Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

7.1.1. AWS Organizations Deployment and Configuration

First Principle: AWS Organizations provides the structural foundation for multi-account governance — organizing accounts into OUs, applying policies, and enabling centralized management of billing and services.

Core Concepts:
  • Organization: Root container for all accounts with a management account
  • Organizational Units (OUs): Logical groupings of accounts (by function, environment, or compliance level)
  • Management account: Special account that creates the organization. Minimize workloads here — use for governance only.
  • Member accounts: All other accounts. Apply policies via OU membership.

Recommended OU Structure:

OU                Purpose                                   Key Policies
Security          Security tooling, log archive, forensics  Restricted access, log immutability
Infrastructure    Networking, shared services, DNS          Network governance
Workloads (Prod)  Production applications                   Strictest SCPs, compliance controls
Workloads (Dev)   Development and testing                   More permissive, cost controls
Sandbox           Experimentation                           Budget limits, no production data
Suspended         Quarantined accounts                      Deny-all SCP

Best Practices:
  • Dedicate the management account to governance — don't run workloads in it
  • Create a centralized logging account for CloudTrail, Config, and VPC Flow Logs
  • Create a security account for GuardDuty, Security Hub, and Detective administration
  • Use delegated administrators (not the management account) for security services

⚠️ Exam Trap: SCPs do not apply to the management account, so it is the one account in the organization that your SCP guardrails cannot restrict. This is why you should never run workloads in the management account and should minimize its IAM principals.

Scenario: A security architect designs an organization with a Security OU containing the log archive and security tooling accounts, a Workloads OU with separate prod and dev sub-OUs, and a Suspended OU with a deny-all SCP for quarantined accounts.
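The scenario above, as an added example that is not part of the course material: a small Python model of how SCPs attached along the Root to OU to account path combine (every level must allow the action and no level may deny it), including the management-account exemption. The org tree, the prod CloudTrail guardrail and the account IDs are constructed placeholders.

```python
from fnmatch import fnmatch
# Constructed policies: default FullAWSAccess, the deny-all SCP for the
# Suspended OU, and a hypothetical prod guardrail protecting CloudTrail.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_ALL = {"Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]}
PROD_GUARDRAIL = {"Statement": [{"Effect": "Deny", "Resource": "*",
                                 "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]}]}

# Constructed org tree (placeholder account IDs): node -> (parent, SCPs attached there).
ORG = {
    "Root":         (None, [FULL_AWS_ACCESS]),
    "Workloads":    ("Root", [FULL_AWS_ACCESS]),
    "Prod":         ("Workloads", [FULL_AWS_ACCESS, PROD_GUARDRAIL]),
    "Suspended":    ("Root", [DENY_ALL]),
    "111111111111": ("Prod", [FULL_AWS_ACCESS]),       # prod workload account
    "222222222222": ("Suspended", [FULL_AWS_ACCESS]),  # quarantined account
    "999999999999": ("Root", [FULL_AWS_ACCESS]),       # management account
}
MANAGEMENT_ACCOUNT = "999999999999"

def _matches(stmt, action):
    patterns = stmt["Action"]
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch(action, pat) for pat in patterns)

def _level_allows(scps, action):
    """A level permits an action only if an SCP there allows it and none denies it."""
    allowed = denied = False
    for scp in scps:
        for stmt in scp["Statement"]:
            if _matches(stmt, action):
                if stmt["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied

def scp_permits(account, action):
    """True if SCPs along Root -> OU -> account leave the action available.
    IAM policies must still grant it; SCPs are only the outer guardrail."""
    if account == MANAGEMENT_ACCOUNT:
        return True  # SCPs never restrict the management account (the exam trap)
    node = account
    while node is not None:
        parent, scps = ORG[node]
        if not _level_allows(scps, action):
            return False
        node = parent
    return True
```

A quarantined account loses every action once the Suspended OU carries only the deny-all SCP, while the management account keeps CloudTrail control even though the prod guardrail would deny it elsewhere.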

Reflection Question: Why should the management account contain NO workloads, and what unique risk does it carry due to SCP exemption?

Written by Alvin Varughese, Founder (15 professional certifications)