This post is a notes-summary of AWS Best Practices for:

  • Governance, risk, and compliance when establishing your cloud presence (AWS Blog Page)
  • Organizational Units with AWS Organizations (AWS Blog Page)
  • Managing the multi-account environment using AWS Organizations and AWS Control Tower (AWS Blog Page)

PART 1 – AWS Best Practices for… Governance, risk, and compliance when establishing your cloud presence

  • Check the Management and Governance Lens (A Well-Architected Lens extension) This is built up from years of migrations and best practices learned along the way


Introducing a Landing Zone

  • Separation of concerns get more important and also difficult as companies grow in AWS
  • Separate costs for budgets and billing
  • Security enforcement, resource isolation

A Landing Zone is a…Well-architected multi-account AWS environment that is stable and secure

It is:

  • The starting point for your cloud journey
  • Built on AWS Organization w/ multiple accounts



Landing Zone Framework

Landing Zone Framework


Foundational OUs

Shared Services OU is for things like log archival, networking – Usually the responsibility of central teams

  • Infrastructure – Shared IT Services & Networking
  • Security – Log Archival, security tools, break-glass / forensics


Additional OUs

  • Sandbox OU to allow developers to have their own accountsa to spike/experiment
  • Workloads OU to isolate and tightly control production/app services
  • etc – These are a guide, pick which fits the company the best


Landing Zone Automation

2 Tools to assist here…

  • AWS Control Tower – AWS Managed Service to setup and govern multi-account env ** It uses AWS Organizations and a number of other services to automate the orchestration ** Easier option, minimal customisations; Still allows your to centrally manage governance and has preconfigured best practices
  • AWS Organizations – Use this directly, high levels of customisation Personal Note: Check out org-formation or Terraform

PART 2 – AWS Best Practices for… Organizational Units with AWS Organizations

  • Apply SCPs at an OU Level
  • SDLC OUs – Think of having SCPs at each stage of the lifecycle of the application
    SDLC OUs
    e.g Different Policies in different Stages/Environments (Dev vs Test)
  • Deployments OU – If you have different governance and operational models for CICD compared to accounts in Workloads OU (Prod / SDLC)
    ** Reduces dependency on shared CI/CD environments
    ** Pipelines and CICD should match the operational model of the software service it builds and deploys
    Deployments OUs
  • Infra OU may looks like this:
    Infra OU
  • Security OU for hosting security-related services, should be managed by Security team(s)
    Security OU
  • Log Archive – Audits
  • ReadOnlyAccess – Humans for Read-Only permission, cross-account role from here
  • Breakglass – Humans in rare scenarios/security incidents, special authorisation would be required, all access to this logged in detail
  • Tooling – MINIMAL Humans, Master Account for Guard Duty, Security Hub and Amazon Detective…Human Access for Admin purposes only, infrequent
    ** IaC should be heavily used
  • Sandbox OU for individuals wanting to play, should limit internet access if possible
    ** Individuals Accounts created in here e.g ColinWillisAccount
  • Workloads OUs
    Workloads OUs
  • Suspended OU – Accounts that are to be deleted from the Organisation
    ** Apply an SCP to deny all actions, add Tags for traceability if they need to be restored
    ** Accounts are permanent deleted after 90 days
  • Exceptions OU – Accounts that warrant exceptions to Security or Auditing conditions
    ** SCP may be applied directly to the accounts here

Think Top-Secret Project Account; it may have MORE scrutiny than standard accounts

PART 3 – AWS Best Practices for… Managing the multi-account environment using AWS Organizations and AWS Control Tower

Permissions Management 

** Preventative guardrails are SCPs that limit actions based on your policies.

** Detection guardrails are AWS Config rules paired with AWS Lambda

*** These detect noncompliant resources and alert you through the Control Tower dashboard for remediation



  • AWS offers a feature called Delegated Administration, which allows you to designate an account (such as via Security Tooling Account) ** Use this to then manage the following AWS security and audit services on behalf of the entire organization
AWS Audit Manager - automates the continuous collection of evidence to help you audit your use of cloud services.
AWS Config - detects and provides mitigation recommendations for incorrectly configured resources.
Amazon GuardDuty - detects unexpected and potentially unauthorized and malicious activity in your AWS environment.
Amazon Macie - continuously evaluates your content to identify business-critical or potentially confidential data.
AWS Trusted Advisor - identifies opportunities to improve stability, save money, or help close security gaps.
IAM Access Analyzer - helps you identify any resources or data in your AWS environment that are shared with external entities.
AWS Security Hub - provides you with security checks and recommendations across your organization.
  • Security users can then centrally view and manage security events
  • NOTE: You may need to enable certain Security Services at the management/organizational account level


Account Management 

  • After initial Organization setup, new or invited Accounts can be assigned to OUs
  • Integrated into AWS Organizations, these help you get accounts ready to use:

** AWS Resource Access Manager – Make resources available cross-account e.g EC2 Capacity Reservation, VPC Endpoints

** AWS CloudFormation StackSets – Share Stacks cross account e.g Automatically delete or create resources when an Account joins or leaves the Organization

To find out more about our AWS partnership, click here.


About Version 1

Version 1 is a leader in Enterprise Cloud services and was one of the first AWS Consulting Partners in Europe. We are an AWS Premier Partner and specialise in migrating and running complex enterprise workloads in Public Cloud. Version 1 is a leader in Enterprise Cloud services and was one of the first AWS Consulting Partners in Europe. We have a policy of continuous investment in technology solutions that benefit our customers and are in the small number Amazon Web Services Partners to have achieved advanced partner status. Our team works closely with AWS to help our customers navigate the rapidly changing world of IT.