🔖 Overview
This document outlines the AWS account structure, governance, and control strategy used across our organization.
It describes how AWS Control Tower, AFT, and SCPs interact to provide a compliant, secure, and automated multi-account landing zone — aligning with AWS Well-Architected and CIS Benchmarks.
🌍 Organizational Structure
| OU | Description | Primary Accounts |
|---|---|---|
| Security OU | Core compliance and security monitoring |
Log Archive, Audit
|
| Internal OU | Shared platform services and IAM root |
Shared Services, IAM/Root
|
| NPR Networking OU | Non-Production networking environment |
Internal Comms, External Comms
|
| PRD Networking OU | Production networking environment |
Internal Comms, External Comms
|
| Deprecated OU | Legacy accounts (no new workloads) | Various (read-only) |
🧭 Regional Strategy
| Component | Region | Rationale |
|---|---|---|
| IAM Identity Center (SSO) | us-east-1 |
Global endpoint for AWS SSO and Organizations |
| Control Tower Management Account |
us-east-1 backend |
Required by AWS |
| All Member Accounts |
eu-west-2 (London) |
Primary data residency & workload region |
| Backup / DR |
eu-west-1 (Ireland) |
Optional failover region |
💠 Conceptual Flow Diagram
┌──────────────────────────────────────────────┐
│ Management Account │
│ (AWS Organizations + Control Tower + AFT) │
└──────────────────────────────────────────────┘
│
┌──────────────────────────────────────────────┐
│ Control Tower Landing Zone │
│ • Security OU (LogArchive + Audit) │
│ • Creates baseline guardrails (AWS-managed) │
│ • Delegates to AFT for account provisioning │
└──────────────────────────────────────────────┘
│ Management Acct (us-east-1)
┌────────────────────┴────────────────────┐
│ │
┌──────────────────────────────┐ ┌──────────────────────────────┐
│ Account Factory for TF (AFT) │ │ AWS Organizations (Org Root) │
│ • GitOps: account requests │ │ • OU hierarchy (SEC, INT, │
│ • Customizations pipelines │ │ NPR, PRD, DEPRECATED) │
│ • Baselines, tagging, roles │ │ • SCPs attached per OU │
└──────────────────────────────┘ └──────────────────────────────┘
│ │
│ │
│ ┌────────────────────────────────────────┐
│ │ SCP layer (Preventive Guardrails) │
│ │ • Enforced at Org root / OU level │
│ │ • Deny/allow APIs before IAM evaluated │
│ │ • Prevents config drift or unsafe ops │
│ └────────────────────────────────────────┘
│
┌────────┴─────────┐
│ Enrolled Account │
│ (e.g. Internal, │
│ NPR, PRD, etc.) │
└──────────────────┘
🧩 Control Tower & AFT Integration
Landing Zone
- Deployed via AWS Control Tower in the management account.
- Establishes:
- AWS Organizations
- Log Archive and Audit accounts
- Baseline guardrails (AWS-managed)
Account Factory for Terraform (AFT)
- Provides GitOps-based account lifecycle management.
- Each account is provisioned using Terraform pipelines that:
- Enroll the account in Control Tower
- Apply OU-specific baselines (e.g., Config, logging)
- Tag accounts automatically
- AFT runs in its own AFT Management Account.
Account Hierarchy Diagram
Management Account
├── AWS Control Tower (Landing Zone)
├── AFT Pipelines (Account Factory for Terraform)
└── AWS Organizations (Root OU)
├── Security OU
├── Internal OU
├── NPR Networking OU
├── PRD Networking OU
└── Deprecated OU
🧰 Networking & Shared Services Strategy
| Service | Owning Account | Scope | Sharing Mechanism |
|---|---|---|---|
| Transit Gateway (TGW) | Internal Comms (per env) | Environment-specific | AWS RAM (within the env) |
| Internet Gateway (IGW) | External Comms (per env) | Environment-specific | Single point of entry – not shared |
| NAT Gateway (NGW) | Shared Services | Cross-environment | Single point of exit – not shared |
| Network Firewall (NFW) | Shared Services | Cross-environment | AWS RAM + TGW routing |
| VPC Endpoint Services | Shared Services | Org-wide | Route53 Reslover |
🔐 Governance & Security Controls
Governance is enforced using three layers:
| Layer | Type | Enforcement Mechanism |
|---|---|---|
| Preventive | Service Control Policies (SCPs) | AWS Organizations |
| Detective | Config / Security Hub / GuardDuty | Audit account |
| Proactive | CloudFormation Hooks / AFT Customizations | Terraform baselines |
🚫 Core SCP Pack (Preventive Guardrails)
1️⃣ Deny Root User Access
Prevents use of root credentials in any account.
{
"Sid": "DenyRootUser",
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"StringLike": {
"aws:PrincipalArn": "arn:aws:iam::*:root"
}
}
}
2️⃣ Restrict Regions (EU + us-east-1)
{
"Sid": "DenyOutsideApprovedRegionsExceptIdentity",
"Effect": "Deny",
"NotAction": [
"iam:*","organizations:*","route53:*","sso:*","support:*"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": ["eu-west-1", "eu-west-2", "us-east-1"]
}
}
}
3️⃣ Deny Unapproved Network Creation
{
"Sid": "DenyUnapprovedNetworking",
"Effect": "Deny",
"Action": [
"ec2:CreateInternetGateway","ec2:AttachInternetGateway",
"ec2:CreateNatGateway","ec2:CreateVpcPeeringConnection",
"ec2:CreateTransitGateway","ec2:DeleteTransitGateway"
],
"Resource": "*"
}
4️⃣ Restrict Service Creation
| Resource | Allowed Account(s) | SCP Condition |
|---|---|---|
| TGW (Transit Gateway) | Internal Comms (PRD/NPR) |
aws:PrincipalAccount = INC IDs |
| IGW (Internet Gateway) | External Comms (PRD/NPR) |
aws:PrincipalAccount = EXC IDs |
| NFW (Network Firewall) | Shared Services |
aws:PrincipalAccount = SSV ID |
| NGW (NAT Gateway) | Shared Services |
aws:PrincipalAccount = SSV ID |
| VPC Endpoint Services | Shared Services |
aws:PrincipalAccount = SSV ID |
5️⃣ Tag Enforcement
{
"Sid": "RequireStandardTags",
"Effect": "Deny",
"Action": ["ec2:RunInstances","rds:CreateDBInstance","s3:CreateBucket"],
"Resource": "*",
"Condition": {
"Null": {
"aws:RequestTag/Environment": "true",
"aws:RequestTag/Owner": "true"
}
}
}
6️⃣ Deny Org Tampering
Protects core logging and control-plane resources
{
"Sid": "DenyOrgTampering",
"Effect": "Deny",
"Action": [
"organizations:LeaveOrganization",
"cloudtrail:StopLogging",
"config:StopConfigurationRecorder"
],
"Resource": "*"
}
7️⃣ Deprecated OU Policy
{
"Sid": "DenyNewCreates",
"Effect": "Deny",
"Action": ["*"],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/Environment": "deprecated"
}
}
}
🧠 Control Layers Explained
| Layer | Description | Managed By |
|---|---|---|
| Control Tower | Creates baseline governance (OU, guardrails, log archive, audit) | AWS |
| AFT | Automates account provisioning, tagging, baseline controls | Platform team |
| SCPs | Prevent actions that violate org standards (region, network, security) | Org root |
| Delegated Security Accounts | Detect & monitor compliance (Config, GuardDuty) | Security team |
🪜 Deployment Workflow
| Step | Action | Tool |
|---|---|---|
| 1 | Enable Control Tower (Landing Zone) | Console / CLI |
| 2 | Bootstrap AFT management | Terraform |
| 3 | Create OUs + SCPs | Terraform |
| 4 | Submit account requests via AFT | GitOps |
| 5 | Apply OU-specific baselines | Terraform |
| 6 | Validate security controls | AWS Config / Security Hub |
| 7 | Continuous compliance | Detective + Proactive guardrails |
🧩 Future Enhancements
- Add Policy Staging OU for testing new SCPs.
- Integrate Proactive Controls (CloudFormation hooks).
- Automate SCP compliance drift detection using AWS Config custom rules.
- Add organizational backup plans (AWS Backup delegated admin).
