How Should I Organize My AWS OUs for Clients?

Asked By TechGuru99 On

I'm working for a small company that's moving resources to AWS and planning to offer services to clients. I'm tasked with setting up our AWS organization and am new to managing it at this level. I've created the organization account and am currently establishing the organizational units (OUs). So far, I have set up these OUs: Security, Infrastructure, Sandbox, Workloads, Policy Staging, Suspended, Individual Business Users, Deployments, and Transitional.

Now, I'm trying to figure out the best way to set up OUs for our clients. For example, if we have three clients: X wants a website, database, and API; Y just needs an API; and Z is looking to use AWS Amplify, S3, API, and Lambda, should I create an OU for each client with more OUs inside for the services they need? Or should I keep the clients within the existing OUs?

Should I go with:
- **Option 1:** Each client has their own OUs with subcategories for services like Security or Infrastructure, or
- **Option 2:** Existing OUs with clients listed under each service category?

I'm trying to avoid creating a confusing structure that I'll regret in a few years, so any insights would be appreciated!

3 Answers

Answered By AWSnoob13 On

It's a good idea to rethink your structure! OUs are mainly for account-level organization. You don't want to cram all individual resources under client names but keep them separated by accounts. So, go for separate accounts for each client and then have their specific OUs for workloads. That way, you maintain security and isolation.

Answered By CloudWizard42 On

It sounds like you're on the right track! Generally, it's best to separate accounts by client for clearer management and security. This way, each client can have their own OU within a larger structure. Your thinking about OUs for things like security controls and logging is spot on. Maybe consider creating a 'Customer OU' for each client, grouping their specific resources under that umbrella. It keeps everything tidy and simplifies billing and access control.

Answered By DevNinja88 On

Totally agree with separating accounts for each customer! It definitely helps with data security and compliance. You should put each client account into an overarching OU. It gives you the flexibility to manage permissions better without mixing up different clients’ data. Using tags or naming conventions also helps keep everything organized. This way, it’ll be much easier to scale your services in the future.
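
The layout the answers converge on (one account per client, each in its own OU under a single overarching OU) can be applied with the AWS Organizations API. This is an added sketch, not code from any poster: the top-level OU name `Clients`, the client names and the 12-digit account IDs are constructed placeholders, and `org` is assumed to be a `boto3.client("organizations")` running in the management account.

```python
def find_ou(org, parent_id, name):
    """Return the id of the OU called `name` directly under parent_id, or None."""
    kwargs = {"ParentId": parent_id}
    while True:
        page = org.list_organizational_units_for_parent(**kwargs)
        for ou in page["OrganizationalUnits"]:
            if ou["Name"] == name:
                return ou["Id"]
        if "NextToken" not in page:
            return None
        kwargs["NextToken"] = page["NextToken"]

def ensure_ou(org, parent_id, name):
    """Create the OU only if it is missing, so reruns are harmless."""
    existing = find_ou(org, parent_id, name)
    if existing:
        return existing
    resp = org.create_organizational_unit(ParentId=parent_id, Name=name)
    return resp["OrganizationalUnit"]["Id"]

def place_client_accounts(org, client_accounts, top_ou="Clients"):
    """client_accounts maps client name -> list of that client's account ids."""
    owner = {}
    for client, accounts in client_accounts.items():
        for acct in accounts:
            # An account shared by two clients defeats the isolation goal.
            if acct in owner:
                raise ValueError(f"account {acct} listed for {owner[acct]} and {client}")
            owner[acct] = client
    root_id = org.list_roots()["Roots"][0]["Id"]
    clients_ou = ensure_ou(org, root_id, top_ou)
    placement = {}
    for client, accounts in client_accounts.items():
        client_ou = ensure_ou(org, clients_ou, client)
        for acct in accounts:
            current = org.list_parents(ChildId=acct)["Parents"][0]["Id"]
            if current != client_ou:
                org.move_account(AccountId=acct, SourceParentId=current,
                                 DestinationParentId=client_ou)
            placement[acct] = client_ou
    return placement

if __name__ == "__main__":
    import boto3  # needs credentials for the organization's management account
    # Constructed placeholder account ids for clients X, Y and Z.
    plan = {"client-x": ["111111111111"], "client-y": ["222222222222"],
            "client-z": ["333333333333"]}
    print(place_client_accounts(boto3.client("organizations"), plan))
```

Each client's website, database, API or Lambda resources then live inside that client's account rather than in service-named OUs.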
