I'm managing the AWS setup for my small company as we transition some of our resources and start offering services to clients. I've already created the organization account and am now setting up the Organizational Units (OUs). Currently, I plan to have OUs like Security, Infrastructure, Sandbox, Workloads, Policy Staging, and a few others. My question is how to handle the organization of clients within this structure.
For instance, I have three clients: X, who needs a website, database, and API; Y, who just wants an API; and Z, who is looking for a combination of services like AWS Amplify, S3, API, and Lambda. Should I create a separate OU for each client and then add the additional OUs under them? Or should the clients be grouped under the existing OUs I've created? Basically, I'm trying to decide between:
- Option 1: Create a client-focused OU with sub-OUs for Security, Infrastructure, Sandbox for each client.
- Option 2: Keep the existing OUs and place each client inside those categories.
I'm new to this level of AWS management, and I want to make sure I set things up correctly to avoid complications down the line. Any advice would be greatly appreciated!
3 Answers
Great points made here! It's crucial to think of OUs as a way to manage groups of accounts rather than individual resources. Creating a separate account for each client and placing those into OUs makes managing permissions and responsibilities much simpler. You could even consider additional structures, like naming conventions or tags, to keep things organized further!
I was actually in your shoes before! What I found worked best was to group clients into separate accounts rather than mixing everything into the same OUs. It not only helps to keep everything clean and manageable, but you can tailor IAM policies and security settings for each client independently. Plus, when your business grows, this structure will make scaling much easier!
You're definitely on the right path thinking about OUs! Instead of mixing your client-specific resources under each existing OU, consider creating a separate account per client. This way, you can keep things neatly organized and maintain strong security controls. For example, you can dedicate a Customer OU and place each client's account there. This will help you with clear separation, especially regarding data security and access policies.
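To make the per-client-account layout from the answers above concrete, here is an added example (not code from the thread or from AWS) that models the proposed tree, a Customer OU with one account per client next to the Security, Infrastructure and Sandbox OUs, and shows how Service Control Policies attached at an OU inherit down to every account in it. The OU and account names, the sample guardrail policies and the simplified evaluator are all constructed for illustration; it ignores SCP `Condition` blocks and the fact that SCPs never apply to the management account.

```python
"""Model of the suggested org layout plus a simplified SCP inheritance evaluator.
Added illustration for this thread; all names and policies here are constructed.
Assumptions: Condition blocks are ignored and only Action wildcards are matched."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional


@dataclass
class Node:
    """A root, OU or account in the organization tree."""
    name: str
    kind: str                                   # "root", "ou" or "account"
    parent: Optional["Node"] = None
    scps: List[dict] = field(default_factory=list)
    children: Dict[str, "Node"] = field(default_factory=dict)

    def add(self, child: "Node") -> "Node":
        child.parent = self
        self.children[child.name] = child
        return child

    def path(self) -> List["Node"]:
        """Nodes from the root down to this node: the SCP inheritance chain."""
        chain, node = [], self
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain[::-1]


def scp(statements: List[dict]) -> dict:
    return {"Version": "2012-10-17", "Statement": statements}


# AWS attaches this default policy to every root, OU and account. An allow-list
# SCP replaces it where an OU should be narrowed to a few services.
FULL_AWS_ACCESS = scp([{"Effect": "Allow", "Action": "*", "Resource": "*"}])


def allowed_at(node: Node, action: str) -> bool:
    """One level passes if some attached SCP allows the action and none denies it."""
    allowed = denied = False
    for policy in node.scps:
        for st in policy["Statement"]:
            actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
            if any(fnmatchcase(action.lower(), a.lower()) for a in actions):
                if st["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied


def is_allowed(account: Node, action: str) -> bool:
    """SCPs never grant permissions: the action must pass at every level from the
    root down to the account, so a Deny anywhere on the path wins."""
    return all(allowed_at(n, action) for n in account.path())


def build_org() -> Node:
    """Constructed sample: functional OUs plus a Customer OU with one account per client."""
    root = Node("root", "root", scps=[
        FULL_AWS_ACCESS,
        # Org-wide guardrail: no member account can switch off audit logging.
        scp([{"Effect": "Deny", "Resource": "*",
              "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]}]),
    ])
    security = root.add(Node("Security", "ou", scps=[FULL_AWS_ACCESS]))
    security.add(Node("log-archive", "account", scps=[FULL_AWS_ACCESS]))
    root.add(Node("Infrastructure", "ou", scps=[FULL_AWS_ACCESS]))
    sandbox = root.add(Node("Sandbox", "ou", scps=[
        # Allow-list style: sandbox accounts may only use the services listed here.
        scp([{"Effect": "Allow", "Resource": "*",
              "Action": ["ec2:*", "s3:*", "lambda:*", "logs:*", "cloudwatch:*"]}]),
    ]))
    sandbox.add(Node("dev-sandbox", "account", scps=[FULL_AWS_ACCESS]))
    customer = root.add(Node("Customer", "ou", scps=[
        FULL_AWS_ACCESS,
        # Client accounts cannot detach themselves from the organization.
        scp([{"Effect": "Deny", "Resource": "*",
              "Action": "organizations:LeaveOrganization"}]),
    ]))
    for client in ("client-x", "client-y", "client-z"):
        customer.add(Node(client, "account", scps=[FULL_AWS_ACCESS]))
    return root


def find(root: Node, name: str) -> Node:
    """Depth-first lookup of a node by name; raises KeyError if absent."""
    if root.name == name:
        return root
    for child in root.children.values():
        try:
            return find(child, name)
        except KeyError:
            pass
    raise KeyError(name)


if __name__ == "__main__":
    org = build_org()
    checks = [("client-x", "s3:PutObject"), ("client-x", "organizations:LeaveOrganization"),
              ("log-archive", "organizations:LeaveOrganization"),
              ("dev-sandbox", "iam:CreateUser"), ("client-y", "cloudtrail:StopLogging")]
    for acct, action in checks:
        print(f"{acct:12} {action:36} {is_allowed(find(org, acct), action)}")
```

The point the model makes visible: a guardrail attached to the Customer OU (here, the deny on leaving the organization) reaches client-x, client-y and client-z without being repeated per account, while the log-archive account in the Security OU is untouched by it; a guardrail at the root reaches every member account. In a real organization the same structure is created with `aws organizations create-organizational-unit`, `create-account` and `attach-policy`, and each client account's own IAM policies then operate only within whatever the SCP chain leaves allowed.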