DEV Community

Ismail G.

Day 4 — AWS Organizations & Multi-Account Structure

AWS recommends a multi-account architecture as part of the AWS Well-Architected Framework and modern cloud governance practices.

On Day 4, we will prepare the AWS environment for long-term scalability by setting up:

  • AWS Organizations
  • Organizational Units (OUs)
  • Separate development and production accounts
  • Centralized access management with IAM Identity Center

This setup creates a cleaner and safer foundation for infrastructure, CI/CD pipelines, monitoring, billing control, and future team growth.

Step 1 — Verify AWS Organizations is Enabled

First, open:

AWS Console → AWS Organizations

If AWS Organizations is not enabled yet, activate it.

You should also verify that your current AWS account is acting as the Management Account.

The management account becomes the central control point for:

  • account creation
  • organization policies
  • consolidated billing
  • IAM Identity Center integration
  • cross-account governance

This account should be carefully protected because it has administrative control over the entire AWS organization.

Step 2 — Create Organizational Units (OUs)

Organizational Units help logically group AWS accounts.

Go to:

AWS Organizations → Root → Children → Actions → Organizational unit → Create new

Create the following OU: Workloads

Your structure will become:

Root
└── Workloads

OUs allow you to later apply the following to multiple AWS accounts at once:

  • Service Control Policies (SCPs)
  • security restrictions
  • centralized governance
  • account-level controls

Step 3 — Create AWS Accounts

Next, create separate AWS accounts for development and production environments.

Recommended accounts:

  • dev: development workloads
  • prod: production workloads

Production environments should contain only approved workloads and should follow stricter security and access policies.

Separating these environments significantly reduces operational risk.

Step 4 — Assign Accounts to the Workloads OU

After creating the accounts, move them under the Workloads OU.

Move:

  • etg-dev
  • etg-prod

This provides cleaner organization and allows centralized policy management later.

As your infrastructure grows, you can create additional OUs such as:

  • Security
  • Sandbox
  • SharedServices
  • Infrastructure

But for an early-stage startup, keeping the structure simple is usually the best approach.

Step 5 — Configure IAM Identity Center Access

Now configure centralized access using AWS IAM Identity Center.

Instead of creating IAM users separately inside each AWS account, AWS recommends centralized authentication and permission management through IAM Identity Center.

Assign appropriate Permission Sets to users for dev and prod:

  • AdministratorAccess
  • PowerUserAccess
  • ReadOnlyAccess

This approach provides:

  • centralized authentication
  • simplified user management
  • easier onboarding/offboarding
  • improved security visibility
  • cleaner cross-account access

It also prepares the organization for future integrations with:

  • external identity providers
  • SSO systems
  • enterprise access policies

Step 6 — Verify Cross-Account Access

Finally, test the complete setup.

Verify:

  • IAM Identity Center login works correctly
  • users can switch between accounts
  • appropriate permissions are applied
  • development and production accounts are accessible separately

At this point, your AWS organization is ready for scalable infrastructure management.
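The same structure (Steps 1 to 5) expressed as Terraform run from the management account, as an added example that is not code from the post. It assumes IAM Identity Center has already been enabled in the console (the data source only reads the existing instance), that an organization created in the console is imported into state rather than recreated, that the account root emails are placeholders you replace, and that the engineers' Identity Center group id is supplied as a variable; giving engineers PowerUserAccess in dev but only ReadOnlyAccess in prod is my assumption, not the post's.

```hcl
# Step 1: the organization, with SCPs and IAM Identity Center enabled at the org level.
resource "aws_organizations_organization" "org" {
  feature_set                   = "ALL"
  enabled_policy_types          = ["SERVICE_CONTROL_POLICY"]
  aws_service_access_principals = ["sso.amazonaws.com"]
}
# Step 2: a single Workloads OU directly under Root.
resource "aws_organizations_organizational_unit" "workloads" {
  name      = "Workloads"
  parent_id = aws_organizations_organization.org.roots[0].id
}

# Steps 3 and 4: one account per environment, created directly inside the OU.
resource "aws_organizations_account" "env" {
  for_each  = { dev = "aws-dev@example.com", prod = "aws-prod@example.com" } # placeholder emails
  name      = "etg-${each.key}"
  email     = each.value
  parent_id = aws_organizations_organizational_unit.workloads.id
  role_name = "OrganizationAccountAccessRole"
}

# Step 5: permission sets backed by the AWS managed policies named in the post.
data "aws_ssoadmin_instances" "sso" {}
locals {
  sso_arn     = tolist(data.aws_ssoadmin_instances.sso.arns)[0]
  assignments = { dev = "PowerUserAccess", prod = "ReadOnlyAccess" } # assumed split
}
resource "aws_ssoadmin_permission_set" "ps" {
  for_each     = toset(["AdministratorAccess", "PowerUserAccess", "ReadOnlyAccess"])
  name         = each.key
  instance_arn = local.sso_arn
}

resource "aws_ssoadmin_managed_policy_attachment" "ps" {
  for_each           = aws_ssoadmin_permission_set.ps
  instance_arn       = local.sso_arn
  permission_set_arn = each.value.arn
  managed_policy_arn = "arn:aws:iam::aws:policy/${each.key}"
}

# Identity Center group id (copied from the Identity Center console) is a placeholder variable.
variable "engineers_group_id" { type = string }
resource "aws_ssoadmin_account_assignment" "env" {
  for_each           = local.assignments
  instance_arn       = local.sso_arn
  permission_set_arn = aws_ssoadmin_permission_set.ps[each.value].arn
  principal_id       = var.engineers_group_id
  principal_type     = "GROUP"
  target_id          = aws_organizations_account.env[each.key].id
  target_type        = "AWS_ACCOUNT"
}
```

Step 6 is then `terraform plan` showing no drift, followed by logging in through the Identity Center portal and confirming that the dev and prod accounts appear with the expected permission sets.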
