What is the hierarchical structure of resources in AWS?

AWS offers well over two hundred services, and each of them looks like a separate unit. Look more closely and you will see that a hierarchy governs how those services are organized, how you interact with them, and how IAM principals (users and roles) administer them.

This article walks through the four levels of that hierarchy (organizations, organizational units, member accounts and resources) and how they work in practice.

The hierarchical structure explained

In AWS, the hierarchy has four levels, from top to bottom:

  • organization
  • organizational unit (OU)
  • account
  • resource

Every major cloud has a comparable hierarchy: Azure nests resources under management groups, subscriptions and resource groups, and Google Cloud under organizations, folders and projects. Understanding the resource hierarchy helps you see how the components of your AWS environment are organized and prompts questions such as the following:

  • Is the structure flat, or are there multiple AWS accounts that need to be managed?
  • Do you write policies separately for each AWS account?
  • Do the accounts need to communicate with each other or exchange data?

From a technical and security perspective, administrators must decide how the AWS accounts will be laid out, which policies apply to each of them, and which resources they will use.

Suppose you have two AWS accounts, one for development and one for production, and they communicate with each other. Separating the two environments is good practice, but the trust between them is where mistakes and abuse happen if there is no access control. For example, a deployment role that is trusted by both accounts can push test code into production when it was meant for development, and anyone who compromises the development account can use that same trust to reach production.

An example of the resource hierarchy structure in AWS

Organization

Think of an organization like the frame of a house: it gives the structure its shape, protects everything inside, and keeps the whole thing standing. An organization in AWS (created with the AWS Organizations service) is how you centrally manage your AWS environment. It allows you to do the following:

  • focus on keeping your accounts secure as your environment grows;
  • provision accounts centrally;
  • audit environments for compliance purposes;
  • share resources; and
  • optimize billing.

It is the top of the tree. Without an organization there is no structure above the individual account. The organization root is the parent of every OU and member account, and service control policies (SCPs) attached at the root act as guardrails for every member account beneath it. Consolidated billing and organization-wide auditing (for example an organization trail in CloudTrail that records activity in every account) are configured at this level as well.

Organizational unit

An OU is a container for grouping member accounts, and other OUs, beneath a single root. An SCP attached to an OU is inherited by every account and every nested OU under it, so an OU is where you place the guardrails that a set of accounts should share. Group accounts by the controls they need, not by who owns them. For example, if a development account and a production account are subject to the same audit and compliance requirements, administrators can place them in the same OU so that both inherit the same SCPs.

An OU has exactly one parent, and each member account belongs to at most one OU (an account that is in no OU sits directly under the root). OUs can be nested up to five levels deep beneath the root.

AWS's guidance on organizing an environment with multiple accounts recommends a few OUs as a starting point:

  • Security OU (log archive and security tooling accounts)
  • Infrastructure OU (shared networking and services)
  • Sandbox OU (experimentation, isolated from production)
  • Workloads OU (the accounts that run applications)
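The inheritance rules above are easy to get wrong in practice, so the following added example (written for this article, not code from AWS or from the original page) models an organization tree with the four recommended OUs and evaluates which actions an account may perform after SCPs are inherited from the root down. The OU names, the twelve-digit account IDs and the four SCP documents are constructed for the example. The evaluator follows the documented SCP rules: the management account is never restricted, an explicit Deny at any level wins, and otherwise every level from the root to the account must contain an SCP that allows the action. It also reproduces a common pitfall: an allow-list SCP on an OU does nothing while the default FullAWSAccess policy is still attached beside it. Resource and Condition elements are ignored for simplicity.

```python
"""Model SCP inheritance in an AWS Organizations tree (constructed example)."""
from fnmatch import fnmatchcase

MAX_OU_DEPTH = 5  # AWS quota: OUs may nest at most five levels below the root

# SCP documents constructed for this example. FULL_ACCESS mirrors the
# AWS-managed FullAWSAccess policy that Organizations attaches by default.
FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_LEAVE_ORG = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "organizations:LeaveOrganization", "Resource": "*"}]}
DENY_CLOUDTRAIL_TAMPER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
     "Resource": "*"}]}
SANDBOX_ALLOW_LIST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:*", "lambda:*", "logs:*"], "Resource": "*"}]}


class Organization:
    """Root, OUs and accounts keyed by name; every node carries its own SCP list."""

    def __init__(self, management_account):
        self.management_account = management_account
        self.parent = {}                      # node -> parent node ("root" has none)
        self.scps = {"root": [FULL_ACCESS]}   # node -> attached SCPs
        self._add(management_account, "root")

    def _add(self, node, parent):
        if parent not in self.scps:
            raise KeyError(f"unknown parent {parent!r}")
        self.parent[node] = parent
        self.scps[node] = [FULL_ACCESS]       # default attachment, as in AWS

    def add_ou(self, ou, parent="root"):
        if len(self.path(parent)) > MAX_OU_DEPTH:   # path("root") has length 1
            raise ValueError(f"{ou!r} would exceed {MAX_OU_DEPTH} levels of OU nesting")
        self._add(ou, parent)

    def add_account(self, account, parent="root"):
        self._add(account, parent)

    def attach(self, node, scp):
        self.scps[node].append(scp)

    def detach(self, node, scp):
        self.scps[node].remove(scp)

    def path(self, node):
        """Nodes from the root down to `node`, inclusive."""
        chain = [node]
        while chain[-1] in self.parent:
            chain.append(self.parent[chain[-1]])
        return chain[::-1]


def _matches(stmt, action):
    patterns = stmt["Action"]
    if isinstance(patterns, str):
        patterns = [patterns]
    # IAM action names are case-insensitive and "*" globs like an IAM wildcard
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def level_permits(scps, action):
    """One tree level: an explicit Deny wins; otherwise some SCP must Allow."""
    permitted = False
    for scp in scps:
        for stmt in scp["Statement"]:
            if _matches(stmt, action):
                if stmt["Effect"] == "Deny":
                    return False
                permitted = True
    return permitted


def evaluate(org, account, action):
    """Return (allowed, reason) for an account; the management account is exempt."""
    if account == org.management_account:
        return True, "management account is never restricted by SCPs"
    for node in org.path(account):            # root -> OUs -> account
        if not level_permits(org.scps[node], action):
            return False, f"no effective Allow for {action} at {node}"
    return True, "allowed at every level from the root to the account"


def build_example_org(detach_full_access_in_sandbox=True):
    """Constructed tree using the recommended OUs; account IDs are fictitious."""
    org = Organization(management_account="999999999999")
    org.attach("root", DENY_LEAVE_ORG)            # guardrail for every member account
    for ou in ("Security", "Infrastructure", "Sandbox", "Workloads"):
        org.add_ou(ou)
    org.attach("Security", DENY_CLOUDTRAIL_TAMPER)
    org.attach("Sandbox", SANDBOX_ALLOW_LIST)
    if detach_full_access_in_sandbox:
        org.detach("Sandbox", FULL_ACCESS)        # otherwise the allow-list is a no-op
    org.add_account("111111111111", "Security")   # log archive account
    org.add_account("222222222222", "Workloads")
    org.add_account("333333333333", "Sandbox")
    return org


if __name__ == "__main__":
    org = build_example_org()
    for acct, action in [("111111111111", "cloudtrail:StopLogging"),
                         ("333333333333", "iam:CreateUser"),
                         ("222222222222", "organizations:LeaveOrganization"),
                         ("999999999999", "organizations:LeaveOrganization")]:
        print(acct, action, *evaluate(org, acct, action))
```

Run the module directly to see the verdicts: the log archive account cannot stop CloudTrail because of the Security OU's Deny, the sandbox account cannot create IAM users because nothing on its OU allows it, every member account is blocked from leaving the organization by the root SCP, and the management account is allowed all of it. Call `build_example_org(detach_full_access_in_sandbox=False)` to see the pitfall: with FullAWSAccess still attached to the Sandbox OU, `iam:CreateUser` becomes allowed again.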

Member account

Within an organization, administrators create resources and services. These live inside a container-like structure called a member account, and each account is its own boundary for billing, IAM identities and service quotas. Some of the resources that live inside an account include the following:

  • EC2 instances
  • S3 Buckets
  • VPC

Do not confuse a member account with the management account. The management account is the account that created the organization (it was formerly called the master account); it creates or invites member accounts, creates OUs and attaches SCPs. Two things make it special from a security standpoint: SCPs do not restrict the management account, so it should host no workloads and access to it should be tightly limited. Note also that "root" means two different things here: the organization root is the top node of the OU tree, while the root user is the all-powerful login of an individual account.

Resource

Resources are the individual objects you create inside an account, the components we work with every day: EC2 instances, Lambda functions, S3 buckets, IAM roles and so on. They do not govern themselves. What a principal may do to a resource is set by the IAM policies in the account, bounded by the SCPs inherited along the path from the organization root through the OUs to the account, and by any resource-based policy attached to the resource itself. Every time you interact with a resource, you are operating inside the rest of the AWS hierarchy.

Ida M. Morgan