Cyber.AWS OU Structure - Kahuna915/Capstone-Cloud-Integration GitHub Wiki
On this page, we are creating a guideline and multiple SCPs (service control policies) that will be useful for our organization.
There are currently three separate OUs, each dedicated to a different purpose. The first is Cyber Admins, a management OU. The second is AWS Classroom, a classroom OU designed to hold all of the normal user accounts. The third is a Sandbox, for when new policies are created and need to be tested before going live in the production environment.
The Cyber Admin OU's purpose is to hold the management accounts of cyber.AWS. These accounts will have almost full permission over the entire organization: apart from restrictions on billing and on leaving the organization, the OU will have access to any resource, giving it AWS's full suite of services.
The AWS Cloud Class is the first class we are attempting to create. When our team took the class in the past, we ran into many issues with permissions, whether a lack of access or AWS Academy not providing all features; we aim to make the cloud class more manageable and accessible. The member accounts in this OU will not have access to every resource, only to the resources that will be used within the scope of the class. Building the OU this way follows a least-privilege security architecture while leaving room for customization if and when the class evolves and changes.
The Sandbox OU is created to give management a safe environment to test new policies, change SCPs, and work with new services. Instead of testing on the in-production class members, there will be a safe and secure place to do the testing. These accounts will have their own set of SCPs and will not follow the exact same standard as any other OU, with the exceptions of billing and leaving the organization, which stay restricted everywhere.
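As an added illustration (not a policy from the Capstone-Cloud-Integration repository), the guardrail shared by all three OUs above, an SCP that denies billing access and leaving the organization, written as the JSON document AWS Organizations expects, together with a small offline checker that mimics the explicit-deny rule of SCP evaluation so a policy can be sanity-checked before it is attached in the Sandbox OU. The action names are standard AWS IAM actions; the Sid values, the checker and the sample action list are constructed assumptions.

```python
import fnmatch
import json

# Organization-wide guardrail SCP (constructed example). A Deny in an SCP
# applies to every principal in the attached OU, including the account root.
GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyLeavingOrganization",
            "Effect": "Deny",
            "Action": ["organizations:LeaveOrganization", "account:CloseAccount"],
            "Resource": "*",
        },
        {
            "Sid": "DenyBillingAccess",
            "Effect": "Deny",
            "Action": ["aws-portal:*", "billing:*", "payments:*"],
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    """IAM allows a single string or a list for Action; normalise to a list."""
    return value if isinstance(value, list) else [value]


def scp_denies(policy: dict, action: str) -> bool:
    """Return True if any Deny statement in the SCP matches the action.

    Mirrors the explicit-deny rule of SCP evaluation: a matching Deny wins
    over any Allow. Action matching is case-insensitive with '*' wildcards,
    as in IAM. Condition blocks are ignored (this guardrail uses none).
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        patterns = _as_list(stmt.get("Action", []))
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            return True
    return False


def blocked_actions(policy: dict, actions: list) -> list:
    """Filter candidate actions down to those the SCP explicitly blocks."""
    return [a for a in actions if scp_denies(policy, a)]


if __name__ == "__main__":
    print(json.dumps(GUARDRAIL_SCP, indent=2))  # the document to attach via Organizations
    sample = ["organizations:LeaveOrganization", "aws-portal:ModifyBilling",
              "ec2:RunInstances", "s3:GetObject"]  # constructed sample actions
    print(blocked_actions(GUARDRAIL_SCP, sample))
```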