2.1.4 Ensure Organizational Units are structured by environment and sensitivity

Information

Ensure that AWS Organizations Organizational Units (OUs) are structured primarily by environment (for example, production, non-production, sandbox) and sensitivity (for example, security, logging, shared services, regulated workloads), rather than mirroring the corporate org chart. OUs should group accounts that share similar security requirements and controls so that appropriate authorization policies and other guardrails can be applied consistently at the OU level.

A clear OU structure based on environment and sensitivity makes it easier to apply consistent guardrails and centralized security controls to accounts that have similar risk profiles and compliance needs. Poorly defined or ad-hoc OU structures complicate policy management, increase the chance of misapplied controls, and can lead to mixing workloads with different data sensitivities under the same set of controls.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

- Work with security, platform, and application teams to agree on a small set of top-level OUs such as:
  - Security / Management
  - Shared Services / Infrastructure
  - Prod
  - Non-Prod (dev, test, staging)
  You may also define dedicated OUs for highly regulated workloads.

- In the AWS Organizations console (management account), navigate to AWS Accounts. Under the root, create the agreed top-level OUs. If needed, create child OUs under these.

- Export or list all existing accounts and their current OUs. Create a simple mapping from each account to its target OU based on environment and sensitivity.

- In the AWS Organizations console (management account), navigate to AWS Accounts. Move accounts into the new environment/sensitivity-based OUs according to your mapping.

- Start with low-risk accounts (for example, sandbox and non-production) to validate the effects of inherited policies and guardrails before moving production and high-sensitivity accounts.

- After accounts have been moved, remove old OUs that no longer reflect the target structure.

- Ensure no active accounts remain directly under the root unless explicitly justified and documented.

- Update architecture docs, onboarding runbooks, and account request processes to require new accounts to be created in the correct OU based on environment and sensitivity.
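The mapping, rollout-ordering, root-check and OU-cleanup steps above can be scripted before anyone touches the console. The following is an added example, not part of the CIS benchmark or the Tenable audit text: it builds an account-to-OU move plan from a constructed organization snapshot. In a real run the same data would be read with the boto3 `organizations` client (`list_roots`, `list_organizational_units_for_parent`, `list_accounts_for_parent`, `list_tags_for_resource`) and the moves applied with `move_account`; the `Environment`/`Function` tag keys, the separate `Sandbox` OU, and all account and OU identifiers are assumptions of this example.

```python
"""Plan account moves into an environment/sensitivity-based OU layout.

Added example, not the benchmark's or Tenable's code. The snapshot below is
constructed; in practice it comes from boto3 `organizations` calls and the
moves are applied with organizations.move_account(AccountId=...,
SourceParentId=..., DestinationParentId=...).
"""

ROOT_ID = "r-exmp"  # constructed root id

# Target top-level OUs agreed with security, platform and application teams.
# The list order is the rollout order: low-risk OUs are populated first so the
# effect of inherited policies can be validated before production moves.
# A separate Sandbox OU is an assumption of this example.
ROLLOUT_ORDER = ["Sandbox", "NonProd", "SharedServices", "Security", "Prod"]

# Constructed snapshot of the old org-chart style OUs: id -> name
EXISTING_OUS = {
    "ou-exmp-marketing": "Marketing",
    "ou-exmp-engineering": "Engineering",
}

# Constructed snapshot of accounts: id -> {Name, Parent, Tags}
# (tag keys Environment / Function are an assumed tagging convention)
ACCOUNTS = {
    "111111111111": {"Name": "log-archive", "Parent": ROOT_ID,
                     "Tags": {"Environment": "prod", "Function": "logging"}},
    "222222222222": {"Name": "security-tooling", "Parent": "ou-exmp-engineering",
                     "Tags": {"Environment": "prod", "Function": "security"}},
    "333333333333": {"Name": "shared-network", "Parent": "ou-exmp-engineering",
                     "Tags": {"Environment": "prod", "Function": "shared-services"}},
    "444444444444": {"Name": "webshop-prod", "Parent": "ou-exmp-marketing",
                     "Tags": {"Environment": "prod", "Function": "workload"}},
    "555555555555": {"Name": "webshop-dev", "Parent": "ou-exmp-marketing",
                     "Tags": {"Environment": "dev", "Function": "workload"}},
    "666666666666": {"Name": "alice-sandbox", "Parent": ROOT_ID,
                     "Tags": {"Environment": "sandbox"}},
    "777777777777": {"Name": "legacy-untagged", "Parent": "ou-exmp-marketing",
                     "Tags": {}},
}

SECURITY_FUNCTIONS = {"security", "logging", "audit"}
NON_PROD_ENVS = {"dev", "test", "staging", "nonprod"}


def target_ou(account):
    """Map one account to its target OU from its environment and sensitivity tags.

    Returns None when the tags do not determine an OU; such accounts need an
    explicit decision rather than a guessed placement.
    """
    tags = account.get("Tags", {})
    env = tags.get("Environment", "").lower()
    function = tags.get("Function", "").lower()
    if function in SECURITY_FUNCTIONS:
        return "Security"           # sensitivity takes precedence over environment
    if function == "shared-services":
        return "SharedServices"
    if env == "sandbox":
        return "Sandbox"
    if env in NON_PROD_ENVS:
        return "NonProd"
    if env == "prod":
        return "Prod"
    return None


def plan_moves(accounts):
    """Return (moves, unmapped).

    moves:    list of (account_id, current_parent, target_ou), in rollout order
    unmapped: account ids whose tags do not determine a target OU
    """
    moves, unmapped = [], []
    for acct_id, acct in accounts.items():
        ou = target_ou(acct)
        if ou is None:
            unmapped.append(acct_id)
        else:
            moves.append((acct_id, acct["Parent"], ou))
    moves.sort(key=lambda m: ROLLOUT_ORDER.index(m[2]))  # stable: low risk first
    return moves, unmapped


def accounts_under_root(accounts, root_id=ROOT_ID):
    """Accounts still parented directly by the root; should be empty or documented."""
    return sorted(a for a, acct in accounts.items() if acct["Parent"] == root_id)


def stale_ous(existing_ous, keep=frozenset(ROLLOUT_ORDER)):
    """Old OUs not in the target layout, to be removed once the moves have emptied them."""
    return sorted(ou_id for ou_id, name in existing_ous.items() if name not in keep)


if __name__ == "__main__":
    moves, unmapped = plan_moves(ACCOUNTS)
    for acct_id, parent, ou in moves:
        print(f"move {acct_id} ({ACCOUNTS[acct_id]['Name']}): {parent} -> {ou}")
    print("needs manual mapping:", unmapped)
    print("still directly under root:", accounts_under_root(ACCOUNTS))
    print("OUs to retire after moves:", stale_ous(EXISTING_OUS))
```

The plan deliberately refuses to place untagged accounts (they are reported rather than defaulted to an OU) and puts the sandbox and non-production moves first, so the inherited guardrails are exercised on low-risk accounts before any production or security account changes parent.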

Impact:

Restructuring OUs by environment and sensitivity can require moving accounts, changing inherited policies, and updating automation that assumes existing OU paths. This may introduce short-term operational overhead, including policy revalidation, testing of workloads under new guardrails, and coordination with application and platform teams to avoid unintended service disruption.

See Also

https://workbench.cisecurity.org/benchmarks/24575

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-4

Plugin: amazon_aws

Control ID: dbd3832309a0b4ba10b9117388cdf45eb1150e4556c5ba6951e828b387e34687