# OU taxonomy template (multi-account governance)

Copy this tree into your architecture wiki. Adjust names to match your org; **do not**
create an OU per team — OUs are for **policy boundaries**, not org charts.

```
Root (management account — no workloads)
├── Security OU
│   ├── Log Archive account
│   ├── Audit / Security Tooling account
│   └── (optional) Break-glass / IR account
├── Infrastructure OU
│   ├── Network hub account(s) — TGW, egress, DNS
│   ├── Shared Services account — CI/CD runners, artifacts
│   └── (optional) Backup / DR hub
├── Sandbox OU
│   └── Individual sandbox accounts (auto-expire / SCP spend caps)
├── Workloads OU
│   ├── NonProd OU
│   │   ├── Dev accounts (per product line or per team — pick one rule)
│   │   └── Staging / Pre-prod accounts
│   └── Prod OU
│       ├── Tier-1 prod accounts (strictest SCP + RCP)
│       └── Tier-2 prod accounts
└── Exceptions OU  ← time-boxed only
    └── Legacy / migration accounts (exit date required)
```

## OU purpose matrix

| OU | Policy intensity | Typical SCP themes | Declarative policies / RCPs |
|----|------------------|-------------------|-------------------|
| Security | Highest | Deny org leave; deny disabling CloudTrail/Config | RCP on log buckets |
| Infrastructure | High | Region allow-list; deny public S3 at org level | VPC Block Public Access (BPA) declarative policy on network accounts |
| Sandbox | Medium-high | Deny expensive services; low spend cap | Lighter declarative |
| Workloads NonProd | Medium | Deny prod data stores in dev; allow broader regions | VPC BPA |
| Workloads Prod | Highest | Deny root user; deny unapproved regions | RCP data perimeter + declarative |
| Exceptions | Custom | Documented exception SCP detach — **with expiry** | Minimal — goal is exit |
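The SCP themes in the matrix, applied along the OU tree, as an added example that is not part of this template: the region allow-list, the log-tampering denies and the root-user deny are written out as statements, and a simplified evaluator walks Root, Workloads, Prod so you can see that a looser region list on the parent never widens a tighter list on the child. The region lists, the global-service exemption list and every Sid name are assumptions; the evaluator models only Allow/Deny with Action/NotAction and String* conditions and treats FullAWSAccess as still attached at every level.

```python
"""Added example (not part of the template): the SCP themes from the purpose
matrix as policy statements, plus a simplified evaluator that walks the OU
tree so the Root -> Workloads -> Prod intersection is visible.

Assumptions: region lists, the global-service exemption list and the Sid
names are constructed; the evaluator models only Allow/Deny with
Action/NotAction and String* conditions, and assumes every level still
carries the AWS-managed FullAWSAccess policy.
"""
import fnmatch

FULL_AWS_ACCESS = [{"Sid": "FullAWSAccess", "Effect": "Allow", "Action": "*", "Resource": "*"}]

# Services that are not region-scoped; a region allow-list must exempt them or it breaks IAM/STS.
GLOBAL_SERVICES = ["iam:*", "organizations:*", "sts:*", "support:*", "route53:*", "cloudfront:*"]

def region_allow_list(regions):
    """Deny any region-scoped action whose aws:RequestedRegion is outside `regions`."""
    return {"Sid": "RegionAllowList", "Effect": "Deny", "NotAction": GLOBAL_SERVICES,
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": regions}}}

# OU -> parent OU, following the taxonomy tree.
PARENT = {"Security": "Root", "Infrastructure": "Root", "Sandbox": "Root",
          "Workloads": "Root", "NonProd": "Workloads", "Prod": "Workloads",
          "Exceptions": "Root"}

# Constructed SCP statements attached at each level (FullAWSAccess is added implicitly).
SCPS = {
    "Security": [
        {"Sid": "DenyOrgLeave", "Effect": "Deny", "Resource": "*",
         "Action": ["organizations:LeaveOrganization"]},
        {"Sid": "DenyLogTampering", "Effect": "Deny", "Resource": "*",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                    "cloudtrail:UpdateTrail", "config:StopConfigurationRecorder",
                    "config:DeleteConfigurationRecorder"]},
    ],
    "Workloads": [region_allow_list(["eu-west-1", "eu-central-1", "us-east-1"])],
    "Prod": [
        region_allow_list(["eu-west-1"]),  # tighter than the parent: the intersection wins
        {"Sid": "DenyRootUser", "Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}},
    ],
}

def ou_path(ou):
    """Root-first chain of OUs an account sitting in `ou` inherits policies from."""
    chain = [ou]
    while chain[-1] != "Root":
        chain.append(PARENT[chain[-1]])
    return chain[::-1]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_matches(patterns, action):
    return any(fnmatch.fnmatchcase(action, p) for p in _as_list(patterns))

def _condition_holds(condition, ctx):
    """Simplified IAM String* semantics; a missing context key only satisfies negated operators."""
    for operator, clauses in condition.items():
        negated, like = operator.startswith("StringNot"), operator.endswith("Like")
        for key, wanted in clauses.items():
            have = ctx.get(key)
            if have is None:
                if negated:
                    continue
                return False
            hit = any(fnmatch.fnmatchcase(have, w) if like else have == w
                      for w in _as_list(wanted))
            if hit == negated:
                return False
    return True

def _statement_applies(stmt, action, ctx):
    if "Action" in stmt:
        in_scope = _action_matches(stmt["Action"], action)
    else:
        in_scope = not _action_matches(stmt["NotAction"], action)
    return in_scope and _condition_holds(stmt.get("Condition", {}), ctx)

def level_allows(statements, action, ctx):
    """One OU level allows the action iff some Allow matches and no Deny matches."""
    allowed = False
    for stmt in statements:
        if _statement_applies(stmt, action, ctx):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def is_allowed(ou, action, ctx):
    """Effective SCP decision for an account directly in `ou`: every level on the path must allow."""
    return all(level_allows(FULL_AWS_ACCESS + SCPS.get(level, []), action, ctx)
               for level in ou_path(ou))

if __name__ == "__main__":
    deployer = {"aws:RequestedRegion": "eu-central-1",
                "aws:PrincipalArn": "arn:aws:iam::111122223333:role/Deployer"}
    print(is_allowed("NonProd", "ec2:RunInstances", deployer))        # True: inside Workloads' list
    print(is_allowed("Prod", "ec2:RunInstances", deployer))           # False: Prod narrows to eu-west-1
    print(is_allowed("Security", "cloudtrail:StopLogging", deployer))  # False: DenyLogTampering
```

The part worth keeping when you lift this into a real policy is the `NotAction` exemption on the region allow-list: without it the Deny also covers IAM, STS and Organizations calls, which carry no region and would be blocked everywhere.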

## Rules of thumb

1. **New accounts land in Sandbox or NonProd** — never straight into the Prod OU.
2. **Prod OU is flat or two-tier** (Tier-1 vs Tier-2) — not one OU per microservice.
3. **Exceptions OU is a waiting room**, not a permanent home. Every account needs an `exit_by` date.
4. **Management account holds Organizations + billing only** — neither SCPs nor RCPs apply to the management account, so nothing you keep there is protected by them.

## When to split an OU

Split when **policy needs diverge** (e.g. HIPAA prod vs general prod), not when a new team joins.

## When to merge OUs

Merge when two OUs carry identical SCP/RCP/declarative attachments and differ only by team name.
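A linter for the rules of thumb and the merge rule, as an added example that is not part of this template: it reads a constructed inventory and reports new accounts that landed in Prod, Exceptions accounts with a missing or past `exit_by`, workloads in the management account, more than two child OUs under Prod, and sibling OUs whose policy attachments are identical. The inventory shape (`OUS`, `ACCOUNTS`), the 30-day window that defines a new account and the finding codes are assumptions.

```python
"""Added example (not part of the template): a linter that checks an account
inventory against the rules of thumb and the merge rule.

Assumptions: the inventory shape (OUS, ACCOUNTS), the 30-day window that
defines a "new" account, and the finding codes are constructed here; a real
run would build the same structures from the Organizations API.
"""
from collections import defaultdict
from datetime import date

NEW_ACCOUNT_DAYS = 30             # assumption: accounts younger than this count as "new"
LANDING_OUS = {"Sandbox", "NonProd"}

# Constructed inventory: OU -> parent OU and the names of SCP/RCP/declarative policies attached.
OUS = {
    "Root": {"parent": None, "policies": {"FullAWSAccess"}},
    "Security": {"parent": "Root", "policies": {"FullAWSAccess", "DenyOrgLeave"}},
    "Sandbox": {"parent": "Root", "policies": {"FullAWSAccess", "DenyExpensiveServices"}},
    "Workloads": {"parent": "Root", "policies": {"FullAWSAccess", "RegionAllowList"}},
    "NonProd": {"parent": "Workloads", "policies": {"FullAWSAccess"}},
    "Prod": {"parent": "Workloads", "policies": {"FullAWSAccess", "DenyRootUser"}},
    # Three sibling OUs under Prod that exist only because three teams asked for them.
    "Prod-TeamA": {"parent": "Prod", "policies": {"FullAWSAccess", "DataPerimeterRCP"}},
    "Prod-TeamB": {"parent": "Prod", "policies": {"FullAWSAccess", "DataPerimeterRCP"}},
    "Prod-TeamC": {"parent": "Prod", "policies": {"FullAWSAccess", "DataPerimeterRCP", "HipaaSCP"}},
    "Exceptions": {"parent": "Root", "policies": {"FullAWSAccess"}},
}

ACCOUNTS = [
    {"name": "management", "ou": "Root", "created": date(2019, 1, 1),
     "management": True, "workloads": ["ec2"]},                                   # workloads in the management account
    {"name": "log-archive", "ou": "Security", "created": date(2022, 1, 4)},
    {"name": "dev-payments", "ou": "NonProd", "created": date(2024, 5, 2)},
    {"name": "payments-prod", "ou": "Prod-TeamA", "created": date(2024, 5, 20)},  # new, straight into Prod
    {"name": "legacy-erp", "ou": "Exceptions", "created": date(2020, 9, 1)},      # no exit_by
    {"name": "legacy-crm", "ou": "Exceptions", "created": date(2021, 2, 1),
     "exit_by": date(2023, 6, 30)},                                               # exit_by already passed
]

def ancestors(ous, ou):
    """The OU and every OU above it, ending at Root."""
    chain = []
    while ou is not None:
        chain.append(ou)
        ou = ous[ou]["parent"]
    return chain

def children(ous, ou):
    return sorted(name for name, meta in ous.items() if meta["parent"] == ou)

def lint(ous, accounts, today):
    """Return (code, subject, message) findings; an empty list means the inventory passes."""
    findings = []
    for acct in accounts:
        chain = ancestors(ous, acct["ou"])
        age = (today - acct["created"]).days
        if "Prod" in chain and age < NEW_ACCOUNT_DAYS:        # rule 1
            findings.append(("NEW_ACCOUNT_IN_PROD", acct["name"],
                             f"created {age} days ago; new accounts land in {sorted(LANDING_OUS)}"))
        if "Exceptions" in chain:                              # rule 3
            if "exit_by" not in acct:
                findings.append(("EXIT_BY_MISSING", acct["name"], "Exceptions account has no exit_by date"))
            elif acct["exit_by"] < today:
                findings.append(("EXIT_BY_EXPIRED", acct["name"], f"exit_by {acct['exit_by']} has passed"))
        if acct.get("management") and acct.get("workloads"):  # rule 4
            findings.append(("MANAGEMENT_WORKLOADS", acct["name"],
                             f"management account runs {acct['workloads']}; SCPs/RCPs do not apply there"))
    prod_children = children(ous, "Prod")                      # rule 2
    if len(prod_children) > 2:
        findings.append(("PROD_OU_SPRAWL", "Prod",
                         f"{len(prod_children)} child OUs; keep Prod flat or two-tier"))
    for parent in ous:                                         # merge rule: identical sibling attachments
        by_policy_set = defaultdict(list)
        for child in children(ous, parent):
            by_policy_set[frozenset(ous[child]["policies"])].append(child)
        for siblings in by_policy_set.values():
            if len(siblings) > 1:
                findings.append(("MERGE_CANDIDATE", "+".join(siblings),
                                 "identical policy attachments; OUs differ only by name"))
    return findings

if __name__ == "__main__":
    for code, subject, message in lint(OUS, ACCOUNTS, date(2024, 6, 1)):
        print(f"{code:22} {subject:24} {message}")
```

Note what the merge check does not flag: `Prod-TeamC` carries an extra `HipaaSCP`, so it is a legitimate policy-driven split rather than a merge candidate, while `Prod-TeamA` and `Prod-TeamB` differ only by team name.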
