
Environments (AWS accounts) architecture

Diagram

[Diagram: OUs and SCPs]

Explanation

The Modernisation Platform sits within the MOJ’s AWS Organization. The MOJ’s AWS Organization groups accounts by business unit into organizational units (OUs).

For example, LAA AWS accounts sit within the LAA OU, and OPG AWS accounts sit within the OPG OU.

OUs can be up to 5 levels deep within the AWS Organization.

The Modernisation Platform has its own organizational unit, which all applications within the Modernisation Platform sit in. Our OU sits alongside the Cloud Platform OU and is a child of the Platforms & Architecture OU.

Under the Modernisation Platform OU, we have 3 child OUs:

| Organizational unit | Description |
| --- | --- |
| Modernisation Platform Core | This contains all of our core platform AWS accounts. |
| Modernisation Platform Member | This contains all of our member OUs and accounts. |
| Modernisation Platform Member Unrestricted | This is a legacy OU which will be removed as we move unrestricted AWS accounts across to member accounts. |

When a new environment is created, the Modernisation Platform automatically creates a new OU for the application which holds all of the environments (AWS accounts), and it sits within the Modernisation Platform Member OU.

For example, if you had an application, example-application, that required 2 environments, production and development:

  • we’d automatically create an OU called modernisation-platform-example-application
  • example-application-production and example-application-development AWS accounts would sit within the modernisation-platform-example-application OU, as a child of the Modernisation Platform Member OU

Benefits of using organizational units

We use OUs because they make it simpler to apply service control policies (SCPs) and tagging policies.

This allows the Modernisation Platform team to build distinct SCPs or tagging policies that are scoped to only accounts that are part of the Modernisation Platform, or individual groups of accounts as OUs.

For example, we could attach an SCP to the modernisation-platform-example-application OU to deny the usage of anything apart from the EC2 or RDS service, which will be inherited by all of the accounts for example-application.
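The following is an added example, not Modernisation Platform code: it shows what the SCP described above could look like and how its Deny is inherited down the OU tree. The evaluator is simplified (it ignores Resource and Condition), and the Sid, the "Root" node and the other-application OU and account are constructed for illustration.

```python
from fnmatch import fnmatchcase

# AWS-managed default policy, assumed here to be attached to every root, OU and account.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# The SCP described above: deny every action that is not EC2 or RDS.
# SCPs never grant access; they only cap what IAM policies in the account can allow.
EC2_RDS_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllExceptEc2AndRds",  # constructed Sid
        "Effect": "Deny",
        "NotAction": ["ec2:*", "rds:*"],
        "Resource": "*",
    }],
}

# child -> parent, using the OU names from this page ("Root" is a placeholder).
PARENT = {
    "Platforms & Architecture": "Root",
    "Modernisation Platform": "Platforms & Architecture",
    "Modernisation Platform Member": "Modernisation Platform",
    "modernisation-platform-example-application": "Modernisation Platform Member",
    "example-application-production": "modernisation-platform-example-application",
    "example-application-development": "modernisation-platform-example-application",
    "modernisation-platform-other-application": "Modernisation Platform Member",  # constructed
    "other-application-production": "modernisation-platform-other-application",  # constructed
}

# Policies attached directly to a node, in addition to FullAWSAccess.
ATTACHED = {"modernisation-platform-example-application": [EC2_RDS_ONLY]}

def _matches(stmt, action):
    """Does the statement's Action / NotAction element select this action?"""
    key = "Action" if "Action" in stmt else "NotAction"
    patterns = stmt[key] if isinstance(stmt[key], list) else [stmt[key]]
    hit = any(fnmatchcase(action.lower(), p.lower()) for p in patterns)
    return hit if key == "Action" else not hit

def scp_permits(account, action):
    """True if the SCPs on the path from `account` up to the root permit `action`."""
    node = account
    while node is not None:
        stmts = [s for p in [FULL_AWS_ACCESS] + ATTACHED.get(node, []) for s in p["Statement"]]
        if any(s["Effect"] == "Deny" and _matches(s, action) for s in stmts):
            return False  # an explicit Deny at any level wins
        if not any(s["Effect"] == "Allow" and _matches(s, action) for s in stmts):
            return False  # every level must also Allow the action
        node = PARENT.get(node)
    return True
```

Calling `scp_permits("example-application-production", "s3:GetObject")` returns `False` because of the Deny attached one level up, while the same call for an account in a sibling application OU is unaffected.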

This page was last reviewed on 16 December 2024. It needs to be reviewed again on 16 June 2025 by the page owner #modernisation-platform.