# Hierarchy

<figure><img src="https://3278866189-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu4e057u3LTRKJEHFetwE%2Fuploads%2FYQ7iUTpMtIftruoBg5r6%2Fimage.png?alt=media&#x26;token=2ea2d4bb-6209-4f8d-94e8-21acd07762f9" alt=""><figcaption><p>1 Org, 2 OUs, 4 accounts</p></figcaption></figure>

### Hierarchy:

* Organization:
  * Organizational Units:
    * AWS Accounts

### **Organization**:

* Can contain multiple OUs
* Can enable logging at the organization level (an organization-wide CloudTrail trail). This forces logging on all OUs and accounts beneath the Organization.

### **Organizational Units:**

* Can dictate what is allowed inside the OU: policies attached to an OU apply to every account it contains.

### **Accounts:**

* Should be separated by workloads:
  * Account for DBs
  * Account for front end services
  * Account for log storage
  * Account for IR and analysis

### IR Specifics:

* **Understand the scope and the extent of a compromise**: Determine if the breach is limited to one AWS account or if an entire organization is compromised.
* **Containment**: If a breach occurs in a specific AWS account with no links to others, focus containment efforts on that account.
* **Logging**: If logging is enforced at the organization level, the resulting trail can be used to investigate any individual AWS account in the environment. It also covers every AWS account that is later created or added below the Organization.

### **Recommendations**:

* Use **AWS Organizations** instead of standalone **AWS accounts**.
* Organizations let you set up **Service Control Policies (SCPs)**. These policies can disallow AWS services within accounts, for example EC2 instances.
* **Don't** use your management account for day-to-day operations (this account is used to set up the entire Organization). Treat it as a break-glass account.
* Your management account's root user is the break-glass account for when everything else is broken; protect it as such.
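As an added example (not code from the original page), the SCP below is the kind of policy the recommendation above describes: attached to an OU, its Deny statements remove EC2 from every account in that OU regardless of the IAM policies inside those accounts. It goes a step beyond the page's EC2 case by also denying CloudTrail tampering, so the organization-level logging stays enforced; the policy document, the `scp_denies` helper and the action names it is tested with are constructed here for illustration.

```python
import fnmatch
import json

# Constructed example SCP (not from the page). Attach it to the OU whose
# accounts must never run compute. SCPs never grant permissions; they only
# cap what IAM inside the member accounts can allow. Note that SCPs do not
# apply to the management account, one more reason to keep it out of
# day-to-day use.
DENY_EC2_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyEC2",
            "Effect": "Deny",
            "Action": ["ec2:*"],
            "Resource": "*",
        },
        {
            # Protects the organization-wide trail from being switched off
            # by anyone inside a member account.
            "Sid": "DenyCloudTrailTampering",
            "Effect": "Deny",
            "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
            "Resource": "*",
        },
    ],
}


def _action_matches(pattern, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def scp_denies(policy, action):
    """Return the Sid of the first Deny statement matching `action`, else None.

    A simplified evaluator: it only looks at Effect/Action, which is enough to
    check which API calls an SCP like the one above blocks in an OU.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(_action_matches(p, action) for p in actions):
            return stmt.get("Sid", "<no sid>")
    return None


def scp_document(policy=DENY_EC2_SCP):
    """Serialize the policy to the JSON string expected when creating an SCP."""
    return json.dumps(policy, indent=2)
```

Running `scp_denies(DENY_EC2_SCP, "ec2:RunInstances")` returns `"DenyEC2"`, while an action outside the two statements such as `s3:GetObject` returns `None`.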
