AWS Organizations — Account Structure

Status: Living document. Last updated 2026-04-18. Purpose: SOC 2 CC6.6 (System Boundaries), CC7.1 (Infrastructure Management), HIPAA §164.308(a)(4) (Access Management), CMS EDE Phase 3 (isolation of production workloads).

Why multi-account

AskFlorence runs under AWS Organizations with separate member accounts for each environment. This gives us:

Blast radius containment — an IAM mistake or credential leak in staging cannot affect production.
Per-environment billing and cost attribution — prod vs. staging spend is impossible to co-mingle.
Per-environment audit trails — CloudTrail, GuardDuty, and Security Hub findings are scoped per account, simplifying SOC 2 and CMS EDE evidence.
Service Control Policy (SCP) enforcement — guardrails apply at the OU level and cannot be overridden by account admins.
Centralized logging to a segregated account — askflorence-log-archive is intentionally isolated from workload accounts; even compromised prod/staging credentials cannot tamper with logs.

Organization

Field	Value
Organization ID	`o-vefew8kgv1`
Root ID	`r-9qla`
Master (management) account	`778477254880` — askflorencehealth
Master account email	taha.abbasi@askflorence.health
Feature set	`ALL` (enables SCPs, aggregated billing, tag policies)
SCPs enabled	`SERVICE_CONTROL_POLICY` — ENABLED at root
Created	April 2026

Accounts

Account Name	Account ID	Root Email	OU	Purpose
`askflorencehealth`	`778477254880`	taha.abbasi@askflorence.health	Root	Management account. AWS Organizations, IAM Identity Center (SSO), consolidated billing, budget alerts, S3 `askflorence-data` source-file bucket, Terraform state. Should not run production workloads.
`askflorence-prod`	`039624954211`	aws+prod@askflorence.health	Prod	Production workloads. ECS Fargate web service, ALB, CloudFront, WAFv2, Secrets Manager, Atlas VPC peering (prod project).
`askflorence-staging`	`549136075525`	aws+staging@askflorence.health	Non-Prod	Staging / pre-prod. Identical stack to prod, scaled down. Targets Atlas staging project (M0).
`askflorence-log-archive`	`754660694122`	aws+log-archive@askflorence.health	Security	Centralized logging. Receives org-wide CloudTrail, AWS Config aggregation, VPC Flow Logs export, WAF logs. Object-locked S3 for immutable audit evidence. No workloads run here.

Organizational Units (OUs)

OU	ID	Parent	Members
Root	`r-9qla`	(top)	askflorencehealth (management)
Prod	`ou-9qla-8z7htmau`	Root	askflorence-prod
Non-Prod	`ou-9qla-o6snxwss`	Root	askflorence-staging
Security	`ou-9qla-c5psmqcy`	Root	askflorence-log-archive

Future OU expansion (not yet created): Sandbox under Root (for ad-hoc dev accounts), Audit under Security (for future compliance-tooling account if separated from log archive).

Service Control Policies (SCPs)

`ScpBaseline` (ID `p-oy7xxdzz`)

Attached to: Prod, Non-Prod, Security OUs (all workload OUs). Management account is intentionally not constrained by this SCP so Taha can continue to manage the org.

Guardrails enforced (v2, 2026-04-18):

Deny root user actions, except a narrow bootstrap allow-list (DenyRootExceptBootstrap). Root can still set up MFA, change password, check for access keys, and view account summary — one-time setup that every new AWS account requires. Everything else (workload actions, IAM user/role creation, service configuration) is denied to root. Day-to-day activity goes through SSO-issued roles. See change-log.md#2026-04-18T00:30Z for the allow-list rationale.
Deny organizations:LeaveOrganization. Prevents accidental or malicious detachment.
Deny disabling CloudTrail. Specifically: DeleteTrail, PutEventSelectors, StopLogging, UpdateTrail.
Deny disabling AWS Config. Specifically: DeleteConfigurationRecorder, DeleteDeliveryChannel, StopConfigurationRecorder.
Deny disabling GuardDuty. DeleteDetector, DisassociateFromMasterAccount, etc.
Deny disabling Security Hub. DisableSecurityHub, DisassociateFromMasterAccount, etc.
Region lock to us-east-1. All regional service calls must target us-east-1. Global services (IAM, CloudFront, Route 53, STS, Organizations, etc.) are exempted via NotAction. AWS service-linked roles are exempted via the PrincipalARN condition to avoid breaking background housekeeping jobs.

SCP JSON is not yet under Terraform — the authoritative copy is the policy attached in AWS Organizations (viewable via aws organizations describe-policy --policy-id p-oy7xxdzz). When Terraform takes ownership, the file path will be added here.

IAM Identity Center (SSO)

SSO instance ARN: arn:aws:sso:::instance/ssoins-722388357d4502e0
Identity store: d-90660882b4
Portal URL: https://d-90660882b4.awsapps.com/start

Permission sets

Name	Session	Managed policies	Intended use
`AdministratorAccess`	1h	`AdministratorAccess`	Break-glass, infra changes. Short session by design.
`PowerUserAccess`	4h	`PowerUserAccess`	Day-to-day engineering. No IAM/Org changes.
`BillingReadOnly`	4h	`job-function/Billing`	Finance review (future).
`SecurityAudit`	4h	`SecurityAudit` + `ReadOnlyAccess`	Read-only security posture review (Drata connector role uses same policy shape).

Assignments (as of 2026-04-18)

User	Accounts	Permission sets
taha.abbasi	askflorencehealth (mgmt), askflorence-prod, askflorence-staging, askflorence-log-archive	AdministratorAccess + PowerUserAccess on all 4

Local AWS CLI profiles

~/.aws/config on Taha's dev machine has profiles for each account:

Profile	Account	Role
`askflorence` or `askflorence-mgmt`	778477254880	AdministratorAccess
`askflorence-prod`	039624954211	AdministratorAccess
`askflorence-prod-power`	039624954211	PowerUserAccess
`askflorence-staging`	549136075525	AdministratorAccess
`askflorence-staging-power`	549136075525	PowerUserAccess
`askflorence-log-archive`	754660694122	AdministratorAccess

SSO session is shared (sso-session askflorence) — one aws sso login refreshes credentials for all profiles.

Budgets

All budgets live on the management account and filter by LinkedAccount for per-env attribution.

Budget	Amount	Filter	Alerts
`askflorence-prod-monthly`	$200	LinkedAccount = 039624954211	80% actual + 100% forecast → taha@askflorence.health
`askflorence-staging-monthly`	$100	LinkedAccount = 549136075525	80% actual + 100% forecast
`askflorence-log-archive-monthly`	$50	LinkedAccount = 754660694122	80% actual + 100% forecast
`askflorence-org-total-monthly`	$500	(none — all accounts)	80% actual + 100% forecast — hard cap alert
`askflorence-monthly-budget`	$100	(none — legacy, pre-migration)	Existing

Pending manual actions

[x] AWS Organizations BAA signed — accepted 2026-04-18 via AWS Artifact Organization agreements tab. Covers all current + future member accounts in o-vefew8kgv1. Signed PDF: evidence/aws-organizations-baa-signed-2026-04-18.pdf.
[ ] Enable IAM User/Role Access to Billing Information on mgmt root (778477254880). Chrome agent verification found that even AdministratorAccess SSO gets "You don't have permission to access billing information" — because the account-level toggle was never flipped. Fix: sign in as mgmt root, console top-right account menu → Account → "IAM User and Role Access to Billing Information" → Edit → Activate. Doesn't grant new permissions; just lets existing Billing-scoped policies take effect. After toggle, the 5 budgets (prod/staging/log-archive/org-total/legacy) become visible via SSO and CLI. See change-log.md#2026-04-21T03:00Z.
[x] Root password + MFA complete on all 3 new member accounts as of 2026-04-18. Virtual MFA devices registered. Zero root access keys confirmed. Day-to-day access is SSO AdministratorAccess / PowerUserAccess. See change-log.md#2026-04-18T00:45Z.
[ ] Physical seal of root credentials (password vault entry per account + MFA recovery codes in a physical safe) — Taha's personal hygiene task, outside AWS infra scope.

account-inventory.md — full service + account inventory across the company
access-control.md — access granting/revocation process
change-log.md — timestamped log of infra changes (this document was added at row #1 of that log)