Multi-Account AWS Organization
Landing zone, OU design, SCP guardrails, and FinOps for a multi-program EdTech platform.
Problem
Production LMS tenants, student labs, and security auditing could not coexist safely in one AWS account.
Constraints
- 18 student lab accounts with lifecycle management
- GDPR and CIS compliance requirements
- Federated SSO — no standing local IAM users
- Platform rationalization as program demand shifted
My role
As Technical Manager at Campusna, I designed and operated the organization — OU structure, SCP strategy, IAM Identity Center federation, account vending, and the EKS-to-ECS rationalization.
Outcome
- 100+ AWS accounts provisioned and managed over platform lifetime
- 29 active member accounts after rationalization
- 7 organizational units with SCP guardrails
- ~47% org spend reduction from peak to trough
- Per-tenant secrets isolation for multi-client LMS
Lessons learned
- Student OUs with SCPs isolate experimentation from production
- Retiring infrastructure when programs end is sound platform strategy
- Multi-account design pays off at lab and tenant scale
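As an added illustration of the guardrail pattern behind the first lesson above (an SCP attached to a student OU), here is a constructed Deny-only policy together with a small evaluator that shows which statement blocks a given action. This is example code, not Campusna's actual SCP: the EU region list, the statement IDs, the exempted global services and the protected audit actions are assumptions chosen to make the point, and the evaluator only models the subset of SCP semantics the policy uses (explicit Deny with Action/NotAction and a StringNotEquals condition on aws:RequestedRegion).

```python
"""Constructed SCP for a student-lab OU plus a minimal Deny evaluator.

Illustrative only: the region allow-list, Sids and action lists are
assumptions, not the organization's real policy.
"""
import fnmatch
import json

# Constructed policy: everything not explicitly denied is still subject to
# the account's own IAM policies; the SCP only sets the outer boundary.
STUDENT_LAB_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            # Keep lab workloads in the assumed EU regions; global services
            # that always report a single home region are exempted via NotAction.
            "Sid": "DenyNonEuRegions",
            "Effect": "Deny",
            "NotAction": [
                "iam:*", "organizations:*", "sts:*", "support:*",
                "cloudfront:*", "route53:*", "budgets:*",
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": ["eu-west-1", "eu-central-1"]
                }
            },
        },
        {
            # A lab account must not detach itself from the organization or
            # silence the audit trail that the security tooling relies on.
            "Sid": "DenyOrgAndAuditTampering",
            "Effect": "Deny",
            "Action": [
                "organizations:LeaveOrganization",
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail",
                "guardduty:DeleteDetector",
            ],
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _action_matches(patterns, action):
    # IAM action patterns use '*' wildcards and are case-sensitive here.
    return any(fnmatch.fnmatchcase(action, p) for p in _as_list(patterns))


def _statement_applies(stmt, action):
    if "Action" in stmt:
        return _action_matches(stmt["Action"], action)
    # NotAction: the statement applies to every action NOT in the list.
    return not _action_matches(stmt["NotAction"], action)


def _condition_holds(stmt, context):
    # Only StringNotEquals is modelled; with a missing context key a negated
    # condition evaluates to true, matching IAM behaviour.
    for key, values in stmt.get("Condition", {}).get("StringNotEquals", {}).items():
        if context.get(key) in _as_list(values):
            return False
    return True


def denying_statements(scp, action, region=None):
    """Return the Sids of Deny statements that block `action` in `region`."""
    context = {"aws:RequestedRegion": region} if region else {}
    return [
        stmt["Sid"]
        for stmt in scp["Statement"]
        if stmt["Effect"] == "Deny"
        and _statement_applies(stmt, action)
        and _condition_holds(stmt, context)
    ]


def is_denied(scp, action, region=None):
    return bool(denying_statements(scp, action, region))


def scp_content(scp=STUDENT_LAB_SCP):
    """JSON document as it would be supplied to the Organizations API."""
    return json.dumps(scp, indent=2)


if __name__ == "__main__":
    for action, region in [
        ("ec2:RunInstances", "us-east-1"),
        ("ec2:RunInstances", "eu-west-1"),
        ("cloudtrail:StopLogging", "eu-central-1"),
        ("cloudfront:CreateDistribution", "us-east-1"),
    ]:
        print(f"{action:32} {region:12} -> {denying_statements(STUDENT_LAB_SCP, action, region) or 'allowed by SCP'}")
```

The evaluator is a reasoning aid for reviewing a policy before it is attached, not a replacement for testing in a sandbox account; the JSON string from scp_content() is the shape of document that gets attached to an OU, after which every account vended into that OU inherits the boundary without any per-account configuration.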