Ahmed Belhaj

2026-06-24 · 8 min read

Building a Multi-Account AWS Organization for EdTech

OU segregation, SCP guardrails, federated identity, and student lab vending — operating 100+ accounts at EdTech scale.

Why multi-account

A single AWS account cannot safely host production LMS tenants, telecom workloads, security audit tooling, and hundreds of student lab environments. Account boundaries are blast-radius control.

OU design

Seven organizational units, grouped below by purpose, map to operational intent:

  • Infrastructure — identity, network, shared services, CI/CD
  • Platform — data and analytics workloads
  • Security — audit, log archive, security tools
  • Workloads — production, staging, development
  • Students — active and archived lab accounts
  • Sandbox and Quarantine — experimentation and suspension

SCP strategy

Service Control Policies enforce guardrails at the OU level. Student OUs get deny-lists for high-risk services. Tag policies support GDPR labeling and cost allocation.
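To make the deny-list approach concrete, here is an added example (not the organization's actual policy) that builds a Student OU SCP with two guardrails: an explicit deny on an assumed set of high-risk actions, and a deny on any regional API call outside an approved-region list (global services such as IAM and STS are exempted via NotAction, as the standard region-restriction pattern requires). It also includes a small local evaluator so the deny semantics can be checked offline before the policy is attached, plus a check against the 5,120-character SCP size limit. The action list and region list are constructed for illustration.

```python
import fnmatch
import json

# Constructed example: actions a student lab account should never be able to call.
# This list is an assumption for illustration, not the article author's real deny-list.
HIGH_RISK_ACTIONS = [
    "organizations:*",
    "account:*",
    "iam:CreateUser",
    "iam:CreateAccessKey",
    "ec2:PurchaseReservedInstancesOffering",
    "route53domains:*",
]

# Global services that must be exempted from a region-restriction deny, otherwise
# sign-in and role assumption break. A real deployment expands this list.
GLOBAL_SERVICE_ACTIONS = ["iam:*", "sts:*", "organizations:*", "support:*"]

SCP_MAX_CHARS = 5120  # hard limit on SCP document size in AWS Organizations


def build_student_scp(denied_actions, allowed_regions):
    """Return an SCP document (as a dict) with an action deny-list and a region fence."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyHighRiskServices",
                "Effect": "Deny",
                "Action": sorted(denied_actions),
                "Resource": "*",
            },
            {
                "Sid": "DenyOutsideApprovedRegions",
                "Effect": "Deny",
                "NotAction": GLOBAL_SERVICE_ACTIONS,
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {"aws:RequestedRegion": list(allowed_regions)}
                },
            },
        ],
    }


def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def scp_denies(policy, action, region):
    """Return the Sid of the first Deny statement that applies to the call, else None.

    SCPs never grant access; this only answers whether the guardrail blocks the call.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "Action" in stmt:
            hit = any(_matches(p, action) for p in stmt["Action"])
        else:
            # NotAction: the statement applies to every action NOT listed.
            hit = not any(_matches(p, action) for p in stmt["NotAction"])
        if not hit:
            continue
        # Only the StringNotEquals/aws:RequestedRegion condition is modelled here.
        allowed = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion")
        if allowed is not None and region in allowed:
            continue  # condition not met, so this deny does not apply
        return stmt["Sid"]
    return None


def scp_size_ok(policy):
    """Check the minified JSON fits under the SCP character limit."""
    return len(json.dumps(policy, separators=(",", ":"))) <= SCP_MAX_CHARS


if __name__ == "__main__":
    scp = build_student_scp(HIGH_RISK_ACTIONS, ["eu-west-1"])
    print(json.dumps(scp, indent=2))
    for call in [("iam:CreateUser", "eu-west-1"), ("s3:GetObject", "us-east-1"), ("s3:GetObject", "eu-west-1")]:
        print(call, "->", scp_denies(scp, *call))
```

The evaluator is deliberately narrow (one condition key, no resource matching) and is meant as a pre-attachment sanity check, not a substitute for the IAM policy simulator; the size check matters because deny-lists tend to grow until they silently fail to attach.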

Identity federation

Authentik federates through LDAP into IAM Identity Center, with permission sets for admins, staff, mentors, and students. One identity plane, many account boundaries.

When demand shifts

We retired EKS in late 2025 when multi-program demand contracted. Org spend fell ~47% from peak to trough. Active production clients moved to ECS Fargate. That is platform strategy responding to reality — not a cost-cutting failure.