AWS Organization

Accounts

Root (r-zdoj)
├── securityv0-mgmt (365066817305) — billing only, console only, no resources ever
├── SecurityV0 Platform (OU) — empty, future use
└── SV0 Demo Labs (OU)
    └── sv0-demo-lab-1 (087380083467) — Bedrock/MCP demo scenarios
  • Management account: Console only. No API keys, no programmatic access, no deployed resources.
  • Member accounts: SSO via IAM Identity Center (us-east-2). Short-lived credentials, no static keys.
  • Credits: $5,000 via Mercury AWS Activate, applied to management/payer account.

Terraform Conventions

  • State: S3 bucket terraform-state-{account-id} + DynamoDB table terraform-locks (same name in every account). Versioning enabled, public access blocked. Never commit .tfstate to git.
  • Tags: All resources get Project=securityv0, Environment=demo-lab, ManagedBy=terraform via provider default_tags.
  • Naming: sv0-{purpose} for IAM roles, sv0-{scenario}-{function} for Lambda, sv0-{purpose}-{account-id} for S3 buckets.
  • Repo: sv0-demo-labs — one Terraform root per lab account.
  • Destroy when idle: Demo lab resources should be destroyable to preserve credits.
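The conventions above as one Terraform root for sv0-demo-lab-1, written here as an added example rather than code from the sv0-demo-labs repo; the state key layout, the lab region (us-east-2, matching the Identity Center region) and the lock table's billing mode are assumptions.

```hcl
# Added example, not the sv0-demo-labs repo's own code; key, region and billing mode are assumed.
terraform {
  backend "s3" {
    bucket         = "terraform-state-087380083467"       # terraform-state-{account-id}
    key            = "sv0-demo-lab-1/terraform.tfstate"   # assumed key layout
    region         = "us-east-2"                          # assumed lab region
    dynamodb_table = "terraform-locks"                    # same name in every account
    encrypt        = true
  }
}

provider "aws" {
  region = "us-east-2"
  default_tags {                                           # applied to every resource
    tags = {
      Project     = "securityv0"
      Environment = "demo-lab"
      ManagedBy   = "terraform"
    }
  }
}

resource "aws_s3_bucket" "tfstate" {                       # the state bucket itself
  bucket = "terraform-state-087380083467"
}
resource "aws_s3_bucket_versioning" "tfstate" {            # versioning enabled
  bucket = aws_s3_bucket.tfstate.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_public_access_block" "tfstate" {   # public access blocked
  bucket                  = aws_s3_bucket.tfstate.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_dynamodb_table" "tf_locks" {
  name         = "terraform-locks"
  hash_key     = "LockID"                                  # required by the S3 backend
  billing_mode = "PAY_PER_REQUEST"
  attribute {
    name = "LockID"
    type = "S"
  }
}
```

Because the backend points at the bucket this root creates, bootstrap the bucket and lock table with local state first, then add the backend block and run `terraform init -migrate-state`.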