Multi-Account AWS Environments

First, we need to get a handle on what a multi-account environment is, why we want to have it, the best practices related to it, and how AWS Organizations is central to it.

AWS Organizations is an account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage. AWS Organizations includes account management and consolidated billing capabilities that enable you to better meet the budgetary, security, and compliance needs of your business.

— AWS, _What is AWS Organizations?_

However, knowing what AWS Organizations is and how to use it is just the tip of the iceberg. To get a more complete understanding of the issues around properly configuring multi-account environments, watch the video AWS re:Invent 2019: Architecting security & governance across your landing zone (SEC325-R2).

No really, watch the video before continuing.

Key take-aways:

  • (3:10) With AWS, using multiple AWS Accounts is the best way to create comprehensive security/resource boundaries between teams, i.e., we should think of AWS Accounts as resource containers
  • (12:50) The AWS Organization master account should only contain resources related to setting up AWS Organizations itself
  • (13:35) Your AWS Organization should include a Security Organizational Unit (OU) with a _Log Archive_ account that aggregates the logs from all the accounts in the AWS Organization, acting as a single source of truth. It should also have a _Security Tooling_ account to house automated auditing tools
  • (19:41) Your AWS Organization should include an Infrastructure OU with a _Network_ account to hold shared networking resources, e.g., shared VPCs
  • (22:10) Your AWS Organization should include a Sandbox OU to hold individual developer accounts with fixed spending limits to be used for experimentation
  • (22:50) Your AWS Organization should include a Workloads OU to hold accounts that mirror your development life cycle, e.g., _Dev_, _Pre-Prod_ (aka Staging), and _Prod_
  • (38:29) While one can build a properly configured multi-account environment using a number of AWS services centered around AWS Organizations, AWS Control Tower is a no-cost* service that accomplishes this through a managed set of CloudFormation templates tied together with a user interface

*Note: There is no additional charge to use AWS Control Tower. However, when you set up AWS Control Tower, you will begin to incur costs for AWS services configured to set up your landing zone and mandatory guardrails.
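To make the layout from the talk checkable rather than just a diagram, here is an added example (not code from the talk, from AWS, or from AWS Control Tower) that audits an organization tree against those take-aways: the required OUs and the accounts each must contain, plus the rule that the master account hosts nothing but AWS Organizations itself. The tree shape (`ManagementAccount`, `OrganizationalUnits`, `Accounts`, `Resources`) is an assumption of this example, and the sample organization is constructed by hand.

```python
import re
from typing import Dict, List

# Recommended OUs and the accounts each must contain (names from the talk).
REQUIRED_LAYOUT: Dict[str, List[str]] = {
    "Security": ["Log Archive", "Security Tooling"],
    "Infrastructure": ["Network"],
    "Sandbox": [],
    "Workloads": ["Dev", "Pre-Prod", "Prod"],
}

def _norm(name: str) -> str:
    """Compare names loosely: 'Log Archive' and 'log-archive' are the same."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def audit_landing_zone(org: dict) -> List[str]:
    """Return findings for an organization tree; an empty list means it matches."""
    findings: List[str] = []
    ous = {ou["Name"]: ou for ou in org["OrganizationalUnits"]}
    for ou_name, required in REQUIRED_LAYOUT.items():
        if ou_name not in ous:
            findings.append(f"missing OU: {ou_name}")
            continue
        present = {_norm(a["Name"]) for a in ous[ou_name]["Accounts"]}
        for acct in required:
            if _norm(acct) not in present:
                findings.append(f"{ou_name} OU lacks a {acct} account")
    # The master account should hold nothing beyond AWS Organizations itself.
    extra = [r for r in org["ManagementAccount"]["Resources"] if r != "organizations"]
    if extra:
        findings.append(f"master account hosts non-Organizations resources: {extra}")
    return findings

# Constructed sample (hypothetical): the Network account was parked under
# Workloads, and an S3 bucket was left in the master account.
SAMPLE_ORG = {
    "ManagementAccount": {"Name": "master", "Resources": ["organizations", "s3"]},
    "OrganizationalUnits": [
        {"Name": "Security", "Accounts": [{"Name": "log-archive"}, {"Name": "security-tooling"}]},
        {"Name": "Infrastructure", "Accounts": []},
        {"Name": "Sandbox", "Accounts": [{"Name": "sandbox-alice"}]},
        {"Name": "Workloads", "Accounts": [{"Name": "network"}, {"Name": "dev"},
                                           {"Name": "pre-prod"}, {"Name": "prod"}]},
    ],
}

if __name__ == "__main__":
    for finding in audit_landing_zone(SAMPLE_ORG):
        print("FINDING:", finding)
```

In practice the tree would be assembled from the AWS Organizations API (list OUs and accounts per parent) and run from the Security Tooling account as one of the automated audits the talk calls for.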


AWS Control Tower By Example: Part 1