AWS Multi-Account Architecture and Best Practices
- 1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Taipei, 10.15.19
- 2. AWS Multi-Account Architecture and Best Practices
Simon Wang 王舜民
Solutions Architect
Amazon Web Services
Taipei
- 3. Agenda
• About the multiple-account strategy and the “landing zone”
• What is a landing zone?
• Implementing a landing zone: two approaches
• Summary
- 4. How many AWS accounts do I need?
- 5. AWS Organizations
Master Account (★)
• Account used to create the organization (payer account)
• Central management and governance hub
Organizational Unit (OU)
• Set of AWS accounts logically grouped within an organization
- 6. AWS Account: Best Isolation Boundary
• Security/resource boundary
• API limits/throttling
• Billing separation
“If Team A can’t support Team B's app when paged at 2 AM, the applications probably shouldn't be in the same account.”
- 7. Why isn’t one account enough?
• Billing
• Many teams
• Security / compliance controls
• Business process
• Isolation
- 8. You Need a “landing zone”
• A configured, secure, scalable, multi-account AWS environment based on AWS best practices
• A starting point for net new development and experimentation
• A starting point for migrating applications
• An environment that allows for iteration and extension over time
- 9. What accounts should I create?
- 10. Master Account
(Diagram: the AWS Organizations Master account; the network path to the data center is shown, but this account has no connection to the DC)
• No connection to DC
• Service control policies
• Consolidated billing
• Volume discount
• Minimal resources
• Limited access
• Restrict the Organizations role!
Team: Cloud Platform Engineering, Platform Team
- 11. Core Accounts
(Diagram: the Core Accounts group beside the AWS Organizations Master; network path to the data center)
• Foundational
• Once per organization
• Have their own development life cycle (dev/qa/prod)
- 12. Core: Log Archive Account
(Diagram: the Log Archive account added to the Core Accounts; network path to the data center)
• Versioned Amazon S3 bucket
• Restricted
• MFA delete
• AWS CloudTrail logs
• Security logs
• Single source of truth
• Alarm on user login
• Limited access
Team: Cloud Platform Engineering, Operation Team
- 13. Core: Security Account
(Diagram: the Security account added to the Core Accounts; network path to the data center)
• Optional data center connectivity
• Security tools and audit
• Amazon GuardDuty master / Amazon Inspector / Firewall Manager
• Cross-account read/write
• Automated tooling
• Limited access
Team: Cloud Platform Engineering, Security Team
- 14. Core: Shared Services Account
(Diagram: the Shared Services account added to the Core Accounts; network path to the data center)
• Connected to DC
• Shared services for the whole organization
  • DNS
  • LDAP/Active Directory
  • Deployment tools
  • Golden AMI
  • Source repo/pipeline
  • Scanning infrastructure
    • Inactive instances
    • Improper tags
  • Monitoring
• Limited access
Team: Cloud Platform Engineering, Platform Team and Operation Team
- 15. Developer Sandbox
(Diagram: the Developer Sandbox in the Developer Accounts group, beside the Core Accounts: Security, Shared Services, Network, Log Archive; network path to the data center)
• No connection to DC
• Innovation space
• Fixed spending limit
• Autonomous
• Experimentation
- 16. Team/Group Accounts
(Diagram: the Team/Group Accounts group beside the Developer Sandbox and the Core Accounts; network path to the data center)
• Based on the level of isolation needed
• Match your development lifecycle
Team: Application / DevOps teams
- 17. Team: Dev Account
(Diagram: the Dev account added to the Team/Group Accounts; network path to the data center)
• Develop and iterate quickly
• Collaboration space
• Stage of SDLC: Dev
- 18. Team: Pre-prod Account
(Diagram: the Pre-Prod account added after Dev in the Team/Group Accounts; network path to the data center)
• Connected to DC
• Production-like
• Staging
• Testing
• Automated deployment
- 19. Team: Production
(Diagram: the Prod account added after Pre-Prod in the Team/Group Accounts; network path to the data center)
• Connected to DC
• Production applications
• Automated deployments
• Limited access
- 20. Team: Shared Services
(Diagram: the Team Shared Services account added to the Team/Group Accounts; network path to the data center)
• Grows organically
• Shared with the team
• Product-specific common services
• Common tooling
• Common services
- 21. Action Plan for Landing Zone …
Create Organizations Master account
• Create a temporary Amazon S3 bucket for AWS CloudTrail logs
• Enable CloudTrail locally
• Enable all features in AWS Organizations
Create Log Archive account
• Create bucket(s) for security logs (AWS CloudTrail, AWS Config)
• Enable MFA delete
• Enable versioning
• Define a limited-access bucket policy
• Add an SCP to prevent s3:delete
• Backfill: enable CloudTrail in the Organizations Master account to send logs to the Log Archive account
• Backfill: copy the CloudTrail logs for actions that happened between Organizations Master creation and Log Archive setup
Create Security account
• Backfill: cross-account roles with trust to the Security account for the Organizations Master and Log Archive accounts
  • Read-only role
  • Read/write role (fewer permissions for assumption)
• <CommonCheckList>
• Create security tooling / AWS Lambda functions for security checks
Create Shared Services account
• <CommonCheckList>
• Connect via DX/VPN to the DC
• Launch common services
  • Directory services
  • Limit monitoring
Create Team accounts
• <CommonCheckList>
- 22. Common Checklist for Account Security
• Secure root credentials
  • MFA
    • OTP
    • U2F could make this easier to manage
    • https://aws.amazon.com/blogs/security/how-to-create-and-manage-users-within-aws-sso/
  • Complex password
  • Establish a rotation policy
• Link to the Organizations Master account if not already a member
• Use a group email/phone as the contact info
• Enable AWS CloudTrail in all regions, send to the Log Archive account
• Enable Amazon GuardDuty in all regions
  • Security account as the Amazon GuardDuty master
  • Operationalize the findings
• Enable AWS Config, send to the Log Archive account
  • Enable appropriate AWS Config rules
    • Amazon S3 bucket encryption
    • Amazon S3 world read/write
    • EBS encryption, etc.
• Create a read-only cross-account Security role
• Create a read/write cross-account Security role
• Create a VPC (non-overlapping IP space)
• Enable federation into the account
  • http://federationworkshopreinvent2016.s3-website-us-east-1.amazonaws.com/
• Define roles and access policies
• Peer/PrivateLink the Amazon VPC with Shared Services
• Add a policy for prefix naming conditions to every account. For example, deny access to Lambda functions that start with “security*”
• Review the CIS Foundations Benchmark and leverage it as appropriate
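The two organization-level policies the action plan and the checklist call for, the SCP that keeps anyone in the Log Archive account from deleting logs and the prefix-naming policy that reserves Lambda functions named security* for the Security role, written out as an added Python example that is not from the deck. The bucket name and the Security role ARN are placeholder assumptions, and scp_denies is a small evaluator of an SCP's Deny side for checking the policies offline, not the AWS policy engine.

```python
import re

# Constructed placeholders (assumptions): substitute the real bucket name and Security role ARN.
LOG_ARCHIVE_BUCKET = "example-org-log-archive"
SECURITY_ROLE_ARN = "arn:aws:iam::*:role/OrgSecurityAudit"


def log_archive_scp(bucket=LOG_ARCHIVE_BUCKET):
    """SCP for the Log Archive account: no principal in the account, admins
    included, can delete log objects, drop the bucket or disable versioning."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "ProtectLogArchive", "Effect": "Deny",
        "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion",
                   "s3:DeleteBucket", "s3:PutBucketVersioning"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]}]}


def security_prefix_scp(role_arn=SECURITY_ROLE_ARN):
    """SCP for every member account: Lambda functions named security* are
    reserved for the Security role; any other principal is denied."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "ReserveSecurityPrefix", "Effect": "Deny", "Action": "lambda:*",
        "Resource": "arn:aws:lambda:*:*:function:security*",
        "Condition": {"ArnNotLike": {"aws:PrincipalArn": role_arn}}}]}


def _matches(pattern, value, ignore_case=False):
    # IAM wildcards: '*' is any run of characters, '?' a single character.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def scp_denies(policy, action, resource, principal_arn=""):
    """True when an explicit Deny in the SCP matches the request. Only the Deny
    side is modelled: without a matching Deny, the account's IAM policies decide."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        # Action names are case-insensitive in IAM; resource ARNs are not.
        if not any(_matches(a, action, ignore_case=True) for a in actions):
            continue
        if not any(_matches(r, resource) for r in resources):
            continue
        exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalArn")
        if exempt and _matches(exempt, principal_arn):
            continue  # the exempted principal is not subject to this Deny
        return True
    return False
```

Attach the first policy to the Log Archive account (or its OU) and the second to every OU; because an SCP Deny wins over any IAM Allow, the log bucket stays intact even for the account's administrators.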
- 23. Approaches to your “landing zone”
AWS Landing Zone (ALZ):
• An implementation of a landing zone based on the multi-account strategy guidance
• An AWS Solution (not an AWS service) that saves time by automating the setup of an environment while implementing an initial security baseline
AWS Control Tower (CT):
• The AWS native-service version of AWS Landing Zone
- 24. Implementation: AWS Landing Zone
- 25. AWS Landing Zone Structure
(Diagram: AWS Organizations with the Shared Services, Log Archive and Security accounts)
- 26. Master Account: SSO (Single Sign-On)
- 27. Master Account: Account Vending Machine
- 28. Team/Group Account: Baselines
• Enable notifications
• Enable Config rules
• Create VPC, delete the default VPC, enable Flow Logs and peering
• Strong password policy
• Set up security roles
• CloudTrail to the Log Archive account
• Enable GuardDuty
- 29. Shared Services Account
• AD service
• Centralized logging search
• Shared service VPC peering
- 30. Log Archive Account
• S3 bucket for centralized logs
• CloudTrail and Config history
- 31. Security Account
• GuardDuty master view
• Compliance and security notifications
- 32. Implementation: AWS Control Tower
- 33. Control Tower: Set up an AWS landing zone
• Landing zone: a preconfigured, secure, scalable, multi-account AWS environment based on best-practice blueprints
• Multi-account management using AWS Organizations
• Identity and federated access management using AWS SSO
• Centralized log archive using AWS CloudTrail and AWS Config
• Cross-account audit access using AWS SSO and AWS IAM
• End-user account provisioning through AWS Service Catalog
• Centralized monitoring and notifications using Amazon CloudWatch and Amazon SNS
(Diagram: the Master account runs AWS Control Tower, AWS Organizations, AWS Single Sign-On, stack sets and AWS Service Catalog. Core OU: Log archive account (aggregates AWS CloudTrail and AWS Config logs; account baseline) and Audit account (security cross-account roles, account baseline, Amazon CloudWatch aggregator, security notifications). Custom OU: provisioned accounts (network baseline, account baseline). Identities come from the AWS SSO directory.)
- 34. Establish Guardrails (Baselines)
• Guardrails are preconfigured governance rules for security, compliance, and operations
• Expressed in plain English to provide abstraction over granular AWS policies
• Preventive guardrails: prevent policy violations through enforcement; implemented using AWS CloudFormation and SCPs
• Detective guardrails: detect policy violations and alert in the dashboard; implemented using AWS Config rules
• Mandatory and strongly recommended guardrails for prescriptive guidance
• Easy selection and enablement on organizational units
(Diagram: a preventive guardrail enabled on organizational units is output as granular AWS policies (SCPs) to the accounts, which are therefore always compliant; detective/remediable guardrails are output as AWS Config rules, and each account shows as compliant or non-compliant.)
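The detective side of the checklist and of this slide, as an added example that is not from the deck: the evaluation logic of a custom AWS Config rule for the "S3 bucket encryption" and "S3 world read/write" checks, producing Config's COMPLIANT / NON_COMPLIANT verdict with an annotation. Each bucket description merges the shapes of the boto3 GetBucketEncryption, GetPublicAccessBlock and GetBucketAcl responses; the sample buckets and grants are constructed.

```python
# Grantee URIs that make an ACL grant world-readable or world-writable.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def evaluate_bucket(bucket):
    """Return (compliance_type, annotation) for one merged bucket description,
    the same pair a custom Config rule reports back through PutEvaluations."""
    findings = []
    rules = bucket.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not any("ApplyServerSideEncryptionByDefault" in r for r in rules):
        findings.append("no default encryption")
    pab = bucket.get("PublicAccessBlockConfiguration", {})
    missing = [k for k in PAB_KEYS if not pab.get(k)]
    if missing:
        findings.append("public access block missing " + ",".join(missing))
    for grant in bucket.get("Grants", []):  # GetBucketAcl grants
        if grant.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES:
            findings.append(f"world {grant['Permission']} via ACL")
    return ("NON_COMPLIANT", "; ".join(findings)) if findings else ("COMPLIANT", "")


def evaluate_all(buckets):
    """Evaluate a {bucket_name: description} map into {bucket_name: (type, annotation)}."""
    return {name: evaluate_bucket(desc) for name, desc in buckets.items()}


# Constructed sample data: a log-archive bucket done right and a sloppy sandbox bucket.
SAMPLE_BUCKETS = {
    "org-log-archive": {
        "ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
        "PublicAccessBlockConfiguration": dict.fromkeys(PAB_KEYS, True),
        "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}],
    },
    "team-scratch": {
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": False},
        "Grants": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                    "Permission": "READ"}],
    },
}

if __name__ == "__main__":
    for name, (verdict, note) in evaluate_all(SAMPLE_BUCKETS).items():
        print(f"{name}: {verdict} {note}")
```

In a real rule the descriptions come from the S3 API in each member account and the verdicts go to AWS Config, which is what turns a NON_COMPLIANT bucket into the dashboard finding the slide describes.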
- 35. Guardrails
- 36. Account Factory
- 37. Dashboard for Oversight
- 38. AWS Control Tower vs. AWS Landing Zone
AWS Landing Zone:
• AWS CloudFormation-based solution
• Fully customizable / owned by the customer
• Most regions supported
• Complete flexibility on account structure
• Complex, requiring significant expertise
AWS Control Tower:
• Managed service by AWS
• Fixed blueprints and guardrails
• Four regions at launch
• Two non-configurable core accounts, no Shared Services, no Amazon VPC in core
• Self-service guided deployment, configurable through the GUI
- 39. Which One Should I Choose?
AWS Control Tower:
• AWS Control Tower capabilities meet what you need
• You are willing to start with a fresh new environment
• You are willing to grow with the managed service
• You don't have a team that can take on the complexity of managing the AWS Landing Zone solution
AWS Landing Zone:
• You have an existing landing zone that meets your current needs and exceeds CT’s feature set
• You need full customization and full control over every aspect of the landing zone
- 40. Best Practice: Multi-account Strategy
(Diagram: AWS Organizations Master Account; Core Accounts: Security, Shared Services, Network, Log Archive; Developer Accounts: Developer Sandbox; Team/Group Accounts: Dev, Pre-Prod, Prod, Team Shared Services; network path to the data center)
• Orgs: account management
• Log Archive: security logs
• Security: security tools, AWS Config rules
• Shared Services: directory, limit monitoring
• Network: Direct Connect, Transit Gateway
• Dev Sandbox: experiments, learning
• Dev: development
• Pre-Prod: staging
• Prod: production
• Team SS: Team Shared Services, data lake
- 41. Benefits of “landing zone”
• Set up a best-practices AWS environment
- 42. Resources to Get You Started
• AWS Control Tower User Guide: https://docs.aws.amazon.com/controltower/latest/userguide/controltower-ug.pdf
• AWS Control Tower Labs: https://controltower.aws-management.tools
• AWS Landing Zone Solution: https://aws.amazon.com/solutions/aws-landing-zone/
• AWS Landing Zone Online Tech Talks: https://pages.awscloud.com/Whats-New-in-AWS-Landing-Zone_2019_0514-ENT_OD.html
- 43. Thank you!
Simon Wang 王舜民
Solutions Architect
shunminw@amazon.com