Wrangling Multiple AWS Accounts with AWS Organizations
•Download as PPTX, PDF•
1 like•72 views
James Kingsmill - AWS Public Sector Summit 2017
Recommended
More Related Content
Recently uploaded
Recently uploaded (20)
Featured
Featured (20)
Wrangling Multiple AWS Accounts with AWS Organizations
- 1. James Kingsmill Cloud Enablement Team Geoscience Australia
- 3. Background 650 Staff Highly technical 40 AWS accounts 200% growth rate
- 4. How do we create new AWS accounts?
- 5. First you... Have a credit card
- 6. Then you... Have a credit card Have a unique group email address
- 7. And then... Have a credit card Have a unique group email address Enter contact details
- 8. More details... Have a credit card Have a unique group email address Enter contact details Enter payment details
- 9. Oh okay... Have a credit card Have a unique group email address Enter contact details Enter payment details Enter captcha
- 10. I just... Have a credit card Have a unique group email address Enter contact details Enter payment details Enter captcha Receive automated phone call
- 11. Losing the will to continue... Have a credit card Have a unique group email address Enter contact details Enter payment details Enter captcha Receive automated phone call Handshake Consolidated Billing account
- 12. ಠ_ಠ Have a credit card Have a unique group email address Enter contact details Enter payment details Enter captcha Receive automated phone call Handshake Consolidated Billing account Manage root credentials, including MFA
- 13. Solution Self-service AWS account creation
- 14. Solution API Gateway Lambda S3 static website Cloudfront Terraform
- 22. Geoscience Australia Cloud Enablement Tom Butler Laura Stanford James Kingsmill Geodesy Brandon Owen
Editor's Notes
- I’m James, I’m Cloud Enablement lead here at GA
- You might know GA from Antony’s keynote and recently MH370
- Just to begin with, this is pretty hard in a bureaucracy
- This was a major blocker. Requests went through helpdesk to the Exchange team and sat in a queue. Low priority. Discovering email sub-addressing (thanks, DTA) was a huge victory
- Enter the company name, country, address, city, state, post code, phone number
- Enter your PIN from the robot
- Manual intervention from the owner of consolidated billing
- Either manage them yourself or give them to us (how to transfer?)
- Organizations advertised at Re-invent, Dec 2016 We were frothing at the mouth over the summer break Released in Feb 2017, we GeoHacked this together in March It’s not self-service YET - still waiting for S3 SSO - but it’s fully-automated (it just needs a Cloud team member to run it)
- The user hits R53 and gets directed to the Cloudfront distribution This directs them to the S3 static website. When the user hits create, it directs them to the API Gateway, which invokes the Lambda. The Lambda calls the Organizations API and creates an account. It then switches roles into the new account and creates the first user and assigns their temporary password. And like everything at GA, it’s all in Terraform. So you can create or destroy the whole stack with a single command.
- Acct name, group email address, first user and their (temp) password
- Auth for the S3 website - we’re hooking up our IdP to Cognito
- Unhelpful error messages, lots of spinning wheel
- Do you need a budget code? How is the Cloud team informed? What if you hit a service limit?
- The whole point of this - getting compute and storage into the hands of our scientists and developers much more quickly. IT is no longer a blocker - we’re leading the charge in getting this stuff to our smartest people.