This presentation focuses on the evolution of the AWS account and the need for multiple accounts: what AWS Organizations is, how to set it up and use it effectively, and how to create and manage multiple AWS accounts efficiently with consolidated billing, centralized logging, security and controlled policy. We look at Service Control Policies, a sample multi-account strategy and best practices for working with multiple accounts.
6. What is an AWS Account?
A container for your AWS resources
You can create and manage resources in your account
Access is controlled through Identity & Access Management (IAM)
7. Evolution of AWS Adoption
Incrementally & organically
Mergers & acquisitions
Security & compliance
Isolation of application or environment
14. What is AWS Organizations?
Central governance and management across all your AWS accounts
15. AWS Organizations - Key Features
Manage & define your organization and accounts
Control access and permissions
Audit, monitor, and secure your environment for compliance
Share resources across accounts
Centrally manage costs and billing
16. AWS Organizations – Steps to Create & Configure
Create organization → Create organizational units → Create or invite member accounts → Create service control policies → Test restrictions
AWS Organizations creates the OrganizationAccountAccessRole in each member account it creates; assume that role from the master account to administer the new account.
A created member account's root user has no password; set one through the root-user password-reset ("Forgot password") flow using the account's email address.
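The five steps above driven through the AWS Organizations API, as an added example that is not part of the presentation. It uses boto3 method names and response shapes as they exist in the SDK, but the functions take the client as a parameter so the flow can be exercised against a stub; the OU name, account name, e-mail address and the sample SCP are placeholders (assumptions), not values from the presentation.

```python
"""Added example (not from the presentation): the five steps of the slide
driven through the AWS Organizations API with boto3.  Functions take the
client as a parameter so they can be exercised without an AWS account.
OU/account names, the e-mail address and the SCP content are assumptions.
"""
import json
import time

# Deny-list SCP used for the "create service control policies" step: keeps
# member accounts from switching off the trail that the master account owns.
PROTECT_CLOUDTRAIL_SCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
        "Resource": "*",
    }],
})


def create_organization(org):
    """Step 1: create the organization with all features (required for SCPs)."""
    org.create_organization(FeatureSet="ALL")
    return org.list_roots()["Roots"][0]["Id"]          # e.g. "r-abcd"


def create_ou(org, root_id, name):
    """Step 2: an organizational unit directly under the root."""
    resp = org.create_organizational_unit(ParentId=root_id, Name=name)
    return resp["OrganizationalUnit"]["Id"]            # e.g. "ou-abcd-12345678"


def create_member_account(org, email, name, poll_seconds=5, attempts=24):
    """Step 3: create (rather than invite) a member account.  Creation is
    asynchronous, so poll the request status.  AWS creates the
    OrganizationAccountAccessRole in the new account; its root user has no
    password until one is set through the password-reset flow."""
    req_id = org.create_account(Email=email, AccountName=name)[
        "CreateAccountStatus"]["Id"]
    for _ in range(attempts):
        status = org.describe_create_account_status(
            CreateAccountRequestId=req_id)["CreateAccountStatus"]
        if status["State"] == "SUCCEEDED":
            return status["AccountId"]
        if status["State"] == "FAILED":
            raise RuntimeError(status.get("FailureReason", "unknown"))
        time.sleep(poll_seconds)
    raise TimeoutError("account creation still in progress")


def create_and_attach_scp(org, root_id, target_id, name, content):
    """Step 4: enable the SCP policy type at the root, create the policy and
    attach it to an OU or account.  enable_policy_type raises
    PolicyTypeAlreadyEnabledException on a second run; catch it if you need
    the function to be idempotent."""
    org.enable_policy_type(RootId=root_id, PolicyType="SERVICE_CONTROL_POLICY")
    policy_id = org.create_policy(
        Content=content, Description=name, Name=name,
        Type="SERVICE_CONTROL_POLICY")["Policy"]["PolicySummary"]["Id"]
    org.attach_policy(PolicyId=policy_id, TargetId=target_id)
    return policy_id


def member_session_credentials(sts, account_id):
    """Step 5: test the restrictions by assuming the role AWS created in the
    member account and running the denied actions with these credentials."""
    role = f"arn:aws:iam::{account_id}:role/OrganizationAccountAccessRole"
    return sts.assume_role(RoleArn=role, RoleSessionName="scp-test")["Credentials"]


def build_organization(org, ou_name="Workloads",
                       email="aws-workloads@example.com", poll_seconds=5):
    """Steps 1-4 end to end; returns the identifiers a test needs."""
    root_id = create_organization(org)
    ou_id = create_ou(org, root_id, ou_name)
    account_id = create_member_account(org, email, "workloads-prod",
                                       poll_seconds=poll_seconds)
    # New accounts land under the root; move it into the OU so OU SCPs apply.
    org.move_account(AccountId=account_id, SourceParentId=root_id,
                     DestinationParentId=ou_id)
    policy_id = create_and_attach_scp(org, root_id, ou_id, "ProtectCloudTrail",
                                      PROTECT_CLOUDTRAIL_SCP)
    return {"root": root_id, "ou": ou_id, "account": account_id,
            "policy": policy_id}


if __name__ == "__main__":
    import boto3   # only needed for a real run, from the master account
    print(build_organization(boto3.client("organizations")))
```

Run it from credentials in the master account; the role assumption in the last step is what an automated "test restrictions" job would use, and it is also why the master account itself must stay tightly controlled.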
19. AWS Organizations – Components …
Ø Invitation - the process of asking another account to join your organization
Ø Handshake - the multi-step process of exchanging information between the two parties (the invitation and its acceptance or decline)
Ø Feature Set
Ø All Features - consolidated billing + all features (the default for new organizations)
Ø Consolidated billing - shared billing functionality only
Note: once all features are enabled, an organization cannot be reverted to consolidated billing only
Ø Service Control Policies
Ø Tag Policies
Ø Allow lists vs deny lists
Ø Default is FullAWSAccess (allow everything); either replace it with an allow list of the desired services, or keep it and add explicit Deny statements
Works with All Features only
20. AWS Organizations – Access Mechanisms
AWS Management Console
AWS Command Line Tools
AWS SDKs
AWS Organizations HTTPS Query API
35. Service Control Policies
• The SCP policy type is enabled or disabled at the organization root (requires All Features)
• No effect on the master (management) account; SCPs restrict member accounts only, including their root users
• SCPs don't grant permissions; they only set the maximum available permissions (ALLOW or DENY). An action must be allowed by the SCPs at every level from the root down to the account, and the identity still needs an IAM policy that allows it
• Examples:
• SCP attached at the root (or the OU holding the member accounts) that DENIES CloudTrail actions in member accounts, at minimum stopping, deleting or reconfiguring trails; all logs continue to be recorded by the CloudTrail trail managed from the master account
• SCP for the "database" account that allows only database service access: any user, group or role in the "database" account is denied access to every other service's operations, including reads
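How the two SCPs on this slide combine with the default FullAWSAccess policy along the root → OU → account path, as an added example that is not part of the presentation. The evaluator below models the documented rule (an action is permitted only if every level allows it and no level denies it); the hierarchy, the list of "database" service prefixes and the exact CloudTrail actions denied are assumptions chosen for illustration.

```python
"""Added example (not from the presentation): a minimal evaluator for how
SCPs combine along the organization tree, with the two SCPs the slide
describes.  The hierarchy and the service lists are assumptions.

Rule modelled: an action is permitted for a member account only if, at EVERY
level from the root down to the account, some attached SCP allows it and no
attached SCP denies it.  SCPs never grant permissions; an IAM policy inside
the account is still required.
"""
import json
from fnmatch import fnmatchcase

# The default SCP AWS attaches to every root, OU and account.
FULL_AWS_ACCESS = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Deny-list SCP: member accounts may not stop, delete or reconfigure trails.
PROTECT_CLOUDTRAIL = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                   "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"],
        "Resource": "*",
    }],
})

# Allow-list SCP for the "database" account (service prefixes are assumptions).
DATABASE_ONLY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["rds:*", "dynamodb:*", "elasticache:*"],
        "Resource": "*",
    }],
})


def _statements(policy_json):
    stmts = json.loads(policy_json)["Statement"]
    return stmts if isinstance(stmts, list) else [stmts]


def _actions(stmt):
    acts = stmt.get("Action", [])
    return acts if isinstance(acts, list) else [acts]


def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports '*' wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def level_allows(policies, action):
    """True if the SCPs attached at ONE level permit `action`."""
    allowed = False
    for policy in policies:
        for stmt in _statements(policy):
            if any(_matches(p, action) for p in _actions(stmt)):
                if stmt["Effect"] == "Deny":
                    return False          # an explicit deny at this level wins
                allowed = True
    return allowed                        # nothing attached => nothing allowed


def scp_permits(levels, action):
    """`levels` lists the SCPs attached at the root, each OU, then the account."""
    return all(level_allows(policies, action) for policies in levels)


def demo():
    # Constructed hierarchy: root -> "Workloads" OU -> "database" account,
    # where the account has FullAWSAccess replaced by the allow list.
    tree = [
        [FULL_AWS_ACCESS, PROTECT_CLOUDTRAIL],   # root
        [FULL_AWS_ACCESS],                        # Workloads OU
        [DATABASE_ONLY],                          # "database" account
    ]
    return {action: scp_permits(tree, action)
            for action in ("rds:CreateDBInstance", "ec2:RunInstances",
                           "cloudtrail:StopLogging", "cloudtrail:DescribeTrails")}
```

Note the side effect of the allow-list approach in `demo()`: the "database" account cannot even read its own trails (`cloudtrail:DescribeTrails`) because the allow list at the account level does not include CloudTrail; allow lists must be maintained as services are added, which is why many organizations keep FullAWSAccess and layer deny-list SCPs on top.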
47-48. Log Everything Centrally
AWS CloudTrail
• Enable in all regions
• Log to a central bucket in the security account
AWS Config
• Turn on and log to a central bucket in the security account
• Include global resources
VPC Flow Logs
Application logs (Amazon EC2, Amazon CloudWatch)
Storage and analysis: Amazon S3, Amazon Glacier, Amazon Elasticsearch
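The piece of the central-logging setup that most often goes wrong is the bucket policy on the security account's CloudTrail bucket: CloudTrail in each member account must be allowed to write, but only under that account's own `AWSLogs/<account-id>/` prefix, and with `bucket-owner-full-control` so the security account owns the objects. The following is an added example, not from the presentation; the bucket name and account IDs are constructed placeholders.

```python
"""Added example (not from the presentation): generate the bucket policy for a
central CloudTrail bucket in the security account and check which keys it lets
CloudTrail write.  Bucket name and account IDs are constructed placeholders.
"""
import json


def central_trail_bucket_policy(bucket, account_ids):
    """CloudTrail needs s3:GetBucketAcl on the bucket and s3:PutObject under
    AWSLogs/<account>/ for each member account that ships logs here.
    Hardening not shown: add an aws:SourceArn condition naming each trail so
    only those trails, not any trail in those accounts, can write."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": bucket_arn,
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                # One prefix per account: an account cannot write (or
                # overwrite) objects under another account's prefix.
                "Resource": [f"{bucket_arn}/AWSLogs/{acct}/*"
                             for acct in account_ids],
                "Condition": {"StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"}},
            },
        ],
    }


def put_allowed(policy, bucket, key):
    """True if an Allow statement covers s3:PutObject for this object key."""
    target = f"arn:aws:s3:::{bucket}/{key}"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "s3:PutObject":
            continue
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        for res in resources:
            if res.endswith("/*") and target.startswith(res[:-1]):
                return True
    return False


if __name__ == "__main__":
    policy = central_trail_bucket_policy("org-cloudtrail-logs",
                                         ["111111111111", "222222222222"])
    print(json.dumps(policy, indent=2))
```

Because the policy enumerates account IDs, it must be regenerated and re-applied whenever an account joins or leaves the organization; a compliance script that diffs the policy's prefixes against the organization's account list is a cheap check for that drift.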
49. Identity & Access Management
• IAM
• AWS Directory Service (Active Directory)
• Cross-account roles
• SAML
• Custom identity providers
• Web identity federation
51. Managing Multi-Accounts – Best Practice
Ø Use a group alias rather than an individual email address as the account email address
Ø Create and implement AWS tagging standards across your accounts
Ø Verify compliance regularly
Ø Leverage compliance monitoring scripts to monitor your accounts