Managing your
AWS Organization
using org-formation
Olaf Conijn, IT Architect
About Moneyou
• Full subsidiary of ABN AMRO
• Online savings since 2008
• 0.5 million customers in NL and DE
• Combined savings & payments product
• Small organization (under 160 FTE)
• Focus on UX and customer value
Moneyou <3 Serverless
We believe Serverless greatly improves
• Time to market of solutions built
• Ability to maintain the software we built
• Focus on delivering customer value
• Ability to demonstrate we are compliant
AWS Services typically used at Moneyou
• Some satisfy functional requirements
API GW, Lambda, DynamoDB, Step Functions
• Some satisfy nonfunctional requirements
SQS, SNS, CloudWatch
• Some satisfy IT Security requirements
Secrets Manager, IAM and AWS Organizations
Serverless, not FaaS
Serverless services are:
• Inherently scalable
• Highly available
• Pay per use, with no capacity planning
• Secured at the host level by AWS
• Compliant under PCI DSS, SOC, ISO and others, on the AWS side of the shared-responsibility line; IAM, data and application configuration remain yours to get right
AWS Organizations
• Account management service
• Provides an API to create new AWS accounts
• Consolidated billing and cost analysis across accounts
• Hierarchically organizes AWS accounts into organizational units (OUs)
• Applies policies, notably Service Control Policies (SCPs), to accounts and OUs
Why have multiple AWS accounts?
Probably for the same reason you don’t run
production software on development environments.
Benefits of a multi-account setup
• Limited blast radius, because mistakes can happen
• Security boundary, which simplifies implementing least privilege
• Data governance: control access to GDPR-governed data per account
• Scalability: every account gets its own service quotas
• Cost monitoring per account, without depending on tagging
https://dev.to/oconijn/off-to-a-great-start-with-aws-organizations-1i74
Typical Serverless application design
• Resources: API GW, Lambda, SNS, DynamoDB
• Services: Unit of deployment, high cohesion (within), low coupling
• Product: Value delivered to customer, multiple environments
Within a single account, an identity-based policy alone is enough to let a principal
reach any resource in that account; the resource’s own policy only has to name
principals from other accounts (KMS key policies and IAM role trust policies are the
usual exceptions). Putting environments in separate accounts therefore turns every
cross-environment access into an explicit, reviewable grant on both sides: an identity
policy in the calling account and a resource or trust policy in the owning account.
Why not use AWS Organizations?
Reasons given for not using AWS Organizations
• Didn’t know – well, not anymore
• Don’t care – fair enough
• Too Complex – we’ve fixed this
> npm i aws-organization-formation -g
AWS Organization Formation
Three main use cases
1. Infrastructure as code for AWS Organizations
2. Continuous delivery of account baseline
3. Cross account, cross region annotated CloudFormation
Infra as code for AWS Organizations
Support for
1. Infra as code support for AWS Organizations resources
2. Creating AWS Accounts, OUs and SCPs
3. Multiple models per AWS Organization
4. Setting up the IAM account alias, password policy and Enterprise Support per account
5. Change sets that can be reviewed and applied
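To make the list above concrete, here is an organization template in the format org-formation reads. It is an added example written for this page, not a template from the deck or from the project’s own samples. The `OC::ORG::*` resource types and property names follow the org-formation README as I recall it and should be checked against the current README before use; the account id, e-mail addresses, OU names, aliases and the contents of the SCP are assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09-OC'   # the -OC suffix marks an org-formation template

Organization:
  # The management (master) account is described, not created; it must already exist.
  MasterAccount:
    Type: OC::ORG::MasterAccount
    Properties:
      AccountName: Organization Management
      AccountId: '111111111111'             # assumed id, quoted so YAML keeps it a string

  # SCPs attached to the root apply to every OU and member account below it.
  OrganizationRoot:
    Type: OC::ORG::OrganizationRoot
    Properties:
      ServiceControlPolicies:
        - !Ref ProtectAuditTrailSCP

  WorkloadsOU:
    Type: OC::ORG::OrganizationalUnit
    Properties:
      OrganizationalUnitName: workloads
      Accounts:
        - !Ref ProductionAccount
        - !Ref DevelopmentAccount

  SecurityOU:
    Type: OC::ORG::OrganizationalUnit
    Properties:
      OrganizationalUnitName: security
      Accounts:
        - !Ref SecurityAccount

  # Member accounts are created by org-formation through the Organizations API.
  # Alias, PasswordPolicy and SupportLevel are the per-account settings from the list above.
  ProductionAccount:
    Type: OC::ORG::Account
    Properties:
      AccountName: Production
      RootEmail: aws-production@example.com   # assumed; use a mailbox the security team controls
      Alias: example-production
      PasswordPolicy: !Ref StrictPasswordPolicy
      SupportLevel: enterprise

  DevelopmentAccount:
    Type: OC::ORG::Account
    Properties:
      AccountName: Development
      RootEmail: aws-development@example.com
      Alias: example-development
      PasswordPolicy: !Ref StrictPasswordPolicy

  SecurityAccount:
    Type: OC::ORG::Account
    Properties:
      AccountName: Security
      RootEmail: aws-security@example.com
      Alias: example-security
      PasswordPolicy: !Ref StrictPasswordPolicy

  StrictPasswordPolicy:
    Type: OC::ORG::PasswordPolicy
    Properties:
      MinimumPasswordLength: 16
      RequireLowercaseCharacters: true
      RequireUppercaseCharacters: true
      RequireNumbers: true
      RequireSymbols: true
      MaxPasswordAge: 90
      PasswordReusePrevention: 24
      AllowUsersToChangePassword: true

  # An SCP is a guardrail, not a grant: it can only take permissions away, and it also
  # binds the member account's root user. This one stops anyone in a member account
  # from switching off the audit trail or pulling the account out of the organization.
  ProtectAuditTrailSCP:
    Type: OC::ORG::ServiceControlPolicy
    Properties:
      PolicyName: ProtectAuditTrail
      Description: Deny disabling CloudTrail and leaving the organization
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: DenyAuditTampering
            Effect: Deny
            Action:
              - cloudtrail:StopLogging
              - cloudtrail:DeleteTrail
              - cloudtrail:UpdateTrail
              - organizations:LeaveOrganization
            Resource: '*'
```

`org-formation init organization.yml --region eu-central-1` generates a template like this from an existing organization; `org-formation create-change-set organization.yml` shows what `org-formation update organization.yml` would change, and `org-formation execute-change-set <name>` applies a reviewed change set. Two caveats: SCPs never apply to the management account, so this guardrail protects member accounts only, and a Deny on `cloudtrail:UpdateTrail` with `Resource: '*'` also blocks legitimate trail changes in member accounts, which is acceptable when the organization trail is managed from the management account.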
Continuous delivery of account baseline
Support for
1. Defining tasks in a task file
2. Defining dependencies between tasks (DependsOn)
3. Task types: update-organization, update-stacks, include, CDK, serverless.com (SLS), ...
4. Extensibility (through EventBridge)
5. Task file parameters & expressions (like !Ref, !GetAtt and !Sub)
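The task file below shows the five items above working together. It is an added example for this page, not a file from the deck or the project; the task names, file paths, stack name, region and parameter are assumptions, and the task-file keys follow the org-formation README as I recall it, so check them against the current README.

```yaml
# organization-tasks.yml
# Task-file parameters; referenced below with !Ref, like template parameters in CloudFormation.
Parameters:
  auditRoleName:
    Type: String
    Default: OrganizationAuditRole

# Step 1: bring the organization itself (accounts, OUs, SCPs) in line with the model.
OrganizationUpdate:
  Type: update-organization
  Template: ./organization.yml

# Step 2: roll out a baseline stack. DependsOn makes org-formation finish step 1 first,
# so an account that was just created in organization.yml is already a valid target.
AuditRole:
  Type: update-stacks
  DependsOn: OrganizationUpdate
  Template: ./audit-role.yml            # an organization-annotated CloudFormation template
  StackName: organization-audit-role
  TerminationProtection: true           # a baseline stack should not be deletable by accident
  DefaultOrganizationBindingRegion: eu-central-1
  Parameters:
    auditRoleName: !Ref auditRoleName   # passed through to the template as a stack parameter

# Step 3: include a task file owned by another team; it runs only after the role exists.
SecurityTooling:
  Type: include
  DependsOn: AuditRole
  Path: ./security/_tasks.yml
```

`org-formation perform-tasks organization-tasks.yml` runs the file top to bottom, honouring `DependsOn`; running it from a pipeline on every commit is what turns the account baseline into continuous delivery rather than a one-off setup.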
Organization annotated CloudFormation
Support for
1. Deploying CloudFormation resources to multiple accounts
2. Referencing organization resources and attributes
3. Resolving !Ref across target AWS Accounts and Regions
4. Generating a resource for each account in a binding (the template’s `for-each` construct)
Comparison with CloudFormation StackSets
1. Both deploy stacks across multiple accounts / regions
2. Org-formation can deploy different parts of a single template to different accounts and regions (bindings are per resource, not per stack)
3. Org-formation supports cross account / cross region !Ref, !GetAtt
4. Support for CloudFormation, serverless.com, CDK
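As an added example (not code from the deck or from the org-formation project), the template below puts a read-only audit role in every member account and the matching identity policy in a single security account, from one file, which is the per-resource targeting that StackSets do not offer. It assumes `./organization.yml` defines an account with the logical name `SecurityAccount`; the role name, region and policy contents are assumptions too, and the binding keys follow the org-formation README as I recall it. It also illustrates the earlier point about account boundaries: the cross-account grant has to exist on both sides, the role’s trust policy in the member account and the identity policy in the security account, and both halves are visible and reviewable in this one file.

```yaml
AWSTemplateFormatVersion: '2010-09-09-OC'
Description: Read-only audit role in every member account, assumable only from the security account

# The organization model gives this template logical names for accounts.
Organization: !Include ./organization.yml

# Bindings select which accounts (and regions) a resource is deployed to.
OrganizationBindings:
  MemberAccounts:                 # every account in the organization except the management account
    Account: '*'
    IncludeMasterAccount: false
    Region: eu-central-1
  SecurityAccountOnly:            # a single account, by its logical name in organization.yml
    Account: !Ref SecurityAccount
    Region: eu-central-1

Parameters:
  auditRoleName:
    Type: String
    Default: OrganizationAuditRole

Resources:
  # Deployed into every member account. The trust policy is the role's resource policy:
  # it is the explicit grant a principal from another account needs, and it is what
  # keeps the grant from being wider than one account plus MFA.
  AuditRole:
    Type: AWS::IAM::Role
    OrganizationBinding: !Ref MemberAccounts
    Properties:
      RoleName: !Ref auditRoleName
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              # ${SecurityAccount} resolves to that account's 12-digit id at deploy time
              AWS: !Sub 'arn:aws:iam::${SecurityAccount}:root'
            Action: sts:AssumeRole
            Condition:
              Bool:
                aws:MultiFactorAuthPresent: 'true'
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/SecurityAudit   # AWS managed read-only audit policy

  # Deployed once, into the security account only. Same template, different target:
  # this identity policy is the other half of the grant; without it the trust policy
  # above is not enough either.
  AssumeAuditRolePolicy:
    Type: AWS::IAM::ManagedPolicy
    OrganizationBinding: !Ref SecurityAccountOnly
    Properties:
      ManagedPolicyName: AssumeOrganizationAuditRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            # The account part is a wildcard: which accounts actually accept the call is
            # decided by each target role's trust policy, so the grant stays bounded by
            # the organization model rather than by a hand-maintained list of ids.
            Resource: !Sub 'arn:aws:iam::*:role/${auditRoleName}'
            Condition:
              Bool:
                aws:MultiFactorAuthPresent: 'true'
```

`org-formation update-stacks audit-role.yml --stack-name organization-audit-role` deploys the stack to every account selected by the bindings; adding an account to `organization.yml` and re-running is enough to bring the new account under the same audit role, with no per-account manual step.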
Thank you!
• No time like the present to get started with AWS Organizations!
• Try org-formation at
https://github.com/OlafConijn/AwsOrganizationFormation
• Reach out over email: olaf.conijn at moneyou.nl
• Questions, issues, stars & PRs are welcome!

Mastering AWS Organizations with Infrastructure as code
