Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Mastering AWS Organizations with Infrastructure as code

In this webinar, we will take a deep dive into AWS Organizations, what it is, and why you should use it. We will review how to use the open-source tool org-formation to manage your entire AWS Organization using infrastructure-as-code.

  • Be the first to comment

  • Be the first to like this

Mastering AWS Organizations with Infrastructure as code

  1. 1. Managing your AWS Organization using org-formation Olaf Conijn, IT Architect
  2. 2. • Full subsidiary of ABN AMRO • Online savings since 2008 • 0.5 mio customers in NL and DE • Combined savings & payments product • Small organization (<160 fte) • Focus on UX and customer value About Moneyou
  3. 3. Moneyou <3 Serverless We believe Serverless greatly improves • Time to market of solutions built • Ability to maintain the software we built • Focus on delivering customer value • Ability to demonstrate we are compliant
  4. 4. AWS Services typically used at Moneyou • Some satisfy functional requirements API GW, Lambda, DynamoDB, Step Functions • Some satisfy nonfunctional requirements SQS, SNS, CloudWatch • Some satisfy IT Security requirements Secrets Manager, IAM and AWS Organizations Serverless, not FaaS
  5. 5. Serverless, not FaaS Serverless services have: • Inherently scalable • Highly available • Pay per use / no capacity planning • Host security by AWS • Compliant under PCI, SOC, ISO & others
  6. 6. AWS Organizations • Account management service • Provides API to create new AWS accounts • Central insight in billing & cost analysis • Hierarchically organize AWS accounts • Apply policies to accounts
  7. 7. Probably for the same reason you don’t run production software on development environments. Why have multiple AWS accounts?
  8. 8. Why have multiple AWS accounts? Benefits of a multi account setup • Limited blast radius – because mistakes can happen • Security boundary – simplifies implementing least privilege • Data governance – control access to GDPR governed data • Scalability – every account gets their own resource limits • Cost monitoring – without tagging https://dev.to/oconijn/off-to-a-great-start-with-aws-organizations-1i74 😲
  9. 9. Why have multiple AWS accounts? Typical Serverless application design • Resources: API GW, Lambda, SNS, Dynamo DB • Services: Unit of deployment, high cohesion (within), low coupling • Product: Value delivered to customer, multiple environments By default, all resources within an account can be accessed by other resources within that account (resource policy). 🤯
  10. 10. Why not use AWS Organization? Reasons not to use AWS Organizations • Didn’t know – well, not anymore • Don’t care – fair enough • Too Complex – we’ve fixed this > npm i aws-organization-formation -g
  11. 11. AWS Organization Formation Three main use cases 1. Infrastructure as code for AWS Organizations 2. Continuous delivery of account baseline 3. Cross account, cross region annotated CloudFormation
  12. 12. Infra as code for AWS Organizations
  13. 13. Infra as code for AWS Organizations Support for 1. Infra as code support for AWS Organizations resources 2. Creating AWS Accounts, OUs and SCPs 3. Multiple models per AWS Organization 4. Setting up Account IAM Alias, Password Policy and Enterprise Support 5. Change sets that can be reviewed and applied
  14. 14. Continuous delivery of account baseline
  15. 15. Continuous delivery of account baseline Support for 1. Defining tasks in a task file 2. Defining dependencies between tasks (DependsOn) 3. Task types: update-organization, update-stacks, include, CDK, SLS, .. 4. Extensibility (through event-bridge) 5. Task file parameters & expressions (like !Ref, !GetAtt and !Sub)
  16. 16. Organization annotated CloudFormation
  17. 17. Organization annotated CloudFormation Support for 1. Deploying CloudFormation resources to multiple accounts 2. Referencing organization resources and attributes 3. Resolving !Ref across target AWS Accounts and Regions 4. Generating resources / producing resources `for-each` account in binding
  18. 18. Organization annotated CloudFormation Comparison with CloudFormation StackSets 1. Both deploy stacks across multiple accounts / regions 2. Org-formation deploys stacks based on different parts of single templates 3. Org-formation supports cross account / cross region !Ref, !GetAtt 4. Support for CloudFormation, serverless.com, CDK
  19. 19. Thank you! • No time like the current to get started with AWS Organizations! • Try org-formation at https://github.com/OlafConijn/AwsOrganizationFormation • Reach out over email: olaf.conijn at moneyou.nl • Questions, issues, stars & PRs are welcome!

×