Managing your
AWS Organization
using org-formation
Olaf Conijn, IT Architect

• Full subsidiary of ABN AMRO
• Online savings since 2008
• 0.5 mio customers in NL and DE
• Combined savings & payments product
• Small organization (<160 fte)
• Focus on UX and customer value
About Moneyou

Moneyou <3 Serverless
We believe Serverless greatly improves
• Time to market of solutions built
• Ability to maintain the software we built
• Focus on delivering customer value
• Ability to demonstrate we are compliant

AWS Services typically used at Moneyou
• Some satisfy functional requirements
API GW, Lambda, DynamoDB, Step Functions
• Some satisfy nonfunctional requirements
SQS, SNS, CloudWatch
• Some satisfy IT Security requirements
Secrets Manager, IAM and AWS Organizations
Serverless, not FaaS

Serverless, not FaaS
Serverless services have:
• Inherently scalable
• Highly available
• Pay per use / no capacity planning
• Host security by AWS
• Compliant under PCI, SOC, ISO & others

AWS Organizations
• Account management service
• Provides API to create new AWS accounts
• Central insight in billing & cost analysis
• Hierarchically organize AWS accounts
• Apply policies to accounts

Probably for the same reason you don’t run
production software on development environments.
Why have multiple AWS accounts?

Why have multiple AWS accounts?
Benefits of a multi account setup
• Limited blast radius – because mistakes can happen
• Security boundary – simplifies implementing least privilege
• Data governance – control access to GDPR governed data
• Scalability – every account gets their own resource limits
• Cost monitoring – without tagging
https://dev.to/oconijn/off-to-a-great-start-with-aws-organizations-1i74
😲

Why have multiple AWS accounts?
Typical Serverless application design
• Resources: API GW, Lambda, SNS, Dynamo DB
• Services: Unit of deployment, high cohesion (within), low coupling
• Product: Value delivered to customer, multiple environments
By default, all resources within an account can be accessed by other
resources within that account (resource policy).
🤯

Why not use AWS Organization?
Reasons not to use AWS Organizations
• Didn’t know – well, not anymore
• Don’t care – fair enough
• Too Complex – we’ve fixed this
> npm i aws-organization-formation -g

AWS Organization Formation
Three main use cases
1. Infrastructure as code for AWS Organizations
2. Continuous delivery of account baseline
3. Cross account, cross region annotated CloudFormation

Infra as code for AWS Organizations

Infra as code for AWS Organizations
Support for
1. Infra as code support for AWS Organizations resources
2. Creating AWS Accounts, OUs and SCPs
3. Multiple models per AWS Organization
4. Setting up Account IAM Alias, Password Policy and Enterprise Support
5. Change sets that can be reviewed and applied

Continuous delivery of account baseline

Continuous delivery of account baseline
Support for
1. Defining tasks in a task file
2. Defining dependencies between tasks (DependsOn)
3. Task types: update-organization, update-stacks, include, CDK, SLS, ..
4. Extensibility (through event-bridge)
5. Task file parameters & expressions (like !Ref, !GetAtt and !Sub)

Organization annotated CloudFormation

Organization annotated CloudFormation
Support for
1. Deploying CloudFormation resources to multiple accounts
2. Referencing organization resources and attributes
3. Resolving !Ref across target AWS Accounts and Regions
4. Generating resources / producing resources `for-each` account in binding

Organization annotated CloudFormation
Comparison with CloudFormation StackSets
1. Both deploy stacks across multiple accounts / regions
2. Org-formation deploys stacks based on different parts of single templates
3. Org-formation supports cross account / cross region !Ref, !GetAtt
4. Support for CloudFormation, serverless.com, CDK

Thank you!
• No time like the current to get started with AWS Organizations!
• Try org-formation at
https://github.com/OlafConijn/AwsOrganizationFormation
• Reach out over email: olaf.conijn at moneyou.nl
• Questions, issues, stars & PRs are welcome!