AWS Organizations Design Considerations
Food for thought before building your cloud estate
Introduction
A common misconception is that only large enterprises need to use multiple accounts within the AWS ecosystem (or cloud in general, for that matter). There are multiple reasons why any organisation or even individual should use a multi-account setup. These include ease of management after setup, cost-efficiency, security, simplified billing, and more.
AWS Organizations is a service provided on the AWS platform that allows you to centrally govern and manage your AWS environment. This makes it easier to scale, optimise, and secure your resources and applications. Therefore, it is critical for any size organisation to design this layout carefully. In this article, I will explore a few design considerations and recommendations for creating your AWS Organization.
Design Considerations
1. Define your Organisational Structure
The first step in designing your AWS Organization is considering your business/use case. Keep future growth, and therefore flexibility, in mind and consider the following elements:
Core accounts: These are the foundation of your AWS Organization and often include management, security, billing, logging, and archiving accounts. Keep the management account free of workloads: SCPs do not apply to it, so anything deployed there sits outside your guardrails.
Business unit accounts: Accounts and Organizational Units (OUs) should be created per business unit or department.
Environmental accounts: There should be separate accounts for the different deployment environments. Some choose to have just two (minimum recommended) for development/testing and production, but a typical setup would include four: Development, Testing, Acceptance, and Production (DTAP).
Another approach could be creating Organizational Units for Infrastructure, Security, Sandbox, Workload, and Suspended. This will heavily depend on the size and purpose of the Organization being created.
2. Tagging Strategy
A consistent tagging strategy across your AWS Organization (accounts and resources) helps you categorise resources, apply security policies, track costs, and perform other management and analytical tasks. AWS Organizations tag policies let you define the allowed keys, casing and values centrally and report on non-compliant resources across accounts. Some things to keep in mind when tagging include:
Implement a tagging policy that clearly defines mandatory and optional tags.
Standardise your tags within this policy to ensure ease of use and consistency.
3. Service Control Policies (SCPs)
Service Control Policies (SCPs) set the maximum permissions available to the accounts in your AWS Organization. They do not grant access on their own (an IAM identity or resource policy must still allow the action) and they never constrain the management account. SCPs can be attached at the root, at Organizational Unit level, or directly to an account, and the policies at every level from the root down to the account must all allow an action for it to be usable. Best practices for SCPs include:
Apply the principle of least privilege: limit what each account can do to what its function requires, no more and no less,
Review the policies regularly and adapt them as requirements change, and
Use them to enforce security and compliance baselines, for example by denying actions that stop CloudTrail logging or let an account leave the Organization.
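The way SCPs combine across the hierarchy is easy to get wrong, so here is a small evaluator, added as an illustration and not AWS code, that reproduces the rule: at each level an action needs an explicit Allow from some attached SCP and no explicit Deny, and the result is the intersection of every level from the account up to the root. The Organization layout, policy names and account IDs are made up, and the evaluator only handles Effect and Action with wildcards (NotAction and Condition are deliberately left out).

```python
"""Toy evaluator for AWS SCP effective-permission semantics (added example, not
AWS code). Assumed org layout: root -> Workloads OU -> Sandbox OU -> account.
Only Effect/Action with '*' wildcards are supported; NotAction and Condition
are omitted on purpose."""
from fnmatch import fnmatchcase

# Constructed organisation tree; each node lists the SCPs attached directly to it.
ORG = {
    "r-root":       {"parent": None,           "scps": ["FullAWSAccess", "DenyLeaveOrgAndLogTampering"]},
    "ou-workloads": {"parent": "r-root",       "scps": ["FullAWSAccess"]},
    "ou-sandbox":   {"parent": "ou-workloads", "scps": ["SandboxAllowList"]},   # FullAWSAccess detached here
    "111111111111": {"parent": "ou-sandbox",   "scps": ["FullAWSAccess"]},      # sandbox account (assumed ID)
    "222222222222": {"parent": "ou-workloads", "scps": ["FullAWSAccess"]},      # production account (assumed ID)
}
MANAGEMENT_ACCOUNT = "999999999999"  # assumed ID; SCPs never apply to it

SCPS = {
    # AWS-managed default attached to every node when the Organization is created.
    "FullAWSAccess": {"Statement": [{"Effect": "Allow", "Action": "*"}]},
    # Deny-list guardrail: an explicit Deny wins over any Allow at any level.
    "DenyLeaveOrgAndLogTampering": {"Statement": [{
        "Effect": "Deny",
        "Action": ["organizations:LeaveOrganization",
                   "cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]}]},
    # Allow-list: with FullAWSAccess detached, only these actions pass this level.
    "SandboxAllowList": {"Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:*", "s3:*", "cloudwatch:*", "sts:*"]}]},
}


def _matches(pattern, action):
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatchcase(action, p) for p in patterns)


def _level_allows(policy_names, action):
    """One level passes only if some attached SCP allows the action and none denies it."""
    allowed = denied = False
    for name in policy_names:
        for stmt in SCPS[name]["Statement"]:
            if _matches(stmt["Action"], action):
                if stmt["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied


def scp_allows(account_id, action):
    """Effective SCP decision: intersection of every level from account to root.
    A True here is still only an upper bound; IAM must also allow the action."""
    if account_id == MANAGEMENT_ACCOUNT:
        return True  # SCPs do not constrain the management account
    node = account_id
    while node is not None:
        if not _level_allows(ORG[node]["scps"], action):
            return False
        node = ORG[node]["parent"]
    return True


if __name__ == "__main__":
    for acct, action in [("111111111111", "ec2:RunInstances"),
                         ("111111111111", "iam:CreateUser"),
                         ("222222222222", "cloudtrail:StopLogging"),
                         (MANAGEMENT_ACCOUNT, "cloudtrail:StopLogging")]:
        print(f"{acct} {action}: {'allowed' if scp_allows(acct, action) else 'blocked by SCP'}")
```

Two things the walk makes visible: the sandbox account is cut down by the allow-list on its OU even though FullAWSAccess is still attached to the account itself, and the root-level Deny reaches every member account regardless of how permissive the lower levels are, while the management account escapes both.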
4. Cross-Account Roles
Cross-account roles should be created to allow access and resource sharing between accounts. A role's trust policy defines which principals in other accounts may assume it, and its permission policy defines what they can do once they have; together these form the trust relationship between the accounts. When creating cross-account roles:
Limit permissions to only what is necessary for the specific use case.
Define and manage the roles in AWS Identity and Access Management (IAM), and name the specific role or user in the trust policy rather than trusting a whole account or "*". Bind trusts within your own Organization with the aws:PrincipalOrgID condition, and require an External ID for trusts granted to third-party accounts.
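To make the trust-policy advice concrete, the following added example (not AWS tooling, and not code from the original article) places an over-broad trust policy beside a hardened one and lints both for the usual mistakes: a wildcard principal, trusting a whole account via its root ARN, an in-Organization principal without aws:PrincipalOrgID, and a third-party principal without sts:ExternalId. The account IDs, role names and Organization ID are assumptions.

```python
"""Lint an IAM role trust policy for common over-permissive patterns.
Added example; account IDs, role names and the org ID are made up."""

OUR_ORG_ID = "o-exampleorg12"                       # assumed Organization ID
OUR_ACCOUNTS = {"111111111111", "222222222222"}     # assumed member accounts


# Constructed: trusts every principal in an external account, no conditions.
WEAK_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::333333333333:root"},
        "Action": "sts:AssumeRole"}]}

# Constructed: same purpose, but each caller is pinned to one role; the partner
# must present an External ID and the in-org caller is bound to our org ID.
HARDENED_TRUST = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::333333333333:role/PartnerAuditRole"},
         "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"sts:ExternalId": "a1b2c3-partner-audit"}}},
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:role/DeployRole"},
         "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": OUR_ORG_ID}}},
    ]}


def _account_of(arn):
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_trust_policy(policy):
    """Return (statement_index, finding) tuples; an empty list means clean."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        # Collect condition keys across all operators (StringEquals, StringLike, ...).
        cond_keys = {k for op in stmt.get("Condition", {}).values() for k in op}
        for p in principals:
            if p == "*":
                findings.append((i, "wildcard principal: any AWS account can assume this role"))
                continue
            acct = _account_of(p)
            if p.endswith(":root"):
                findings.append((i, f"whole-account trust for {acct}: scope to a specific role or user"))
            if acct in OUR_ACCOUNTS:
                if "aws:PrincipalOrgID" not in cond_keys:
                    findings.append((i, f"in-org principal {acct} not bound with aws:PrincipalOrgID"))
            elif "sts:ExternalId" not in cond_keys:
                findings.append((i, f"third-party account {acct} trusted without sts:ExternalId"))
    return findings


if __name__ == "__main__":
    for name, policy in [("weak", WEAK_TRUST), ("hardened", HARDENED_TRUST)]:
        print(name, lint_trust_policy(policy) or "clean")
```

Run the linter over a role's trust document (for example the output of `aws iam get-role`) before granting any cross-account access; the whole-account and missing-External-ID findings are the ones that turn a partner integration into a confused-deputy problem.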
5. Centralize Logging and Monitoring
Implement centralised logging and monitoring to gain visibility and security across all accounts. Consider the following:
Use an AWS CloudTrail organization trail, created from the management account, to deliver audit and access logs from every member account to a single S3 bucket in the logging account, and forward them to Amazon CloudWatch Logs where you need alarms on them.
Implement a Security Information and Event Management (SIEM) solution to aggregate and analyse logs from multiple accounts.
Set up alarms and notifications to quickly respond to security events.
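Once the trails land in one place, the alarms in the last point come down to rules over the aggregated records. The block below is an added example, not AWS code and not from the original article: it runs three illustrative detections (logging or GuardDuty being disabled, an account trying to leave the Organization, and root-user activity) over a handful of constructed CloudTrail records from two assumed member accounts, keeping a denied attempt as a finding because a blocked call is still a signal.

```python
"""Run detection rules over CloudTrail records aggregated from several
accounts. Added example; the records below are constructed and the rule
set is illustrative, not exhaustive."""
import json

# Constructed sample (JSON lines): one benign event and four that warrant an alert.
SAMPLE_RECORDS = r"""
{"eventTime":"2024-01-10T09:00:01Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","recipientAccountId":"222222222222","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::222222222222:assumed-role/DeployRole/ci"},"awsRegion":"eu-west-1"}
{"eventTime":"2024-01-10T09:05:13Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","recipientAccountId":"111111111111","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111111111111:user/dev-bob"},"awsRegion":"us-east-1"}
{"eventTime":"2024-01-10T09:07:44Z","eventSource":"organizations.amazonaws.com","eventName":"LeaveOrganization","recipientAccountId":"111111111111","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111111111111:user/dev-bob"},"awsRegion":"us-east-1","errorCode":"AccessDenied"}
{"eventTime":"2024-01-10T09:30:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","recipientAccountId":"222222222222","userIdentity":{"type":"Root","arn":"arn:aws:iam::222222222222:root"},"awsRegion":"us-east-1"}
{"eventTime":"2024-01-10T09:31:00Z","eventSource":"guardduty.amazonaws.com","eventName":"DeleteDetector","recipientAccountId":"222222222222","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::222222222222:assumed-role/AdminRole/alice"},"awsRegion":"eu-west-1"}
"""

# API calls that reduce visibility, keyed by the service that emits them.
LOG_TAMPERING = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"},
    "guardduty.amazonaws.com": {"DeleteDetector", "DisassociateFromAdministratorAccount"},
    "config.amazonaws.com": {"StopConfigurationRecorder", "DeleteDeliveryChannel"},
}

RULES = [
    ("log-tampering",
     lambda e: e["eventName"] in LOG_TAMPERING.get(e["eventSource"], ())),
    ("org-membership-change",
     lambda e: e["eventSource"] == "organizations.amazonaws.com"
     and e["eventName"] in {"LeaveOrganization", "RemoveAccountFromOrganization"}),
    ("root-activity",
     lambda e: e.get("userIdentity", {}).get("type") == "Root"),
]


def detect(jsonl):
    """One finding per (rule, record) match, tagged with the account and
    whether the call was denied (a blocked attempt still deserves a look)."""
    findings = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        for rule, predicate in RULES:
            if predicate(event):
                findings.append({
                    "rule": rule,
                    "account": event["recipientAccountId"],
                    "event": event["eventName"],
                    "actor": event.get("userIdentity", {}).get("arn", "?"),
                    "denied": "errorCode" in event,
                    "time": event["eventTime"],
                })
    return findings


def by_account(findings):
    """Group rule hits per account, the view a central security account wants."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["account"], []).append(f["rule"])
    return grouped


if __name__ == "__main__":
    hits = detect(SAMPLE_RECORDS)
    for f in hits:
        print(f"{f['time']} {f['account']} {f['rule']:22} {f['event']:18} "
              f"{'DENIED' if f['denied'] else 'ok'} {f['actor']}")
    print(by_account(hits))
```

Note that StopLogging and LeaveOrganization here are exactly the actions a root-level SCP would deny; the detection still fires on the denied attempt, which is the point of keeping a rule alongside the guardrail. In production the same logic would sit in a CloudWatch Logs metric filter, an EventBridge rule or the SIEM rather than a script.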
6. Establish a Budget and Cost Management Strategy
With multiple accounts, managing costs becomes crucial. Create a budget and cost management strategy that includes the following:
Implementing AWS Cost Explorer to track spending and forecast costs.
Utilising AWS Budgets to set cost and usage alerts.
Allocating costs to different accounts and business units for accountability.
7. Regularly Review and Audit Your AWS Organization
Maintaining a well-organised AWS Organization is an ongoing process. Schedule regular reviews and audits to:
Ensure compliance with organisational policies and security standards.
Optimise costs by identifying underutilised or idle resources.
Adapt to changing business requirements and account structures.
A potential solution: Control Tower
Of course, a special mention should be made about AWS Control Tower, which sets up a multi-account landing zone with many of the guardrails described above preconfigured. It is out of the scope of this article (an article on it will be published later); in the meantime, see the best practices that AWS publishes for it.
Conclusion
Designing an AWS Organization with many accounts requires careful planning and ongoing management. By following these design considerations, you can create a robust and secure organizational structure that aligns with your business needs, enhances security, and maximises the efficiency of your cloud resources. When designed thoughtfully, AWS Organizations can empower your organisation to scale and innovate with confidence in the cloud.
This article aims to be a "food for thought" article, and articles published at a later point in time will address some solutions in more detail.