Note: This content was originally published at the Simple AWS newsletter. Understand the Why behind AWS Solutions. Subscribe for free! 3000 engineers and tech experts already have.
Managing Multiple AWS Accounts with Organizations and Control Tower
Services involved:
AWS Organizations: An account management service that lets you consolidate multiple AWS accounts into an organization that you create and centrally manage. It includes consolidated billing and centralized security with Service Control Policies.
AWS Control Tower: A service that helps you set up and govern a secure, multi-account AWS environment. It is an opinionated architecture that builds out a multi-account architecture with pre-configured security and access settings.
Each AWS Account should serve one single purpose and hold one workload (one environment for one application, for example the production environment for App 1). Accounts are grouped into Organizational Units (OUs).
This is an example account structure:
Benefits of using AWS Organizations
- Consolidated billing: You only put your credit card details in the root account, and all AWS bills from all accounts are billed to the root account.
- Centralized management: You can create new accounts and manage existing accounts from the Organizations console in the root account.
- Improved security: Using Service Control Policies.
How to set up an Organization
- Create a new AWS account. This is going to be the root account of your Organization.
- Set up an Organization in that account. There are two ways to do it:
  - Set it up with Control Tower (preferred method)
  - Manually create the Organization
- Create Organizational Units. Use them to group your accounts, for example by project.
- Set up the following shared accounts (don't worry, accounts are free):
  - Log archive: You'll send all logs into this account, for centralized management and security.
  - Security: For security access and audits.
  - Shared services: This account will hold anything that can be shared across accounts, such as CI/CD pipelines.
- Set up one account per environment per project. For example, if you have 2 projects called Project 1 and Project 2, each with development and production environments, you'd set up the following accounts: Project 1 dev, Project 1 prod, Project 2 dev, Project 2 prod. Make sure these are set up in the correct Organizational Unit, for example Project 1 OU for all Project 1 accounts.
- Set up Service Control Policies.
- Don't use the root account for anything else.

If you already have an account with existing resources, create a new account to use as the root, and invite your existing account into the Organization.
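The Service Control Policies step is where the OU structure pays off: an SCP attached to an OU applies to every account under it, and an action is only permitted for an account if every level on the path from the root down to the account allows it and none of them explicitly denies it. The following is an added example, not code from the original article or from AWS. It is a simplified SCP evaluator that models that rule over a constructed hierarchy (Root, a "Workloads" OU, "Project 1 OU", and the "Project 1 prod" account) with three constructed guardrails: deny leaving the Organization, deny stopping CloudTrail, and deny activity outside two approved regions. The policy documents, OU names and approved regions are all assumptions made for the illustration; only `StringEquals`/`StringNotEquals` conditions on `aws:RequestedRegion` are supported.

```python
"""Simplified AWS Service Control Policy (SCP) evaluator.

Added example, not from the original article. Models the SCP rule that an
action is permitted for an account only when every layer on the path
root -> OU -> ... -> account allows it and no layer explicitly denies it.
Policies, OU names and regions below are constructed for illustration.
Only StringEquals / StringNotEquals conditions are implemented, and every
condition key referenced must be present in the request context.
"""
import fnmatch

# The default SCP that Organizations attaches to every root, OU and account.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed guardrails for the workload OUs (assumption, not a real AWS policy):
# keep accounts in the Organization, keep CloudTrail running, and keep all
# regional activity in two approved regions while exempting global services.
WORKLOAD_GUARDRAILS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyLeavingOrganization", "Effect": "Deny",
         "Action": ["organizations:LeaveOrganization"], "Resource": "*"},
        {"Sid": "ProtectCloudTrail", "Effect": "Deny",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
         "Resource": "*"},
        {"Sid": "DenyUnapprovedRegions", "Effect": "Deny",
         "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*"],
         "Resource": "*",
         "Condition": {"StringNotEquals": {
             "aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}},
    ],
}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(action, patterns):
    """Case-insensitive IAM wildcard match of an action against patterns like 's3:*'."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _statement_matches(stmt, action, context):
    """True if the statement applies to this request (Action/NotAction and Condition)."""
    if "Action" in stmt and not _action_matches(action, stmt["Action"]):
        return False
    if "NotAction" in stmt and _action_matches(action, stmt["NotAction"]):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            actual = context[key]  # KeyError on purpose: missing-key semantics are out of scope
            expected = _as_list(expected)
            if operator == "StringEquals" and actual not in expected:
                return False
            if operator == "StringNotEquals" and actual in expected:
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise NotImplementedError(f"unsupported condition operator {operator}")
    return True


def evaluate_layer(policies, action, context):
    """Evaluate all SCPs attached at one level: explicit Deny wins, else an Allow is required."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if _statement_matches(stmt, action, context):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def is_permitted(path, action, context):
    """path is a list of (level name, [policies]) from the root down to the account.

    Returns (permitted, reason). The action is permitted only if every level allows it.
    """
    for name, policies in path:
        result = evaluate_layer(policies, action, context)
        if result != "Allow":
            return False, f"{result} at {name}"
    return True, "allowed at every level"


# Constructed path from the Organization root down to the Project 1 prod account.
PATH_TO_PROJECT1_PROD = [
    ("Root", [FULL_AWS_ACCESS]),
    ("Workloads OU", [FULL_AWS_ACCESS, WORKLOAD_GUARDRAILS]),
    ("Project 1 OU", [FULL_AWS_ACCESS]),
    ("Project 1 prod", [FULL_AWS_ACCESS]),
]

if __name__ == "__main__":
    for action, region in [("s3:GetObject", "us-east-1"),
                           ("s3:GetObject", "ap-southeast-2"),
                           ("organizations:LeaveOrganization", "us-east-1"),
                           ("cloudtrail:StopLogging", "eu-west-1"),
                           ("iam:CreateUser", "ap-southeast-2")]:
        ok, why = is_permitted(PATH_TO_PROJECT1_PROD, action, {"aws:RequestedRegion": region})
        print(f"{action:35} {region:16} {'PERMITTED' if ok else 'DENIED':10} ({why})")
```

Two details are worth noticing when you run it. First, `iam:CreateUser` from an unapproved region is still permitted because IAM is a global service and is exempted through `NotAction`; without that exemption the region guardrail would break IAM, STS and Organizations calls. Second, if you remove `FULL_AWS_ACCESS` from any level on the path, every action reports `ImplicitDeny` at that level, which is why detaching the default policy from an OU without attaching a replacement Allow locks out every account beneath it.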
Resources
A Secure Cloud's Service Control Policies are a great starting point for setting up your own Service Control Policies. Even if you know what you're doing, check them out.
If you'd like to know more about me, you can find me on LinkedIn or at www.guilleojeda.com