Following on from the 'Landing Zones, Organizations, OUs and Multi-Account Environments' blog, I decided to "practice what I preach" with my personal AWS accounts!
Currently I have 5-10 accounts for different workloads (spikes, storage of personal data, web app hosting, etc.); I have had these accounts for many years and I manually used AWS Organizations via the Console to create and manage them.
No guardrails or SCPs have been implemented, I have probably deployed and configured some AWS services wrong, and I have probably created IAM users with broad (*) permissions.
The purpose of this blog is to address the above concerns: to refactor my accounts into a Landing Zone that follows AWS best practices.
The diagram below shows my current account structure.
Taken from the org-formation GitHub repository: AWS Organization Formation is an Infrastructure as Code (IaC) tool for AWS Organizations.
org-formation orchestrates CloudFormation and AWS Organizations for account creation and resource provisioning.
Task files can be added to enable a variety of automated features, such as:
- OrganizationAccountAccessRole restrictions (SCPs)
- Budget alarms
- AWS access key rotation checks
- Enabling CloudTrail
- Centralising and enabling GuardDuty
- Many IAM configurations (password policy, enforcing MFA)
- Many S3 configurations (prohibiting public read and write access, enabling encryption)
- VPC security groups conforming to a (user-defined) allow list
This feature list is what I intend to implement on my Accounts.
For the full list of available org-formation features, please refer to the 40 MB PDF.
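As an added example of how those task-file features hang together (this is my illustration, not code from the post or from the DAPx accelerator), here is the shape of a minimal org-formation project: an `organization.yml` that declares the target OUs, adopts the existing accounts, and attaches two SCPs at the root, followed by an `organization-tasks.yml` that applies it and then rolls a budget-alarm stack into every account. The account IDs, e-mail addresses, the `eu-west-1` region, the `BudgetAlarmThreshold` tag and the `./templates/budget-alarms.yml` path are placeholders I have chosen.

```yaml
# organization.yml  (added example; account IDs and e-mail addresses are placeholders)
AWSTemplateFormatVersion: '2010-09-09-OC'
Organization:
  MasterAccount:
    Type: OC::ORG::MasterAccount
    Properties:
      AccountName: Management
      AccountId: '111111111111'          # placeholder: the existing management account
  OrganizationRoot:
    Type: OC::ORG::OrganizationRoot
    Properties:
      ServiceControlPolicies:            # attached at the root, so every OU inherits them
        - !Ref DenyLeaveOrganization
        - !Ref ProtectSecurityServices
  SecurityOU:
    Type: OC::ORG::OrganizationalUnit
    Properties:
      OrganizationalUnitName: Security
      Accounts:
        - !Ref LogArchiveAccount
  WorkloadsOU:
    Type: OC::ORG::OrganizationalUnit
    Properties:
      OrganizationalUnitName: Workloads
      Accounts:
        - !Ref WebHostingAccount
  LogArchiveAccount:                     # an existing account is adopted by its AccountId
    Type: OC::ORG::Account
    Properties:
      AccountName: LogArchive
      AccountId: '222222222222'          # placeholder
      Tags:
        BudgetAlarmThreshold: 20         # read by templates via !GetAtt CurrentAccount.Tags.<name>
  WebHostingAccount:                     # a new account is created from a RootEmail instead
    Type: OC::ORG::Account
    Properties:
      AccountName: WebHosting
      RootEmail: aws-webhosting@example.com   # placeholder
      Tags:
        BudgetAlarmThreshold: 50
  DenyLeaveOrganization:
    Type: OC::ORG::ServiceControlPolicy
    Properties:
      PolicyName: DenyLeaveOrganization
      Description: Member accounts cannot remove themselves from the organization
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Deny
            Action: organizations:LeaveOrganization
            Resource: '*'
  ProtectSecurityServices:
    Type: OC::ORG::ServiceControlPolicy
    Properties:
      PolicyName: ProtectSecurityServices
      Description: Only the org-formation role may switch off logging and detection
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Deny
            Action:
              - cloudtrail:StopLogging
              - cloudtrail:DeleteTrail
              - config:StopConfigurationRecorder
              - config:DeleteDeliveryChannel
              - guardduty:DeleteDetector
              - guardduty:DisassociateFromAdministratorAccount
            Resource: '*'
            Condition:                   # exempt the role org-formation itself assumes
              ArnNotLike:
                aws:PrincipalARN: arn:aws:iam::*:role/OrganizationAccountAccessRole
---
# organization-tasks.yml  (run with: org-formation perform-tasks organization-tasks.yml)
OrganizationUpdate:
  Type: update-organization
  Template: ./organization.yml
BudgetAlarms:                            # ./templates/budget-alarms.yml is assumed to exist
  Type: update-stacks
  DependsOn: OrganizationUpdate
  Template: ./templates/budget-alarms.yml
  StackName: budget-alarms
  DefaultOrganizationBindingRegion: eu-west-1
  DefaultOrganizationBinding:
    Account: '*'
    IncludeMasterAccount: true
  Parameters:
    alertEmail: alerts@example.com       # placeholder
```

Two caveats a practitioner should keep in mind. First, SCPs never apply to the management account, so the `ProtectSecurityServices` policy protects the members only; the management account still needs its own controls (MFA, no long-lived access keys). Second, the `ArnNotLike` condition exists because org-formation does all of its work by assuming `OrganizationAccountAccessRole` in each member account; deny that role and the next `perform-tasks` run will fail, which is the "OrganizationAccountAccessRole restrictions" item on the list above seen from the other side. For an organization that already exists, `org-formation init` generates a first `organization.yml` from the live state, which is the starting point for adopting existing accounts rather than hand-typing their IDs.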
Control Tower? Terraform? CloudFormation? org-formation? CDK?...
- It is not the purpose of this post to go into detailed comparisons of these tools.
I am an AWS Architect at Version 1, and I have experienced all of the above tools being used to produce Landing Zones for clients.
One of the Version 1 DAPx Landing Zone Accelerators is built upon org-formation; I have used this for my Landing Zone.
- It is not the purpose of this post to sell DAPx; please message me if you would like to know more about DAPx.
The diagram below shows the target account structure, aligned to the best practices and architecture detailed in the 'Landing Zones, Organizations, OUs and Multi-Account Environments' blog.
org-formation is a highly flexible and powerful toolkit; to prevent content bloat I will provide only a few code/console snippets for the key features.
- Centralised AWS Config in the Master Account: AWS Config in the Master Account has visibility into all member/child accounts.
- The LogArchive bucket is in the LogArchive Account and has access restrictions and clear-down (retention) policies by default.
- AWS Config findings alerts (including an SNS topic by default); all AWS Config managed rules are available to use.
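To make the three points above concrete, here is an added example of the kind of org-formation template that implements them; it is my illustration, not the post's own snippets or the DAPx accelerator's code. It assumes an `organization.yml` at `../organization.yml` that defines the logical names `MasterAccount` and `LogArchiveAccount`, uses `eu-west-1` as the region, and adds one managed rule, `IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS`, because that rule targets exactly the broad `*` permissions mentioned at the top of the post. The SNS topic for findings is left out to keep the example short.

```yaml
# templates/central-config.yml (added example; paths and logical names are assumptions)
AWSTemplateFormatVersion: '2010-09-09-OC'
Organization: !Include ../organization.yml  # must define MasterAccount and LogArchiveAccount
OrganizationBindings:
  LogArchiveBinding:           # only the account that owns the log bucket
    Account: !Ref LogArchiveAccount
    Region: eu-west-1
  MasterBinding:               # only the management account, which runs the aggregator
    IncludeMasterAccount: true
    Region: eu-west-1
  AllAccountsBinding:          # every member account plus the management account
    Account: '*'
    IncludeMasterAccount: true
    Region: eu-west-1
Resources:
  ConfigLogBucket:             # LogArchive account: one bucket with a clear-down rule
    Type: AWS::S3::Bucket
    OrganizationBinding: !Ref LogArchiveBinding
    Properties:
      LifecycleConfiguration:
        Rules:
          - Id: ExpireAfterOneYear
            Status: Enabled
            ExpirationInDays: 365
  ConfigLogBucketPolicy:       # the two grants AWS Config needs to deliver into the bucket
    Type: AWS::S3::BucketPolicy
    OrganizationBinding: !Ref LogArchiveBinding
    Properties:
      Bucket: !Ref ConfigLogBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: config.amazonaws.com }
            Action: s3:GetBucketAcl
            Resource: !GetAtt ConfigLogBucket.Arn
          - Effect: Allow
            Principal: { Service: config.amazonaws.com }
            Action: s3:PutObject
            Resource: !Sub '${ConfigLogBucket.Arn}/AWSLogs/*/Config/*'
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control
  ConfigRecorderRole:          # every account: the role the recorder runs as
    Type: AWS::IAM::Role
    OrganizationBinding: !Ref AllAccountsBinding
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: config.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWS_ConfigRole
  ConfigRecorder:              # every account: record everything, IAM (global) included
    Type: AWS::Config::ConfigurationRecorder
    OrganizationBinding: !Ref AllAccountsBinding
    Properties:
      RoleARN: !GetAtt ConfigRecorderRole.Arn
      RecordingGroup:
        AllSupported: true
        IncludeGlobalResourceTypes: true
  ConfigDeliveryChannel:       # every account: deliver into the LogArchive bucket
    Type: AWS::Config::DeliveryChannel
    OrganizationBinding: !Ref AllAccountsBinding
    Properties:
      S3BucketName: !Ref ConfigLogBucket   # cross-account reference, resolved by org-formation
  NoAdminPolicyRule:           # every account: flag IAM policies that allow '*' on '*'
    Type: AWS::Config::ConfigRule
    OrganizationBinding: !Ref AllAccountsBinding
    DependsOn: ConfigRecorder
    Properties:
      ConfigRuleName: iam-policy-no-statements-with-admin-access
      Source:
        Owner: AWS
        SourceIdentifier: IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS
  AggregatorRole:              # management account: lets Config read the organization
    Type: AWS::IAM::Role
    OrganizationBinding: !Ref MasterBinding
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: config.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations
  OrganizationAggregator:      # management account: one view over all accounts and regions
    Type: AWS::Config::ConfigurationAggregator
    OrganizationBinding: !Ref MasterBinding
    Properties:
      ConfigurationAggregatorName: organization-aggregator
      OrganizationAggregationSource:
        RoleArn: !GetAtt AggregatorRole.Arn
        AllAwsRegions: true
```

A few things to check before running this against real accounts. The `!Ref ConfigLogBucket` inside `ConfigDeliveryChannel` points at a resource in a different account; org-formation wires that up for you, but plain CloudFormation would not. The organization aggregator only works once AWS Config has trusted access in the organization (`aws organizations enable-aws-service-access --service-principal config.amazonaws.com`), and AWS Config also supports registering a member account as delegated administrator if you would rather not run the aggregator in the management account. An account that already has a console-created recorder will fail stack creation, because AWS Config allows one recorder per region, so delete or import those first. Finally, the bucket policy as written lets AWS Config from any AWS account write under `AWSLogs/`; tighten the `PutObject` statement with an `aws:SourceAccount` (or `aws:SourceOrgID`) condition so only your own accounts can deliver into the bucket, and add an explicit `PublicAccessBlockConfiguration` if you want the bucket's access restrictions pinned in code rather than relying on the S3 default.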
Once I have remediated these I will feel a lot better about the security of my AWS accounts!
Thank you for reading, constructive feedback is welcomed.