Businesses that are just getting started with AWS, expanding their footprint on AWS, or looking to improve an existing AWS environment should consider the most recent recommendations for organizing their AWS environments.
AWS customers are seeking a strategy to build out their cloud foundations so that they can deploy production workloads as they establish their AWS Cloud presence. Many customers also want the ability to build and move rapidly while remaining secure.
Customers might have multiple teams with different security and compliance controls that need to be isolated from one another. Some may have wholly different business processes or belong to multiple business lines that require cost transparency.
Customers require precise security boundaries, direct control and visibility of their limits and any throttling, and complete billing separation that allows expenses to be mapped directly to the underlying projects. The isolation built into an AWS account can help you meet these requirements.
Using several AWS accounts to isolate and manage your business applications and data can help you achieve operational excellence, security, reliability, and cost efficiency, which are most of the pillars of the AWS Well-Architected Framework.
Accounts in AWS Environment
An AWS account holds your cloud resources and data and serves as an isolation boundary for identity and access control. When two accounts need to share resources or data, you must explicitly grant that access.
By default, no access to accounts is permitted. As an example, if you create separate accounts for your production and non-production resources and data, no access across those environments is allowed by default.
The number of accounts that best matches your requirements can range from a few to hundreds, if not thousands. Managing numerous accounts calls for automation to reduce operational complexity.
Automation also helps you keep the accounts aligned with your security, governance, and operational requirements. AWS does not charge per account; instead, you incur charges based on the resources used, regardless of how many accounts you have.
Stages of Adoption of Multiple Accounts in AWS Environment
AWS has defined a standard set of stages for cloud adoption based on its experience working with thousands of customers. These best practices should help you meet your needs as you move forward with your cloud deployment.
You can start with a simple AWS configuration and gradually build and evolve it to acquire experience and expand your adoption. For example, if your firm is new to AWS, you might begin by creating one or more personal or team-managed accounts.
This work is typically done informally before more concentrated efforts to assess the value of AWS are conducted. There is often little investment made in organising and rationalising the number and purpose of accounts at this experimental and often informal stage.
Stages of Cloud Adoption
Project Stage
During the project stage of AWS adoption, you formalise your plans for your first few production deployments. It’s typical to start with a cloud foundation that satisfies your security, governance, and operational needs.
A workload is a collection of components that work together to provide business value. A workload is typically the level of detail at which business and technology leaders discuss what is running in the cloud. Some examples of workloads are:
● Marketing websites
● Ecommerce websites
● Mobile app backends
● Analytic platforms
Workloads range in architectural complexity from static websites to complex microservices, each with its own requirements for identifying costs and billing. Rather than using a single account and splitting responsibilities within it, we advocate using multiple accounts. This strategy is intended to make it easier for you to fulfil your objectives.
Based on the success of those first few workloads, you’ll probably want to increase your use of AWS to reap even more business benefits. This motivation frequently leads to the adoption foundation stage.
Foundation Stage
Before dramatically growing adoption, invest in strengthening your basic cloud capabilities. Formalizing and expanding the structure of your AWS accounts to meet the needs of onboarding more teams and workloads is a frequent element of laying the groundwork for your AWS foundation.
At this stage, you need to design and prepare to manage your AWS environment to scale to meet your needs with no corresponding linear increase in headcount. As you plan for and perform large-scale migrations and deploy net-new cloud-native workloads, you can continue adjusting and enhancing your approach to using multiple accounts.
Design Principles for Organizing your AWS accounts
The following design principles apply to managing multiple accounts in an AWS environment. You can also use them to guide your initial account design and to strengthen it over time.
1. Organize based on security and operational needs
We recommend organizing accounts into OUs based on function, compliance requirements, or a common set of controls, rather than mirroring your organization’s reporting structure.
2. Instead of accounts, apply security guardrails to OUs
Where feasible, apply security guardrails such as SCPs to OUs rather than to individual accounts, so that you can more efficiently manage the distribution of controls across accounts that have the same or similar requirements.
3. Avoid deep OU hierarchies
Overly complex structures can be difficult to comprehend and maintain. Although AWS Organizations supports up to five levels of nested OUs, the recommended structure uses OUs only where they are necessary.
4. Start small and expand as needed
When your demands cause the formation of new OUs, you can expand the structure of your AWS accounts. You shouldn’t have to spend a lot of time at the start of your adoption journey planning out how your AWS account structure will appear in a few years.
5. Avoid deploying workloads to the organization’s management account
Since privileged operations can be performed within an organization’s management account and SCPs do not apply to the management account, we recommend you limit access to an organization’s management account.
You should also restrict the cloud resources and data in the management account to only those that must be managed in the management account.
6. Separate production from non-production workloads
Keep production and non-production workloads in separate accounts. To support your production workloads, we recommend assigning a single workload, or a small set of closely related workloads, to each production account.
Consider separating workloads with different owners into their own production accounts to simplify access management, streamline change approval processes, and limit the impact of a misconfiguration.
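To make principles 2, 3, 5 and 6 concrete, here is a small model of how SCPs attached to OUs bound the accounts beneath them. This is an added example written for this article, not code from AWS: the organization tree, OU names, account ids and policies are constructed placeholders, and the evaluator implements the documented SCP semantics in simplified form (an action is allowed in a member account only if every SCP layer from the root down to the account allows it and none explicitly denies it; the management account is never constrained). Resource and Condition elements of real SCPs are left out to keep the model short.

```python
"""Model of SCP inheritance across an AWS Organizations OU tree.

Added example for this article, not AWS code.  Everything below is
constructed: the tree, the placeholder account ids and the guardrails.
"""
from fnmatch import fnmatchcase

# --- constructed organization tree (child -> parent; the root has none) ---
PARENT = {
    "ou-security": "root",
    "ou-workloads": "root",
    "ou-prod": "ou-workloads",
    "ou-nonprod": "ou-workloads",
    "111111111111": "ou-security",   # log-archive account (placeholder id)
    "222222222222": "ou-prod",       # production workload account
    "333333333333": "ou-nonprod",    # development account
}
MANAGEMENT_ACCOUNT = "999999999999"  # placeholder id; SCPs never apply to it

# The default SCP that AWS attaches at every level.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*"}]}

# Guardrails attached to OUs (principle 2), not to individual accounts.
# Each entry is the list of SCPs attached at that node.
SCPS = {
    "root": [FULL_AWS_ACCESS, {"Statement": [
        # Keep member accounts inside the organization.
        {"Effect": "Deny", "Action": "organizations:LeaveOrganization"},
    ]}],
    "ou-workloads": [FULL_AWS_ACCESS, {"Statement": [
        # Principle 7: humans use federation, so block long-lived IAM users.
        {"Effect": "Deny", "Action": ["iam:CreateUser", "iam:CreateAccessKey"]},
    ]}],
    "ou-prod": [FULL_AWS_ACCESS, {"Statement": [
        # The production audit trail must not be switched off from inside.
        {"Effect": "Deny",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]},
    ]}],
    # Nodes without an entry carry only FullAWSAccess.
}


def path_to_root(node):
    """Return the chain [node, parent, ..., 'root'] for an OU or account."""
    chain = [node]
    while chain[-1] != "root":
        chain.append(PARENT[chain[-1]])
    return chain


def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports '*' wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def layer_allows(policies, action):
    """One layer allows an action iff some Allow matches and no Deny does."""
    allowed = denied = False
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt["Action"]
            if isinstance(actions, str):
                actions = [actions]
            if any(_matches(a, action) for a in actions):
                if stmt["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied


def scp_allows(account, action):
    """Effective decision: the intersection of every layer on the path."""
    if account == MANAGEMENT_ACCOUNT:
        return True  # principle 5: SCPs do not constrain the management account
    return all(layer_allows(SCPS.get(node, [FULL_AWS_ACCESS]), action)
               for node in path_to_root(account))


def denying_layer(account, action):
    """Name the topmost node whose SCPs block the action, or None."""
    if account == MANAGEMENT_ACCOUNT:
        return None
    for node in reversed(path_to_root(account)):  # root first
        if not layer_allows(SCPS.get(node, [FULL_AWS_ACCESS]), action):
            return node
    return None


if __name__ == "__main__":
    checks = [("222222222222", "iam:CreateUser"),
              ("333333333333", "cloudtrail:StopLogging"),
              ("222222222222", "cloudtrail:StopLogging"),
              ("111111111111", "organizations:LeaveOrganization"),
              (MANAGEMENT_ACCOUNT, "organizations:LeaveOrganization")]
    for acct, action in checks:
        print(f"{acct} {action:36s} allowed={scp_allows(acct, action)!s:5s} "
              f"blocked_by={denying_layer(acct, action)}")
```

Running the script shows why the principles fit together: the deny in ou-workloads reaches both the prod and non-prod accounts without being attached to either, the CloudTrail guardrail reaches only the production account, nothing reaches the management account, and a shallow tree keeps it obvious which layer produced a denial.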
7. Use federated access to help simplify managing human access to accounts
We advocate using AWS identity federation features such as AWS Single Sign-On (AWS SSO) or IAM integration with a third-party identity provider. These capabilities let you control human user access to your AWS accounts through a standard identity provider and your existing workflows.
With federated access, your human users obtain temporary credentials for programmatic access to their AWS environments rather than long-term access keys. Federated access also removes the need to create and manage IAM users for humans in your AWS accounts.
8. Use automation to support agility and scale
It’s critical to plan and manage your accounts so that you can respond quickly to business needs without increasing your headcount linearly. If you plan to manage more than a few accounts, you must factor in the time it takes to set up processes and automate them.
Conclusion
By following the principles above, businesses can manage multiple accounts in an AWS environment. For any assistance related to AWS services, Perimattic is always there to help you.