AWS CLOUD MULTI-ACCOUNT

When an organization starts or expands its footprint on the cloud, a well-architected solution will keep environments of multiple business initiatives isolated from each other due to varied security and compliance needs.
In case of AWS Cloud, a proven and successful strategy is to use a well-planned structure with multiple accounts and multiple Organizational Units. It not only defines explicit security boundaries but also facilitate cost mapping to respective projects. With adoption of multi-account strategy comes the challenge of efficiently managing and administering all these accounts. AWS addresses this problem via AWS Organizations and AWS Control Tower.
In this article, I will talk about the design principles for a multi-account environment and benefits of adopting a multi-account strategy.

Principles for designing a multi-account environment- 

• Grouping as per functional and security needs rather than mirroring companies reporting structure

• Application of security guardrails to OU’s rather than accounts for efficient management.

• Abstain from creating deep OU hierarchies unless you find a valid use case.

• Start with a subset of recommended OU’s and expand later as per need.

• No workloads should be deployed in management account.

• Always keep production and non-production workloads in separate accounts.

• If business initiatives call for iterative creation of new accounts, automate the process using standard configurations.

• Adopt MFA(Multi-Factor-Authentication) as a standard mechanism for root as well as all AWS user accounts.

• Use federated access if possible.

Benefits of a multi-account strategy- 

• Workloads can be grouped based on business purpose and ownership.

• Distinct security controls can be applied depending on need of the environment.

• Promotes agility and innovation as you can separate sandbox, development accounts from production workloads.

• Direct mapping of cloud costs to projects.

• Access to sensitive data can be restricted.

• Limits scope of impact of adverse events like misconfiguration, malicious activities, or application related issues.

• Multiple IT operating models (like Traditional Ops, Cloud Ops, DevOps) can co-exist without impacting each other.

• Reduce the impact of AWS Service quotas and API request late limits by distributing workloads in different accounts.