Organize your AWS cloud with multi-account strategy
When an organization starts or expands its footprint on the cloud, a well-architected solution keeps the environments of different business initiatives isolated from each other, because each has its own security and compliance needs.
In the case of AWS Cloud, a proven and successful strategy is a well-planned structure of multiple accounts and multiple Organizational Units (OUs). It not only defines explicit security boundaries but also facilitates mapping costs to the projects that incur them. With adoption of a multi-account strategy comes the challenge of efficiently managing and administering all these accounts. AWS addresses this problem with AWS Organizations and AWS Control Tower.
In this article, I will talk about the design principles for a multi-account environment and the benefits of adopting a multi-account strategy.
Principles for designing a multi-account environment:
- Group accounts as per functional and security needs rather than mirroring the company's reporting structure.
- Apply security guardrails (such as service control policies) to OUs rather than to individual accounts, so that every account in the OU inherits them and management stays efficient.
- Abstain from creating deep OU hierarchies unless you find a valid use case.
- Start with a subset of the recommended OUs and expand later as the need arises.
- No workloads should be deployed in the management account.
- Always keep production and non-production workloads in separate accounts.
- If business initiatives call for iterative creation of new accounts, automate the process using standard configurations.
- Adopt MFA (multi-factor authentication) as a standard mechanism for the root user as well as all AWS user accounts.
- Use federated access if possible.
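Putting the guardrail, management-account and MFA principles together, here is an added example service control policy (SCP), not taken from the article, of the kind you would attach once to an OU (for instance a Workloads OU) rather than to each account: it stops member accounts from leaving the organization, protects CloudTrail logging, and denies IAM users everything except MFA enrolment until they sign in with MFA. The MFA statement is scoped to IAM users only because role sessions created through SAML or web-identity federation carry no `aws:MultiFactorAuthPresent` key and would otherwise be blocked; the OU to attach it to (`aws organizations attach-policy --policy-id <policy-id> --target-id <ou-id>`) is an assumption, and note that SCPs never restrict the management account itself.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLeavingTheOrganization",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    },
    {
      "Sid": "DenyDisablingCloudTrail",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyIamUsersWithoutMfaExceptMfaSetup",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" },
        "ArnLike": { "aws:PrincipalArn": "arn:aws:iam::*:user/*" }
      }
    }
  ]
}
```

Both condition keys must match for the third statement to apply, so a console or CLI session that already presented MFA, and any federated role session, is unaffected.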
Benefits of a multi-account strategy:
- Workloads can be grouped based on business purpose and ownership.
- Distinct security controls can be applied depending on the needs of each environment.
- Promotes agility and innovation, as sandbox and development accounts are kept separate from production workloads.
- Direct mapping of cloud costs to projects.
- Access to sensitive data can be restricted.
- Limits the scope of impact of adverse events such as misconfiguration, malicious activity, or application-related issues to the affected account.
- Multiple IT operating models (like Traditional Ops, Cloud Ops, DevOps) can co-exist without impacting each other.
- Reduces the impact of AWS service quotas and API request rate limits, since each account has its own, by distributing workloads across accounts.