Updated: Jun 7, 2019
Written by: Vicente Aguilar, Cloud Architect and Trainer @ nubeGO
When working on large projects or in big companies, AWS recommends having separate accounts per team, business unit, project or environment (dev/test/prod) instead of just separate VPCs and IAM groups.
Following this multi-account architectural pattern, we gain not only network isolation between different workloads thanks to separate VPCs (which we could also have within a single AWS account), but also independence in administration and resource control, since each AWS account has its own IAM users/policies and its own service limits. But then we face the challenge of managing tens or even hundreds (thousands?) of separate AWS accounts.
AWS Organizations solves this multiple account governance problem by grouping several AWS accounts under a tree-like hierarchy, and providing us with tools to centrally manage different billing, access control and overall governance aspects of the member accounts. Some of these tools include:
One consolidated bill at the end of the month and one single payment method for all the member accounts, instead of one bill per account, while keeping the ability to drill down and visualise costs and usage data per account in the AWS Cost Explorer.
Resource usage aggregation across all member accounts, making it easier to reach higher volume discount levels on resources with a tiered pricing model (like network bandwidth or S3 storage) and thus helping with Cost Optimisation, a pillar of the Well-Architected Framework!
Reserved Instances purchased on any member account are applied across the whole Organisation. This lowers the risk of using standard RIs: if one account decided to switch the EC2 instance type covered by an instance reservation, that reservation would still be applied to EC2 instances of the appropriate type in another member account.
AWS Single Sign-On to centrally manage authentication to all member accounts.
Service Control Policies (SCPs) to control which AWS services can be used in each member account. Do you need to limit service availability per account, or to comply with an internal security policy or an external regulation like HIPAA or PCI DSS? Now you can proactively enforce these controls: SCPs look like IAM policies, but they apply to all principals in the affected accounts, including the root user, effectively whitelisting or blacklisting AWS services so that they cannot be used at all in those accounts.
Some services can be used across the accounts in the organisation for improved governance and monitoring, e.g. AWS CloudTrail to get a consolidated trail, AWS Config for centralised compliance monitoring, or AWS Service Catalog to centralise the management and approval of catalogs of IT services available for deployment in the member accounts.
On top of that, AWS Organizations is just another AWS service, meaning all these features are available through the API and SDKs... so this whole extra governance layer can be automated!
To summarise, AWS Organizations helps us manage and even automate all the configuration, billing, governance, security and compliance concerns that come with a multi-account setup.
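To make the SCP behaviour described above concrete, here is an added example (not code from the original article or from nubeGO) that models how SCPs attached along the tree from the root down to an account combine. The policies, OU names and actions are constructed for illustration; the evaluation is simplified to the Action element only.

```python
import fnmatch
from typing import Iterable, List

# Constructed sample SCPs (not from the original article).
# FullAWSAccess is the default SCP attached to every root, OU and account.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Blacklist SCP attached to a hypothetical "Workloads" OU: nobody in it, the
# root user included, may touch Organizations, Account settings or create IAM users.
DENY_GOVERNANCE = {"Statement": [{"Effect": "Deny",
                                  "Action": ["organizations:*", "account:*", "iam:CreateUser"],
                                  "Resource": "*"}]}

# Whitelist SCP attached to a hypothetical PCI account (FullAWSAccess detached
# there): only these services may be used at all in the account.
ALLOW_PCI = {"Statement": [{"Effect": "Allow",
                            "Action": ["ec2:*", "s3:*", "cloudtrail:*", "iam:*"],
                            "Resource": "*"}]}


def _as_list(value) -> List[str]:
    return [value] if isinstance(value, str) else list(value)


def level_permits(policies: Iterable[dict], action: str) -> bool:
    """All SCPs attached at one level (root, OU or account) are evaluated together:
    the action needs a matching Allow and must hit no matching Deny.
    Simplified: Action element only; Resource, Condition and NotAction are ignored."""
    allowed = denied = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"])):
                if stmt["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied


def effective_permits(path: List[List[dict]], action: str) -> bool:
    """path holds the SCPs attached at each level from the root down to the account.
    An action survives only if every level permits it, so SCPs intersect down the
    tree. SCPs are guardrails, not grants: the calling principal's IAM policy must
    still allow the action for the request to succeed."""
    return all(level_permits(level, action) for level in path)


# Root -> Workloads OU -> PCI account (constructed hierarchy)
PCI_ACCOUNT_PATH = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, DENY_GOVERNANCE], [ALLOW_PCI]]

if __name__ == "__main__":
    for action in ["s3:PutObject", "dynamodb:PutItem", "iam:ListUsers", "iam:CreateUser"]:
        print(f"{action:<20} {'permitted' if effective_permits(PCI_ACCOUNT_PATH, action) else 'blocked by SCP'}")
```

Running it shows the whitelist cutting off DynamoDB at the account level while the OU-level Deny still blocks iam:CreateUser even though the account whitelists iam:*.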
nubeGO are a specialist Cloud and DevOps consultancy, advising and implementing best practices and strategies. With an experienced team, we ensure that the right tools are implemented for the job. As we continue to evolve, we continue to refine our recommendations.
nubeGO offer a powerful set of tools through our range of partnerships in the capacity of being both a reseller and a consultancy. We transform projects delivered through cloud computing by helping clients adopt DevOps practices in collaborative environments.
nubeGO has a presence in the UK, Spain, Argentina and Panama, which puts us in a great position to work with clients in several parts of the world. We provide a consistent approach to evaluating systems against the qualities you expect from modern cloud-based systems, and remediation that would be required to achieve those qualities.
Collaborate with nubeGO to take your Cloud Journey to the next level and get up to 10% of your AWS bill on AWS credits to spend on your infrastructure!