AWS Architecture Blog
Field Notes: Building a Shared Account Structure Using AWS Organizations
For customers considering the AWS Solution Provider Program, there are challenges to mitigate when building a shared account model with SI partners. AWS Organizations makes it possible to build the right account structure to support a resale arrangement. In this engagement model, the end customer gets an AWS invoice from an AWS authorized partner instead of from AWS directly.
Partners and customers who want to engage in this service resale arrangement need to build a new account structure. This process includes linking or transferring existing customer accounts to the partner master account. This is so that all the billing data from customer accounts is consolidated into the partner master account.
While linking or transferring existing customer accounts to the new master account, the partner must verify that the new master account structure does not compromise any customer security controls and continues to give the customer full control of the linked accounts. The new account structure must fulfill the following requirements for both the AWS customer and the partner:
- The customer maintains full access to the AWS organization and is able to perform all critical security-related tasks, except accessing billing data.
- The Partner is able to control only billing information and is not able to perform any other task in the root account (master payer account) without approval from the customer.
- In case of contract breach or termination, the customer is able to regain full control of all accounts, including the master account.
In this post, you will learn about how partners can create a master account with shared ownership. We also show how to link or transfer customer organization accounts to the new organization master account and set up policies that would provide appropriate access to both partner and customer.
Account Structure
The following architecture represents the account structure setup that can fulfill customer and partner requirements as a part of a service resale arrangement.
As illustrated in the preceding diagram, the following list includes the key architectural components:
As a part of resale arrangement, the customer’s existing AWS organization and related accounts are linked to the partner’s master payer account. The customer can continue to maintain their existing master root account, while all child accounts are linked to the master account (as shown in the list).
Customers may have valid concerns about linking or transferring accounts to the partner-owned master payer account and may come up with many ‘what-if’ scenarios, for example “What if the partner shuts down the environment/servers?” or “What if the partner blocks access to child accounts?”.
This account structure provides the right controls to both customer and partner and addresses customer concerns around the security of their accounts. This includes the following benefits:
- Neither the customer nor the partner can access the root account without the other party’s involvement.
- The partner controls the user ID and password for the root account, while the customer holds the MFA token for the account. The customer also controls the phone number and security questions associated with the root account, so the partner cannot replace the MFA token on their own.
- The partner only has billing access and does not control any other part of the account, including child accounts. Any time root account access is needed, the customer and partner teams must collaborate to access it.
- Neither the customer nor the partner can assign new IAM roles to themselves, which protects the initial account setup.
Security considerations in the shared account setup
The following table highlights both customer and partner responsibilities and access controls provided by the architecture in the previous section.
The following points highlight security recommendations to provide adequate access rights to both partner and customers.
- New master payer/ root account has a joint ownership between the Partner and the Customer.
- The AWS account root user credentials (user ID and password) are held by the Partner, and the MFA (multi-factor authentication) device by the Customer.
- An IAM (AWS Identity and Access Management) role is created under the master payer account with the policies “FullOrganizationAccess”, “Amazon S3” (Amazon Simple Storage Service), “CloudTrail” (AWS CloudTrail) and “CloudWatch” (Amazon CloudWatch) for the Customer.
- The Customer security team uses this role to log in and manage the security of the account. Additional permissions can be added to this role as needed in future. This role does not have ANY billing permissions.
- Only the partner has access to AWS billing and usage data.
- An IAM role or user is created under the master payer account with only billing permissions, for the Partner team to log in and download all invoices. This role has no permissions other than billing and usage reports.
- Any root login attempt to the master payer account triggers a notification to the Customer’s SOC team and the Partner’s customer account management team.
- The Partner’s email address is used to create the account so that invoices can be emailed to the partner. The Customer cannot see these invoices.
- The Customer’s phone number is used to create the master account, and the customer maintains the security questions and answers. This prevents the Partner team from replacing the MFA token without informing the customer. The Customer does not need the Partner’s help or permission to log in and manage security.
- No member of the Partner team can log in to the master payer/root account without the Customer providing an MFA token.
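The root-login notification described above, as an added example that is not part of the original post: a detector run over constructed CloudTrail sign-in records, alongside the equivalent EventBridge event pattern. The account ID, IP addresses and timestamps are constructed, and the severity rule is an assumption.

```python
"""Added example (not from the post): flag root-user console sign-ins in CloudTrail
records so both the Customer's SOC team and the Partner's account management team are
notified. The sample records, account ID, IPs and timestamps are constructed."""
import json

# The same detection as an EventBridge event pattern: a rule with this pattern routes
# every root console sign-in, successful or failed, to an SNS topic both teams subscribe to.
ROOT_SIGNIN_EVENT_PATTERN = {
    "source": ["aws.signin"],
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {"eventName": ["ConsoleLogin"], "userIdentity": {"type": ["Root"]}},
}

SAMPLE_CLOUDTRAIL_RECORDS = [  # constructed, one JSON record per line
    '{"eventTime":"2023-04-01T09:12:44Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin",'
    '"userIdentity":{"type":"Root","accountId":"111111111111"},"sourceIPAddress":"203.0.113.10",'
    '"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"Yes"}}',
    '{"eventTime":"2023-04-01T09:15:02Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin",'
    '"userIdentity":{"type":"IAMUser","userName":"soc-analyst","accountId":"111111111111"},'
    '"sourceIPAddress":"198.51.100.7","responseElements":{"ConsoleLogin":"Success"},'
    '"additionalEventData":{"MFAUsed":"Yes"}}',
    '{"eventTime":"2023-04-02T22:40:19Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin",'
    '"userIdentity":{"type":"Root","accountId":"111111111111"},"sourceIPAddress":"192.0.2.55",'
    '"responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MFAUsed":"No"}}',
]

def root_console_logins(lines):
    """One alert per root ConsoleLogin record, successful or not; other sign-ins are ignored."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("eventName") != "ConsoleLogin" or rec.get("userIdentity", {}).get("type") != "Root":
            continue
        outcome = rec.get("responseElements", {}).get("ConsoleLogin", "Unknown")
        mfa = rec.get("additionalEventData", {}).get("MFAUsed", "Unknown")
        alerts.append({
            "time": rec["eventTime"], "account": rec["userIdentity"].get("accountId"),
            "source_ip": rec.get("sourceIPAddress"), "outcome": outcome, "mfa_used": mfa,
            # A failed attempt, or a success without MFA, means the customer-held MFA
            # control was probed or bypassed, so it gets the higher severity (assumed rule).
            "severity": "high" if outcome != "Success" or mfa != "Yes" else "medium",
        })
    return alerts

def notification_text(alert):
    """Message body for the joint Customer SOC / Partner notification."""
    return (f"[{alert['severity'].upper()}] root console login {alert['outcome']} on account "
            f"{alert['account']} at {alert['time']} from {alert['source_ip']} "
            f"(MFA used: {alert['mfa_used']})")
```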
Setting up the shared master AWS account structure
Create a playbook for the account transfer activity based on the following tasks. For each task, identify the owner. Make sure that owners have the right permissions to perform the tasks.
Part I – Setting up new partner master account
1. Create a new Partner Master payee Account.
2. Update the payment details section with the required payment details in the Partner Master payee Account.
3. Enable MFA in the Partner Master payee Account.
4. Update the security and operations contacts in the Partner Master payee Account.
5. Update demographics (address and contact details) in the Partner Master payee Account.
6. Create an IAM role for the Customer team in the Partner Master Payee account. The IAM role is created under the master payer with “FullOrganizationAccess”, “Amazon S3”, “CloudTrail”, “CloudWatch” and “CloudFormationFullAccess” for the Customer SOC team to log in and manage security of the account. Additional permissions can be added to this role in future if needed.
Select the roles:
7. Create an IAM role or user for Partner billing in the Partner Master Payee account.
Part II – Setting up customer master account
1. Create an IAM user in the customer’s master account. This user assumes role into the new master payer/root account.
2. Confirm that when the IAM user from the customer account assumes the role in the new master account, the user does not have billing access.
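The Customer SOC role from Part I step 6 and the no-billing-access check from Part II step 2, as an added example that is not part of the original post: a trust policy that only accepts MFA-backed principals from the customer's master account, a permissions policy with an explicit Deny on billing actions, and a small local evaluator used to confirm the role reaches no billing action before it is created. The account ID is a placeholder and the action lists are assumptions, not the post's own policies.

```python
"""Added example (not from the post): IAM policy documents for the Customer SOC role
in the partner master payer account, plus a small local evaluator to confirm before
deployment that the role reaches no billing action. The account ID is a placeholder."""
from fnmatch import fnmatch

CUSTOMER_MASTER_ACCOUNT_ID = "111111111111"  # placeholder, not a real account

# Trust policy: only principals in the customer's own master account may assume the
# role, and only with MFA present (the customer holds the MFA device).
SOC_ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{CUSTOMER_MASTER_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}

# Permissions policy: the services the post lists for the Customer SOC team, plus an explicit
# Deny on billing, cost and invoice actions, so permissions added later can never open billing
# data to the customer (an explicit Deny beats any Allow in IAM evaluation).
BILLING_ACTIONS = ["aws-portal:*", "billing:*", "payments:*", "invoicing:*", "ce:*", "cur:*"]
SOC_ROLE_PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CustomerSecurityManagement", "Effect": "Allow", "Resource": "*",
         "Action": ["organizations:*", "s3:*", "cloudtrail:*", "cloudwatch:*", "logs:*",
                    "cloudformation:*"]},
        {"Sid": "NoBillingAccess", "Effect": "Deny", "Resource": "*", "Action": BILLING_ACTIONS},
    ],
}

def is_allowed(policy, action):
    """Local approximation of IAM evaluation for an identity policy on Resource "*":
    an explicit Deny always wins, otherwise a matching Allow is required."""
    allowed = False
    for stmt in policy["Statement"]:
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        # IAM matches action names case-insensitively with * and ? wildcards.
        if any(fnmatch(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

BILLING_PROBES = ("aws-portal:ViewBilling", "billing:GetBillingData", "ce:GetCostAndUsage",
                  "cur:DescribeReportDefinitions", "invoicing:GetInvoicePDF")

def billing_actions_reachable(policy, probes=BILLING_PROBES):
    """Return the probe actions the policy would allow; the Part II check expects []."""
    return [a for a in probes if is_allowed(policy, a)]
```

For the deployed role the same check should be repeated with the real evaluator (`aws iam simulate-principal-policy` against the role ARN), since service control policies and permission boundaries also take part in the decision.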
Part III – Creating an organization structure in partner account
1. Create an Organization in the Partner Master Payee Account.
2. Create multiple Organizational Units (OUs) in the Partner Master Payee Account.
3. Enable Service Control Policies from the AWS Organizations Policies menu.
4. Create or copy the service control policies (SCPs) into the Partner Master Payee Account from the Customer root account. Any service control policies from the customer root account must be copied manually to the new partner account.
5. If the customer root account has any special software installed (for example, security software), install the same software in the Partner Master Payee Account.
6. Set alerts in the Partner Master Payee root account. Any login to the root account sends alerts to the customer and partner teams.
7. It is recommended to keep a copy of all billing history and invoices for all accounts to be transferred to the partner organization. This can be achieved by either downloading the CSV or printing all invoices and storing the files in Amazon S3 for long-term archival. Billing history and invoices are found by clicking Orders and Invoices on the Billing & Cost Management Dashboard. After accounts are transferred to the new organization, historic billing data will not be available for those accounts.
8. Remove all the member accounts from the current Customer Root Account/Organization. This step is performed by the customer account admin and is required before an account can be transferred to the Partner Account organization.
9. Send an invite from the Partner Master Payee Account to the delinked member account.
10. Member accounts accept the invite from the Partner Master Payee Account.
11. Move the Customer member account to the appropriate OU in the Partner Master Payee Account.
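The manual SCP copy in Part III, as an added example that is not part of the original post: a script that lists the customer root account's customer-managed SCPs, skips the AWS-managed FullAWSAccess policy and anything already present in the partner account, and creates the rest, with a dry-run mode for review. The Organizations clients are injected, so it runs against `boto3.client("organizations")` or, as here, against a constructed in-memory fake; every policy ID, name and document is made up.

```python
"""Added example (not from the post): copy the customer root account's SCPs into the
partner master payer account, skipping the AWS-managed FullAWSAccess policy and any SCP
already present. Clients are injected, so boto3.client("organizations") works as well as
the constructed in-memory fake below; all IDs, names and policy documents are made up."""
import json

SCP_TYPE = "SERVICE_CONTROL_POLICY"

def customer_managed_scps(org):
    """{name: summary} of non-AWS-managed SCPs, following list_policies pagination."""
    found, kwargs = {}, {"Filter": SCP_TYPE}
    while True:
        page = org.list_policies(**kwargs)
        found.update((p["Name"], p) for p in page["Policies"] if not p.get("AwsManaged"))
        if not page.get("NextToken"):
            return found
        kwargs["NextToken"] = page["NextToken"]

def copy_scps(src_org, dst_org, dry_run=False):
    """Create each customer SCP missing in the destination; return the names copied."""
    existing, copied = customer_managed_scps(dst_org), []
    for name, summary in customer_managed_scps(src_org).items():
        if name in existing:
            continue  # a same-named SCP already exists: leave it for manual review
        content = src_org.describe_policy(PolicyId=summary["Id"])["Policy"]["Content"]
        json.loads(content)  # reject a malformed document before touching the destination
        if not dry_run:
            dst_org.create_policy(Content=content, Description=summary.get("Description", ""),
                                  Name=name, Type=SCP_TYPE)
        copied.append(name)
    return copied

class FakeOrganizations:  # constructed stand-in for the three boto3 Organizations calls above
    def __init__(self, policies):  # policies: list of (summary dict, content JSON string)
        self.policies = {s["Id"]: (s, c) for s, c in policies}
    def list_policies(self, Filter, NextToken=None):
        return {"Policies": [s for s, _ in self.policies.values() if s["Type"] == Filter]}
    def describe_policy(self, PolicyId):
        summary, content = self.policies[PolicyId]
        return {"Policy": {"PolicySummary": summary, "Content": content}}
    def create_policy(self, Content, Description, Name, Type):
        summary = {"Id": f"p-fake{len(self.policies)}", "Name": Name, "Description": Description,
                   "Type": Type, "AwsManaged": False}
        self.policies[summary["Id"]] = (summary, Content)
        return {"Policy": {"PolicySummary": summary}}

def sample_orgs():
    """Constructed customer root org (one custom SCP) and partner master payer org (none yet)."""
    full = ({"Id": "p-FullAWSAccess", "Name": "FullAWSAccess", "Type": SCP_TYPE, "AwsManaged": True},
            '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}')
    deny_leave = ({"Id": "p-cust0001", "Name": "DenyLeaveOrganization", "Type": SCP_TYPE,
                   "AwsManaged": False, "Description": "Member accounts cannot leave the organization"},
                  '{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"organizations:LeaveOrganization","Resource":"*"}]}')
    return FakeOrganizations([full, deny_leave]), FakeOrganizations([full])
```

Copying creates the policies only; attaching them to the right OUs in the partner organization is a separate step that still needs the customer's review.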
Setting the shared security model between partner and customer contact
While setting up the master account, three contacts need to be updated for notification.
- Billing – owned by the Partner
- Operations – owned by the Customer
- Security – owned by the Customer
These contacts receive a notification of any activity on the root account. The contact details contain Name, Title, Email Address and Phone number. It is recommended to use the Customer’s SOC team distribution email for security and operations, and a phone number that belongs to the organization rather than to an individual.
Additionally, before any root account activity takes place, AWS Support will verify using the security challenge questionnaire. These questions and answers are owned by the Customer’s SOC team.
If a customer is not able to access the AWS account, alternate support options are available on the Contact Us page by expanding the “I’m an AWS customer and I’m looking for billing or account support” menu. When contacting AWS Support, all the details listed on the account are needed, including full name, phone number, address, email address, and the last four digits of the credit card.
Clean Up
After recovering the account, the Customer should close any accounts that are not in use. It’s a good idea not to have open accounts in your name that could result in charges. For more information, review Closing an Account in the Billing and Cost Management User Guide.
The Shared master root account should be only used for selected activities referred to in the following document.
Conclusion
In this post, you learned how AWS Organizations features can be used to create a shared master account structure. This helps both customer and partner engage in a service resale business arrangement. Using AWS Organizations and cross-account access, this solution allows customers to control all key aspects of managing the AWS Organization (security, logging and monitoring) and allows partners to control billing-related data.
Additional Resources