Managing the multi-account environment using AWS Organizations and AWS Control Tower
This is the third post in our series about multi-account management. In the first post, Governance, risk, and compliance when establishing your cloud presence, we focus on design considerations for managing in a cloud environment. Our second post, Best Practices for Organizational Units with AWS Organizations, provides guidance for a production-ready organizational unit (OU) structure when creating your organization.
As customers build and deploy workloads, they often use multiple accounts to isolate their resources because they provide natural boundaries for security, access, and billing.
Here are some of the benefits:
- Rapid innovation with various requirements: Accounts can be allocated to teams, workloads, or products. Separate accounts can provide custom environments and accommodate the differing security needs for each team.
- Simplified billing: The use of multiple accounts simplifies how you allocate AWS costs. You can use them to identify which projects or services are responsible for AWS charges.
- Flexible security controls: You can create grouping mechanisms to ensure certain accounts meet compliance requirements, such as HIPAA or PCI DSS.
- Easily adapt to business processes: The use of multiple accounts allows you to set up your IT infrastructure in a way that reflects the needs of your business processes or requirements.
You might start by using a single AWS account, but as you scale across multiple accounts, AWS provides services and tools that can help you manage the cloud environment in an organization. An organization defines a group of AWS accounts, managed by a single management account.
In this post, we’ll discuss how customers can create a production-ready multi-account environment (sometimes referred to as a landing zone) in AWS. We discuss some of the AWS services to use when managing your multi-account environment. We also share implementation recommendations for permissions management, security, and account provisioning.
Services to assist you when building your multi-account environment
Here are the AWS services that you will use to build and administer your multi-account environment:
AWS Organizations provides you with the ability to centrally manage your environment across multiple accounts. You can create and organize accounts in an organization, consolidate costs, and apply policies for custom environments. When paired with other AWS services, you can secure your environment, create and share resources, and centrally manage permissions.
You can use the AWS Organizations console, SDK, or AWS CLI to create an organization, and then add accounts, enable features, and turn on service access to other AWS services so they can operate across your organization. There is no cost to use AWS Organizations. The cost of using other integrated services varies, but is similar to activating the services individually in separate accounts. When you use AWS Organizations, you have the flexibility to build your environment and adopt services step by step.
AWS Control Tower automates many of the steps required to build your environment. It gives you a prebuilt multi-account framework so you can get up and running with just a few clicks. Control Tower abstracts other AWS services to set up and govern the multi-account environment. For example, it creates new accounts automatically, gives you a predefined OU structure, and provisions resources in those accounts to assist you in managing your environment. It also applies managed guardrails, which are rules to govern the environment, using AWS Organizations, AWS Service Catalog, and AWS Config. In addition, you have visibility into your AWS environment from a single dashboard. There is no cost to use Control Tower, but there are costs associated with the AWS services (such as AWS Service Catalog, AWS CloudTrail, and AWS Config) used to manage your environment in Control Tower.
If you are considering building or migrating to a new multi-account environment, we recommend that you become familiar with these two services. AWS Control Tower automates and simplifies many of the provisioning steps for you using other AWS services, saving you time and effort by providing you with a cloud-ready model of governance. If Control Tower does not meet your requirements, you can use AWS Organizations to build your environment step by step, adopting features and services natively based on your implementation design. The services interoperate. Customers who use Control Tower can use AWS Organizations capabilities to activate services across accounts or to apply custom service control policies (SCPs). Similarly, customers who use AWS Organizations natively can extend Control Tower governance by inviting accounts or organizational units (OUs) into their Control Tower environment.
Now we’ll review implementation examples for three common elements in every multi-account cloud environment: permissions management, security, and provisioning new accounts.
Accounts provide a natural security boundary when it comes to separating workloads and services. An effective multi-account environment includes a permissions management strategy that provides access for those who need it and limits access to those who don’t.
AWS Single Sign-On (AWS SSO) is the simplest way to set up custom permissions to accounts in your organization created in AWS Organizations. AWS SSO is a cloud-based service that simplifies how you manage access to accounts and applications. After you create your organization, you can enable AWS SSO in the console when signed into the management account. You can then choose your identity source so that AWS SSO can recognize existing users and groups who need access. By default, AWS SSO gives you a cloud-native identity store that you can use to manage users and groups, but you can connect with an existing external identity source, such as Okta, Microsoft, and Azure Active Directory. After your identity store is connected, you can set up SSO access to accounts in your organization by creating user groups or assigning accounts to users.
AWS SSO provides access boundaries across accounts. However, most organizations likely have corporate guidance that dictates what users can do in the cloud environment. Typically, this guidance is enforced by review mechanisms that seek to limit potential errors or unexpected critical change to workloads. Because setting up correct guidelines programmatically is essential to ensuring that users can scale quickly, AWS provides SCPs.
SCPs allow you to provide highly customizable programmatic boundaries for service actions that can be taken in accounts. For example, if you are required to operate in a specific AWS Region only, you can set up an SCP to ensure resources are only deployed in your approved AWS Regions. To protect sensitive data from being shared externally, you can set S3 bucket policies to private, and then apply an SCP that prevents any changes to the bucket policy. You can assign policies individually to each account, at the OU level, which applies the policy to all accounts in an OU, or to the entire organization automatically.
When you create your Control Tower environment for the first time, the service enables and sets up AWS SSO in your organization for you. It also creates permission sets for AWS services to assist you in managing your environment, such as AWSServiceCatalogAdminFullAccess and AWSOrganizationsFullAccess. In addition, it creates user groups such as AWSSecurityAuditors and AWSLogArchiveViewers, which you can use to assign users based on their roles. It gives those users access to required accounts and resources for managing security and audits.
For managing actions in the cloud, Control Tower sets up guardrails, which are high-level rules that provide ongoing governance for your AWS environment. There are two types of guardrails:
- Preventative guardrails are SCPs that limit actions based on your policies.
- Detection guardrails are AWS Config detection rules paired with AWS Lambda that detect noncompliant resources and alert you through the Control Tower dashboard for remediation.
Some guardrails are applied automatically, but Control Tower also offers recommended guardrails that you can choose to apply to your environment.
Creating a multi-account environment provides many security benefits. Accounts act as containers with resources used for a common purpose. In the event of a security issue or misconfigured resource, the blast radius is reduced to a single account. AWS provides you with capabilities to ensure security standards can be managed and consistently enforced by a central team.
The first step is to create a security OU where you can create multiple security accounts to be used by your security team. For information about recommended security accounts and their purpose, see the Best Practices for Organizational Units with AWS Organizations blog post.
We recommend the Security Tooling account, which hosts applicable security and audit tools, including workloads, services, and supporting data. AWS offers a feature called Delegated Administration, which allows you to designate an account (such as this one) to manage the following AWS security and audit services on behalf of the entire organization.
- AWS Audit Manager automates the continuous collection of evidence to help you audit your use of cloud services.
- AWS Config detects and provides mitigation recommendations for incorrectly configured resources.
- Amazon GuardDuty detects unexpected and potentially unauthorized and malicious activity in your AWS environment.
- Amazon Macie continuously evaluates your content to identify business-critical or potentially confidential data.
- AWS Trusted Advisor identifies opportunities to improve stability, save money, or help close security gaps.
- IAM Access Analyzer helps you identify any resources or data in your AWS environment that are shared with external entities.
- AWS Security Hub provides you with security checks and recommendations across your organization.
After you set up your accounts and delegate services, your security team or users can centrally view and manage security events across your organization.
When you use AWS Control Tower to set up your organization, the service creates a security OU, enables AWS CloudTrail, and creates a LogArchive account that hosts the CloudTrail data. It also creates an Audit account for cross-account auditing and centralized security operations in Control Tower.
You can use Control Tower to create the other recommended security accounts.
To activate security services, you can access the management account of your organization to enable the services at the organizational level, and then delegate administration of AWS security services to your Audit account. For an example, see the Enabling Amazon GuardDuty in AWS Control Tower using Delegated Administrator blog post.
As you are putting a framework in place to scale your workloads, you’ll identify a pattern for creating new accounts based on your criteria. After you create accounts, you need to provision them with permissions, resources, and other configurations to ensure they are ready for use.
To simplify this process, AWS Organizations has native capabilities to create accounts. After you’ve created your organization, you can use the
CreateAccount API in the management account. This API creates an AWS account based on an email address you provide and associates the account and billing information with your organization. You can also invite existing AWS accounts to join your organization.
After you create or invite accounts, you can assign them to OUs based on their intended use.
OUs in your organization provide a structure to help you organize accounts based on policies needed. You can create OUs for specific purposes in your organization, such as an infrastructure OU to host infrastructure accounts, a security OU for security accounts, a sandbox OU for sandbox accounts to test AWS services and features, and a workloads OU to host your workloads. You can also create nested OUs in each OU to separate test and production accounts.
In addition to organizing your account structure, you can apply policies at the OU level. For example, you can create restrictive policies that prevent users from making certain changes in a production OU, but provide more lenient policies for test accounts in the development OU.
A common use case when creating accounts is to provision the new accounts with resources and permissions. These services are integrated with AWS Organizations and can help you get new accounts ready to use:
- AWS Resource Access Manager provides the features that let you make resources available across accounts, such as EC2 capacity reservations, AWS Outposts, Amazon VPC endpoints, and more. When you use AWS RAM to share resources, accounts in the organization can access those resources.
- AWS CloudFormation StackSets gives you the ability to create stacks that can be used across your organization, helping you to set up a new account with the right services, permissions, and tools. This simplifies configurations for cross-accounts permissions and allows for automatic creation and deletion of resources when accounts join or are removed from your organization. You can maintain multiple stacks, and make a single change to a stack to have changes easily applied across accounts.
When you start your organization using Control Tower, the service automatically creates two accounts in your organization. It uses CloudFormation StackSets to apply resources and permissions to these accounts.
For additional accounts, Control Tower provides you with an Account Factory that you can use to create accounts and provision them in your landing zone. Account Factory automatically applies resources and roles to the newly created accounts. For example, it uses the AWS Organizations CreateAccount API to create the account. It then uses CloudFormation StackSets to create resources that automatically apply a trail, IAM roles, CloudWatch logs, guardrails, and Lambda functions, which are used by Control Tower when you are managing your environment. To invite existing accounts into your landing zone, enroll them in Control Tower. You can give multiple users permissions to use Account Factory, which is shared with other AWS accounts using AWS Service Catalog.
In this blog post, we’ve discussed the benefits of managing AWS across multiple accounts. We’ve also introduced many governance services that can assist you when you manage multiple accounts and explained how these services work together to help you achieve your goal of managing a secure and scalable cloud environment. You can use native tools to build your environment from the ground up with AWS Organizations, which requires more upfront effort with full control over every aspect of your environment, or you can get up and running quickly with the automation features and simple UI in AWS Control Tower.
To implement multi-account best practices, use AWS services and familiarize yourself with how they are activated and managed in an organization environment. For cross-account access, use AWS SSO. For security, use features from AWS security services. For simplified account provisioning, pair automation features for resource sharing and permissions. Regardless of your implementation path, understanding the benefits and features of these services will assist you as you build and scale your AWS environment.