Latest Posts

Multi-account governance with AWS Organizations

Posted on by Zubair Shaik

Loading

Multi-Account Governance with AWS Organizations

Introduction

Managing a multi-account architecture in the cloud is a critical challenge for many organizations. As businesses scale, the need to implement governance across multiple accounts becomes more complex. AWS Organizations provides an effective way to manage and govern AWS resources across multiple accounts, offering features like centralized billing, policy enforcement, and simplified management.

This article will explain in detail how to set up and manage governance in a multi-account AWS environment using AWS Organizations. We will cover key aspects such as organizational units (OUs), service control policies (SCPs), consolidated billing, account management, and security best practices.

1. What is AWS Organizations?

AWS Organizations is a service that allows you to create and manage multiple AWS accounts within your organization. It provides centralized billing, governance, and access control for managing these accounts in a scalable and secure manner.

With AWS Organizations, you can:

  • Create accounts programmatically or manually.
  • Group accounts into organizational units (OUs) based on your needs.
  • Apply policies across multiple accounts to enforce security, compliance, and other operational controls.
  • Consolidate billing for all accounts within the organization.

The key benefits of using AWS Organizations include:

  • Simplified account management: Group related accounts for easier management.
  • Centralized billing: Combine costs for all accounts into a single bill.
  • Policy enforcement: Use service control policies (SCPs) to set permission guardrails.
  • Security and compliance: Ensure best practices and security standards across all accounts.

2. Getting Started with AWS Organizations

Before diving into multi-account governance, let’s first set up AWS Organizations and understand its core components.

Step 1: Set Up AWS Organizations

  1. Sign in to AWS: Use the AWS Management Console to sign in to your AWS account.
  2. Create an Organization:
    • Navigate to the AWS Organizations console.
    • Click on “Create Organization” to create a new organization.
    • This will create a management account (previously called the master account) that controls the organization’s settings.

Step 2: Create Accounts within the Organization

You can create additional accounts from within the AWS Organizations console, or you can invite existing AWS accounts to join your organization.

  1. To create new accounts:
    • Navigate to the AWS Organizations console.
    • Click on “Accounts” and then “Add account”.
    • Fill out the required information such as the account name and email address.
    • You can also choose whether to create the account in a specific organizational unit (OU).
  2. To invite existing accounts:
    • Click on “Invite account”.
    • Provide the email address associated with the account you want to invite.
    • The invited account will need to accept the invitation before it becomes part of your organization.

Step 3: Organize Accounts into OUs

Organizational Units (OUs) are containers that help logically group AWS accounts within your organization. You can group accounts based on business units, projects, or environments (e.g., development, staging, production).

  1. Create an OU:
    • Go to the AWS Organizations console.
    • Click on “Organizational units” and then “Create organizational unit”.
    • Give the OU a name and assign AWS accounts to this OU.
    • OUs can be nested within other OUs, allowing you to create a hierarchical structure.

3. Centralized Billing and Cost Management

One of the key features of AWS Organizations is consolidated billing, which allows you to combine the billing for all accounts into a single monthly invoice. This is beneficial because it helps you gain volume discounts and manage costs more effectively.

Step 1: Enable Consolidated Billing

When you create an AWS Organization, consolidated billing is automatically enabled, and the management account will be responsible for paying the bill. All accounts under the organization will be considered as linked accounts.

Step 2: Review Cost and Usage Reports

AWS provides a variety of tools to track and manage costs across multiple accounts:

  • AWS Cost Explorer: Use this tool to analyze costs and usage for your organization.
  • AWS Budgets: Set budgets for your organization or specific accounts to track spending.
  • Cost and Usage Reports (CUR): Get detailed, customizable reports for your usage across all accounts.

Step 3: Set Up Cost Allocation Tags

You can tag resources within your AWS environment to allocate costs to specific departments, projects, or environments. Once enabled, these tags are used to generate detailed billing reports.

4. Implementing Governance with Service Control Policies (SCPs)

Service Control Policies (SCPs) are one of the most powerful governance features in AWS Organizations. They allow you to define permission guardrails across multiple accounts, ensuring that users and resources within those accounts can only access services and actions that are explicitly allowed.

Step 1: Define SCPs

SCPs are JSON-based policies that control which AWS services and actions are allowed or denied within an account or OU. An SCP does not grant permissions; rather, it acts as a filter that restricts the actions that can be performed based on the permissions granted by the account’s IAM policies.

  • Policy Structure: SCPs have two key elements:
    • Allow: Specifies which services and actions are allowed.
    • Deny: Specifies which services and actions are explicitly denied.

Step 2: Attach SCPs to OUs and Accounts

  1. Create SCPs:
    • Go to the AWS Organizations console.
    • Select “Policies” and then click on “Create Policy”.
    • Write the SCP in JSON format.
  2. Attach SCPs:
    • Once the SCP is created, navigate to the “Organizational Units” section.
    • Attach the SCP to an OU, which will apply the policy to all accounts within that OU.

Step 3: Use SCPs for Security Best Practices

Here are some common use cases for SCPs:

  • Prevent users from launching specific EC2 instance types: Use SCPs to restrict the types of EC2 instances that can be launched in certain accounts.
  • Limit access to AWS services: If certain services should not be used in specific accounts, SCPs can be used to deny access to those services.
  • Enforce region restrictions: SCPs can be used to restrict the regions where resources can be deployed, ensuring compliance with regulatory requirements.

5. Implementing IAM Roles and Policies

While SCPs control access at the organizational level, IAM roles and policies govern access within individual accounts. You can use IAM roles to manage permissions for users and services across multiple accounts.

Step 1: Set Up Cross-Account Access with IAM Roles

  1. Create an IAM Role:
    • Navigate to the IAM console within an AWS account.
    • Click “Roles” and then “Create Role”.
    • Choose the “Another AWS account” option, and provide the account ID of the account you want to allow access to.
    • Attach the necessary permissions (e.g., S3 access).
  2. Assume the Role:
    • Users in the target account can assume the IAM role to gain the permissions defined in the role’s policies.
    • Use the sts:AssumeRole API to allow cross-account access.

Step 2: Create Permissions Boundaries

Permissions boundaries allow you to define the maximum permissions that a user or role can have. Even if a user or role has permissions granted through policies, they cannot exceed the permissions defined in the boundary.

  1. Create Permissions Boundary:
    • In the IAM console, create a permissions boundary using a policy that restricts certain actions or resources.
  2. Assign Permissions Boundary to Roles:
    • Assign the permissions boundary to IAM roles to limit the permissions granted to users assuming those roles.

6. Automation and Monitoring of Multi-Account Governance

To ensure continuous governance and compliance, you can automate and monitor your multi-account AWS environment using several AWS services.

Step 1: Use AWS CloudFormation for Infrastructure as Code

AWS CloudFormation allows you to automate the creation and management of resources across accounts. By defining your infrastructure as code, you can ensure that all accounts in your organization adhere to the same standards and configurations.

  • Cross-Account CloudFormation: Use AWS CloudFormation StackSets to deploy the same resources across multiple accounts and regions simultaneously.

Step 2: Use AWS CloudTrail and AWS Config

  • AWS CloudTrail: Enables logging of all API calls made in your AWS environment. Use CloudTrail across all accounts to maintain a centralized log of actions and detect any unauthorized activities.
  • AWS Config: Monitors and tracks resource configurations and compliance across accounts. Use AWS Config rules to enforce governance policies for your resources.

Step 3: Implement Automated Remediation with AWS Lambda

Use AWS Lambda to automatically remediate non-compliant resources or configurations. For example, you can trigger a Lambda function when a non-compliant resource is detected by AWS Config to automatically delete or reconfigure that resource.

7. Best Practices for Multi-Account Governance

To ensure your multi-account environment remains secure, efficient, and compliant, consider the following best practices:

Best Practice 1: Organize Accounts Using OUs

Structure your accounts logically using OUs based on your business units, departments, or workloads. This allows you to manage and apply policies at a granular level.

Best Practice 2: Limit Account Privileges with SCPs

Use Service Control Policies to enforce the principle of least privilege and prevent unnecessary access to AWS services.

Best Practice 3: Implement Strong Security Controls

  • Enable multi-factor authentication (MFA) for all accounts.
  • Use AWS IAM Access Analyzer to ensure that resource policies don’t provide unintended access.
  • Regularly review and rotate access keys and IAM roles.

Best Practice 4: Centralize Logging and Monitoring

Centralize logging and monitoring for all accounts using AWS services like CloudTrail, CloudWatch, and AWS Config to ensure security and compliance.

Best Practice 5: Use Automation

Automate account creation, policy enforcement, and remediation of non-compliant resources to reduce the manual workload and enforce consistent governance.

Conclusion

Managing governance across multiple AWS accounts can be challenging, but with AWS Organizations and the right combination of tools and best practices, you can ensure that your environment is secure, compliant, and cost-effective. By using features like Service Control Policies (SCPs), IAM roles, AWS Config, and CloudTrail, you can maintain control and visibility over your AWS resources, even as your organization scales.

By following the steps outlined in this guide, you can set up a robust multi-account governance framework that not only simplifies your account management but also ensures that your AWS environment follows security, compliance, and cost optimization best practices.

Leave a Reply

Your email address will not be published. Required fields are marked *