
AWS Landscape 1: AWS Organization

Modern enterprises running workloads on AWS benefit greatly from a multi-account strategy. An AWS account is the strongest isolation boundary the platform offers, so spreading workloads across accounts limits the blast radius of a leaked credential or a misconfiguration, simplifies management, and allows precise cost tracking. AWS Organizations provides a centralized framework to manage multiple accounts, enforce governance using Service Control Policies (SCPs), and consolidate billing.

A well-structured AWS Organization ensures:
  • Clear separation between production, security, and non-production environments.
  • Centralized governance for auditing, compliance, and security.
  • Scalability to support growth and automated account provisioning.
  • Simplified cross-account operations for shared services and management.
This structure enables organizations to follow AWS best practices while keeping development and testing environments flexible.

Objective:
Define a robust AWS Organization structure that:
  • Provides centralized management of AWS accounts.
  • Enforces governance and security policies consistently.
  • Enables consolidated billing and cost visibility.
  • Supports scalable growth and automated account provisioning.
We recommend a hierarchical AWS Organization structure using Organizational Units (OUs) to separate workloads by environment and 

Root (Master Payer / management account only; the root is the top of the organization, not an OU)
├── Production OU
│   └── Production Account (e.g., prd-web-001)
├── Security OU
│   ├── Security Account
│   ├── Logging Account
│   ├── Shared Services Account
│   └── Network Services Account
└── Non-Production OU
    ├── Development Account (e.g., dev-app-001)
    ├── QA Account
    ├── Pre-Prod Account
    └── Sandbox Account

OU Purpose:
  • Root – The top of the organization (not itself an OU). Holds only the Master Payer Account (MPA), which AWS now calls the management account; keep workloads out of it, because SCPs never restrict the management account.
  • Production OU – Hosts production workloads.
  • Security OU – Manages security, logging, and audit accounts.
  • Non-Production OU – Development, QA, Pre-Prod, and Sandbox environments.
Benefits of this OU structure:
  • Clear separation of environments for governance and billing.
  • Easier application of SCPs at the OU level.
  • Supports future account growth and automation.
  • Improves operational visibility and compliance.
Technical Implementation Steps:

Step 1: Create AWS Organization
Log in to AWS Console
URL: https://aws.amazon.com/console/
Use the Master Payer Account (MPA) credentials.

Open AWS Organizations
Search Organizations in the console.
Click AWS Organizations.

Create Organization
Click Create organization.
Select Enable all features (required for SCPs and full governance).
Review warnings and click Create organization.

Verify Creation
Ensure your MPA is shown as the management account (older console text calls it the master account).
You can now invite existing accounts or create new accounts.

Step 2: Create Organizational Units (OUs)
In AWS Organizations → Organize accounts.
Click Add an organizational unit and create:
Production (under Root)
Security (under Root)
Non-Production (under Root)

Step 3: Create AWS Accounts under OUs
Use the MPA to create accounts via AWS Organizations console or CLI. Example accounts:

OU              Accounts                                               Naming Example
Production      Production Account                                     prd-web-001
Security        Security, Logging, Shared Services, Network Services   sec-log-001, shared-svcs-001
Non-Production  Development, QA, Pre-Prod, Sandbox                     dev-app-001, qa-db-001

Notes:
Master Payer Account stays at Root and runs no workloads; SCPs do not restrict it, so anything deployed there sits outside the guardrails.
Every account needs its own unique e-mail address for its root user; lock that root user down (MFA, no access keys) as soon as the account exists.
Use consistent naming conventions for clarity, e.g., prd-web-001, dev-app-002.
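Steps 2 and 3 as code, for teams that would rather provision the tree from a script than click through the console. This is an added example written for this page, not code from the original post: it uses the boto3 Organizations API (run with Master Payer account credentials), the client is a parameter so the same logic can be dry-run against the small in-memory fake at the bottom, and the e-mail addresses and the trimmed account list are assumptions.

```python
"""Steps 2 and 3 as code: create the OU tree and the accounts under it.

Added example, not from the page. Uses the boto3 Organizations API under
Master Payer (management) account credentials; the client is a parameter so
the same logic can be dry-run against the in-memory fake below. Account names
follow the page's convention; e-mail addresses are placeholders (each AWS
account needs its own unique one).
"""
import time

# OU name -> [(account name, root-user e-mail)]; trimmed to the page's examples.
LANDING_ZONE = {
    "Production": [("prd-web-001", "aws-prd-web-001@example.com")],
    "Security": [("sec-log-001", "aws-sec-log-001@example.com"),
                 ("shared-svcs-001", "aws-shared-svcs-001@example.com")],
    "Non-Production": [("dev-app-001", "aws-dev-app-001@example.com"),
                       ("qa-db-001", "aws-qa-db-001@example.com")],
}


def ensure_ou(org, parent_id, name):
    """Return the id of OU `name` under `parent_id`, creating it only if absent (idempotent)."""
    for ou in org.list_organizational_units_for_parent(ParentId=parent_id)["OrganizationalUnits"]:
        if ou["Name"] == name:
            return ou["Id"]
    return org.create_organizational_unit(ParentId=parent_id, Name=name)["OrganizationalUnit"]["Id"]


def create_account_in_ou(org, root_id, ou_id, name, email, poll_seconds=5):
    """Create an account (asynchronous in AWS), wait for it, then move it into its OU."""
    status = org.create_account(
        Email=email, AccountName=name,
        RoleName="OrganizationAccountAccessRole",  # admin role the MPA assumes in the new account
        IamUserAccessToBilling="DENY",             # billing stays visible to the payer only
    )["CreateAccountStatus"]
    while status["State"] == "IN_PROGRESS":
        time.sleep(poll_seconds)
        status = org.describe_create_account_status(
            CreateAccountRequestId=status["Id"])["CreateAccountStatus"]
    if status["State"] != "SUCCEEDED":
        raise RuntimeError(f"{name}: {status.get('FailureReason')}")
    # AWS parents new accounts to the root; move them so the OU's SCPs apply.
    org.move_account(AccountId=status["AccountId"], SourceParentId=root_id, DestinationParentId=ou_id)
    return status["AccountId"]


def build_landing_zone(org, structure=LANDING_ZONE, poll_seconds=5):
    """Create every OU and account in `structure`; returns {ou: {account name: account id}}."""
    if org.describe_organization()["Organization"]["FeatureSet"] != "ALL":
        raise RuntimeError("enable all features (Step 1) first; SCPs need it")
    root_id = org.list_roots()["Roots"][0]["Id"]
    created = {}
    for ou_name, accounts in structure.items():
        ou_id = ensure_ou(org, root_id, ou_name)
        created[ou_name] = {name: create_account_in_ou(org, root_id, ou_id, name, email, poll_seconds)
                            for name, email in accounts}
    return created


class FakeOrganizations:
    """In-memory stand-in for boto3's Organizations client, for offline dry runs only."""

    def __init__(self):
        self.ous, self.parent = {}, {}  # ou id -> (parent id, name); account id -> parent id

    def describe_organization(self):
        return {"Organization": {"FeatureSet": "ALL"}}

    def list_roots(self):
        return {"Roots": [{"Id": "r-0001"}]}

    def list_organizational_units_for_parent(self, ParentId):
        return {"OrganizationalUnits": [{"Id": i, "Name": n} for i, (p, n) in self.ous.items() if p == ParentId]}

    def create_organizational_unit(self, ParentId, Name):
        ou_id = f"ou-{len(self.ous) + 1:04d}"
        self.ous[ou_id] = (ParentId, Name)
        return {"OrganizationalUnit": {"Id": ou_id, "Name": Name}}

    def create_account(self, Email, AccountName, RoleName, IamUserAccessToBilling):
        account_id = f"{len(self.parent) + 1:012d}"
        self.parent[account_id] = "r-0001"  # new accounts start at the root, as in AWS
        # The fake completes synchronously, so describe_create_account_status is never needed.
        return {"CreateAccountStatus": {"Id": "car-" + account_id, "State": "SUCCEEDED", "AccountId": account_id}}

    def move_account(self, AccountId, SourceParentId, DestinationParentId):
        assert self.parent[AccountId] == SourceParentId
        self.parent[AccountId] = DestinationParentId


if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:
        import boto3  # real run against AWS with management-account credentials
        client = boto3.client("organizations")
    else:
        client = FakeOrganizations()
    print(build_landing_zone(client))
```

Run it without arguments for a dry run against the fake, or with `--live` once the Master Payer credentials are configured. Accounts are created at the root and then moved, because that is the order AWS imposes; until the move completes the new account is governed only by whatever SCPs sit on the root.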

Step 4: Apply Service Control Policies (SCPs)
Attach policies at OU or account level via AWS Organizations → Policies. An SCP never grants access by itself: it sets the ceiling on what IAM policies inside the member accounts can allow, and an action passes the SCP check only if every level from the root down to the account allows it and no level denies it. The AWS-managed FullAWSAccess SCP is attached to every root, OU and account by default, and SCPs do not apply to the MPA.
OU             SCP Guidance
Production     Strict: keep FullAWSAccess and add explicit denies for dangerous changes (e.g., deny the calls that switch off S3 Block Public Access, deny stopping or deleting CloudTrail).
Non-Production Flexible: keep FullAWSAccess with only baseline denies, so dev tools (e.g., EC2 Spot Instances) stay usable.
Security       Restricted: allow-list security services only (e.g., CloudTrail, Config, Security Hub, GuardDuty, logging, KMS). An allow-list only takes effect if FullAWSAccess is detached from that OU; otherwise it re-allows everything the list omits.

Best Practices for SCPs
Test in Sandbox first: attach the policy to the Sandbox account, exercise the workload, and watch CloudTrail for AccessDenied errors before moving the policy up to an OU.
Layer with IAM policies for fine-grained control; the SCP draws the boundary, IAM grants inside it.
Use the example SCPs in the AWS documentation as starters (e.g., the example that restricts EC2 instance types). FullAWSAccess is the only AWS-managed SCP, so the examples are copied into policies of your own rather than attached by name.
Keep a deny-only baseline at the root (e.g., deny organizations:LeaveOrganization) so every account inherits it.
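Step 4 as code, covering both the per-OU guidance in the table and the "test before you attach" advice: the SCP documents for the root and the three OUs, a small offline evaluator that applies the SCP inheritance rule to sample actions, and the boto3 calls that create and attach a policy. This is an added example written for this page, not code from the original post. The policy statements are assumptions that follow the table (deny leaving the organization and disabling CloudTrail everywhere, freeze S3 Block Public Access in Production, allow-list security services in the Security OU, leave Non-Production on FullAWSAccess); the evaluator ignores Resource, Condition and NotAction, so it is a planning aid, not a replacement for the IAM policy simulator.

```python
"""Step 4 as code: SCP documents for the root and the three OUs, an offline
evaluator that shows what they permit before anything is attached, and the
boto3 calls that attach them.

Added example, not from the page. Policy contents are assumptions that follow
the OU table. The evaluator models AWS's rule: an action passes only if every
level from the root down to the account allows it and no level denies it.
It handles Action/Effect only (no Resource, Condition or NotAction).
"""
import fnmatch
import json

# AWS-managed SCP attached to every root, OU and account by default.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

ROOT_BASELINE = {  # attached to the root, so inherited by every OU and account
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyLeavingOrganization", "Effect": "Deny",
         "Action": "organizations:LeaveOrganization", "Resource": "*"},
        {"Sid": "ProtectCloudTrail", "Effect": "Deny",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"], "Resource": "*"},
    ],
}

PRODUCTION_GUARDRAILS = {  # strict: once Block Public Access is on, nobody can switch it off
    "Version": "2012-10-17",
    "Statement": [{"Sid": "FreezeS3BlockPublicAccess", "Effect": "Deny",
                   "Action": ["s3:PutAccountPublicAccessBlock", "s3:PutBucketPublicAccessBlock"],
                   "Resource": "*"}],
}

SECURITY_ALLOWLIST = {  # restricted: only what the security and logging accounts need
    "Version": "2012-10-17",
    "Statement": [{"Sid": "SecurityServicesOnly", "Effect": "Allow",
                   "Action": ["cloudtrail:*", "config:*", "securityhub:*", "guardduty:*",
                              "logs:*", "s3:*", "kms:*", "sns:*", "iam:*", "sts:*",
                              "organizations:Describe*", "organizations:List*"],
                   "Resource": "*"}],
}


def _matches(action_field, action):
    patterns = [action_field] if isinstance(action_field, str) else action_field
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def level_allows(policies, action):
    """One root/OU/account level: a matching Deny wins outright, otherwise some Allow must match."""
    allowed = False
    for policy in policies:
        for statement in policy["Statement"]:
            if not _matches(statement["Action"], action):
                continue
            if statement["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def scp_permits(path, action):
    """`path` lists the SCP sets from the root down to the account; every level must allow."""
    return all(level_allows(level, action) for level in path)


def attach_scp(org, name, document, target_ids):
    """Create the SCP and attach it to each target id (root, OU or account). Needs a boto3
    Organizations client with management-account credentials. Compact JSON keeps the
    document inside the 5,120-character SCP quota."""
    content = json.dumps(document, separators=(",", ":"))
    policy_id = org.create_policy(Content=content, Description=name, Name=name,
                                  Type="SERVICE_CONTROL_POLICY")["Policy"]["PolicySummary"]["Id"]
    for target in target_ids:
        org.attach_policy(PolicyId=policy_id, TargetId=target)
    return policy_id


# Effective SCP sets along each root -> OU path. The third entry shows the common mistake
# of leaving FullAWSAccess attached next to an allow-list.
ROOT = [FULL_AWS_ACCESS, ROOT_BASELINE]
PATHS = {
    "Production": [ROOT, [FULL_AWS_ACCESS, PRODUCTION_GUARDRAILS]],
    "Security": [ROOT, [SECURITY_ALLOWLIST]],
    "Security (FullAWSAccess left attached)": [ROOT, [FULL_AWS_ACCESS, SECURITY_ALLOWLIST]],
    "Non-Production": [ROOT, [FULL_AWS_ACCESS]],
}
SAMPLE_ACTIONS = ["ec2:RunInstances", "s3:PutAccountPublicAccessBlock", "cloudtrail:StopLogging",
                  "guardduty:CreateDetector", "organizations:LeaveOrganization"]


def simulate(paths=PATHS, actions=SAMPLE_ACTIONS):
    """{ou: {action: permitted}}: the dry run to do before attaching anything."""
    return {ou: {a: scp_permits(path, a) for a in actions} for ou, path in paths.items()}


if __name__ == "__main__":
    for ou, verdicts in simulate().items():
        print(ou, json.dumps(verdicts))
```

The simulation is where the inheritance rule becomes visible: `cloudtrail:StopLogging` is denied in every OU because the root baseline denies it, the Security allow-list blocks `ec2:RunInstances` only when FullAWSAccess has been detached from that OU, and Production keeps everything except the Block Public Access calls. Note that an SCP denial shows up in CloudTrail as an AccessDenied error with the same look as an IAM denial, which is why the Sandbox test matters.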

Central Services in Security OU
AWS CloudTrail: Organization-wide logging.
AWS Config: Resource compliance monitoring.
AWS Security Hub: Central security dashboard.
AWS GuardDuty: Threat detection.

Key Advantages
Security: Strong isolation; centralized monitoring.
Governance: OU-level SCP guardrails.
Scalability: Add accounts easily; automate with AWS Control Tower.
Cost Management: Consolidated billing with tags for environment tracking.

Architecture Diagram Overview
(Diagram of the Security OU central services listed above: CloudTrail, Config, Security Hub, GuardDuty.)
