engineering · 5 min read
Tame your Cloud with AWS Organizations
Absolutely essential for businesses of any size, AWS Organizations enhances and simplifies security, controls and observability for all AWS users
AWS Organizations is a significant yet often overlooked service; the number of companies not using it, and living with unnecessary risk and complexity in their cloud setups as a result, must be enormous!
Organizations enables the management of multiple AWS accounts from a single control plane: consolidating billing, centralizing metrics and logs, enforcing security guardrails and backup strategies, and managing access through Single Sign-On (SSO), while still allowing data (and resources) to be shared between accounts.
Separate your concerns both logically and financially across individual accounts, improve visibility (and accountability) and reduce risk with AWS Organizations.
What are AWS Organizations?
AWS Organizations is a service enabling the management of multiple AWS accounts from a single management account (older material calls it the master account; "root" in Organizations refers to the top of the account tree, not to this account).
These accounts can be further organised in a directory-like tree, with the organization root at the top and Organizational Units (OUs) beneath it, and different policies can be applied to different branches of the tree.
If you don't currently use multiple AWS accounts, you might want to consider it: an account is the strongest isolation boundary AWS offers, and it can significantly simplify administrative tasks and enhance security.
How/why/when to use them
- How to use them Start by selecting an existing account or creating a new one to serve as your management account. Log in to this account, navigate to the Organizations section, and either invite your existing accounts or create new ones. Each account requires a unique email address, which becomes the login for that account's root user, so use addresses your team controls (a distribution list or alias rather than one person's mailbox); sub-addressing with providers like Google keeps them unique (e.g., developer+account1@mygooglemail.com). Secure every root user with MFA as soon as the account exists.
- When and why to use them Use them to separate concerns. Create dedicated accounts for individual clients, departments, or projects, improving resource management and cost allocation. Use them to create sandbox accounts for experimentation and personal development, without the risk of unintended consequences. Isolate sensitive or critical applications and data in dedicated accounts to limit the blast radius of a security breach.
Costs and billing management
- The cost There is none, Organizations is a free feature of AWS (of course, you still pay for any underlying AWS services you use).
- Consolidated Billing One of the great features is consolidated billing. The root account can handle all payments while still attributing costs to each individual account. This optional arrangement simplifies the financial administration of multiple accounts, offering a complete view of all cloud expenditure.
- Free Tier A lot of AWS services have free tiers, whether permanent or limited in duration. Note that these are pooled, not multiplied: free tier usage is calculated across all accounts of an organization, so ten accounts still get one free tier allowance between them.
- Free Credits These are applied to the management account and, by default, shared across the organization; credit sharing can be turned off if you want them consumed by a specific account.
The killer features
The following powerful features are available for free to all AWS Organizations; if you’re not already using them, I highly recommend it!
- Service Control Policies
Service Control Policies (SCPs) define the maximum permissions available in an account. They never grant access on their own; IAM policies inside the account still have to allow an action, and an SCP can only take actions away.
Entirely prevent the deletion of production CloudWatch logs, prevent the use of specific regions, deny IAM users access without MFA, or enact any number of financial/security restrictions.
Multiple policies can be created and managed, and can not only be applied to accounts, but also to Organizational Units (OUs), where they affect all child accounts of that unit. Two caveats: SCPs do not apply to the management account (keep that account empty of workloads), and the default FullAWSAccess policy must remain attached somewhere in the path from the root to the account, or nothing is allowed.
- Stack Sets
CloudFormation StackSets enable us to deploy a stack once, and have it replicated across multiple accounts (or OUs) and regions. Future updates can be orchestrated similarly; we even get to choose to apply these stacks automatically to accounts entering (or leaving) the OU. This opens the door to a wide variety of policies and functionality, for example, centrally managing an identity provider, or notifications on event occurrences.
- AWS IAM Identity Center
IAM Identity Center (previously known as AWS Single Sign-On) simplifies access to your AWS accounts, allowing your users to sign in once and access all of the accounts they are assigned to from a single list, using short-lived credentials. SSO considerably reduces the need for IAM users, and the risks associated with such long-lived access, and allows you to manage access and permissions (as permission sets) for all users of your accounts from a single location.
- Centralized logging and metrics
Using CloudWatch cross-account observability with Organizations, it's possible to have all your logs, metrics and X-Ray traces from source accounts visible in a designated monitoring account. The CloudWatch console in this account then enables users to bounce between accounts and regions, to have observability of all accounts, and even create things like cross-account dashboards.
- Backup
AWS Backup works fantastically well with Organizations, allowing you to orchestrate, monitor and enforce backup plans across OUs from the management account, helping ensure that your data is safe.
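To make the SCP section concrete, here is an added example (not from the original article) of a guardrail SCP combining the three controls mentioned above: protecting CloudWatch log groups, restricting regions, and denying IAM users that have not used MFA. The approved regions, the list of global services excluded from the region check, and the account context values are assumptions for illustration. Alongside the policy is a small evaluator for just the subset of IAM semantics the policy uses (Allow/Deny, Action/NotAction wildcards, StringEquals, StringNotEquals, Bool, BoolIfExists), so you can check the deny logic offline before attaching it to an OU.

```python
import fnmatch
import json

# Added example, not the article's own code. Regions, excluded global services
# and MFA exceptions below are assumptions; adapt them to your organisation.
ORG_GUARDRAILS = {
    "Version": "2012-10-17",
    "Statement": [
        # SCPs only filter: without an Allow nothing is permitted, so keep the
        # default FullAWSAccess allow here or attached separately in the path.
        {"Sid": "FullAWSAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Sid": "ProtectCloudWatchLogs",
            "Effect": "Deny",
            "Action": ["logs:DeleteLogGroup", "logs:DeleteLogStream",
                       "logs:DeleteRetentionPolicy"],
            "Resource": "*",
        },
        {
            "Sid": "DenyUnapprovedRegions",
            "Effect": "Deny",
            # Global services report us-east-1 as the requested region, so they
            # must be excluded or this statement breaks IAM, STS and billing calls.
            "NotAction": ["iam:*", "organizations:*", "sts:*", "cloudfront:*",
                          "route53:*", "support:*", "budgets:*", "cur:*"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {
                "aws:RequestedRegion": ["eu-west-1", "eu-west-2"]}},
        },
        {
            "Sid": "DenyIamUsersWithoutMfa",
            "Effect": "Deny",
            # Leave out the calls needed to enrol an MFA device and get an MFA
            # session token, otherwise a new user can never satisfy the rule.
            "NotAction": ["iam:ChangePassword", "iam:CreateVirtualMFADevice",
                          "iam:EnableMFADevice", "iam:GetUser", "iam:ListMFADevices",
                          "iam:ListVirtualMFADevices", "iam:ResyncMFADevice",
                          "sts:GetSessionToken"],
            "Resource": "*",
            "Condition": {
                # Scoped to IAM users so roles (EC2, Lambda, SSO sessions) are untouched.
                "StringEquals": {"aws:PrincipalType": "User"},
                # IfExists: long-term access keys carry no MFA key in the request
                # context at all and must still be denied, not silently allowed.
                "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"},
            },
        },
    ],
}

SCP_MAX_CHARS = 5120  # Organizations rejects policy documents larger than this


def render_scp(policy):
    """Compact JSON ready for `aws organizations create-policy --content`."""
    doc = json.dumps(policy, separators=(",", ":"))
    if len(doc) > SCP_MAX_CHARS:
        raise ValueError(f"SCP is {len(doc)} chars, limit is {SCP_MAX_CHARS}")
    return doc


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are case-insensitive and patterns may contain '*'.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_targets(stmt, action):
    if "Action" in stmt:
        return any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
    return not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))


def _condition_holds(condition, ctx):
    """All operator blocks and all keys must match (AND); listed values are OR."""
    for operator, keys in condition.items():
        for key, wanted in keys.items():
            wanted = [str(v).lower() for v in _as_list(wanted)]
            present = key in ctx
            actual = str(ctx.get(key, "")).lower()
            if operator in ("StringEquals", "Bool"):
                if not (present and actual in wanted):
                    return False
            elif operator == "StringNotEquals":
                # A missing key counts as "not equal": negated operators in a
                # Deny statement catch more than people expect.
                if present and actual in wanted:
                    return False
            elif operator == "BoolIfExists":
                if present and actual not in wanted:
                    return False
            else:
                raise NotImplementedError(f"{operator} is outside this model")
    return True


def scp_allows(policy, action, ctx):
    """Explicit Deny wins; otherwise the action needs a matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _statement_targets(stmt, action):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

The evaluator models only what this policy needs; it is a sanity check for the deny logic, not a replacement for the IAM policy simulator. Attach the rendered document to a sandbox OU first and confirm, from a member account, that a `logs:DeleteLogGroup` call fails with an explicit deny before rolling it out to production OUs.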
Other notable features and uses
- Coming and going
Accounts can be created, invited, removed or closed in Organizations, giving us the ability to "hand over" (or take on) accounts as well as easily create and delete short-lived accounts.
This can be used in practice, for example, to maintain all client assets in a separate account which can be handed off to the client at the end of the business relationship, or to create resources in a temporary account to which external pen testers can be given access, without concern for the rest of the estate.
- Organizational units
Mentioned above, Organizational Units allow us to group accounts into a directory-like structure, allowing us to structure our organization freely, and to apply specific access, policies and resources automatically depending on an account's position in the organization.
- AWS Control Tower
For teams with complex multi-account environments, this service builds upon AWS Organizations, offering additional features for governance, automation, and centralized management (a landing zone with a pre-built log-archive and audit account). Control Tower itself has no charge; you pay for the services it provisions, such as AWS Config, CloudTrail and S3.
- AWS CloudTrail
An organization trail captures an audit trail of all API calls made within all of your accounts, including accounts added later, and member accounts can see but not alter it. Create it from the management account (or a delegated administrator) and deliver it to an S3 bucket in a dedicated log-archive account with tightly restricted access, so a compromise of a workload account cannot touch its own history. This central log offers a view of activity across your entire organization, which you can analyze for various purposes, such as setting alerts for suspicious behavior or meeting specific compliance requirements.
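The "alerts for suspicious behavior" point above is easier to see with a concrete detector, so here is an added example (not from the original article) that scans one CloudTrail delivery file (the `{"Records": [...]}` JSON CloudTrail writes to S3) for events that weaken the controls Organizations provides: an account leaving the organization, SCPs being detached or changed, trails being stopped, root-user activity, and console logins without MFA. The field names are the ones CloudTrail emits; the sample records and account IDs are constructed for this example, and the list of watched events is a starting point, not a complete ruleset.

```python
import json
from collections import Counter

# Added example, not the article's own code. Event sources/names below are the
# ones CloudTrail emits; the sample delivery further down is constructed.
SUSPICIOUS = {
    ("organizations.amazonaws.com", "LeaveOrganization"): "member account left the organization",
    ("organizations.amazonaws.com", "DetachPolicy"): "policy (e.g. SCP) detached",
    ("organizations.amazonaws.com", "DeletePolicy"): "policy deleted",
    ("organizations.amazonaws.com", "UpdatePolicy"): "policy content changed",
    ("cloudtrail.amazonaws.com", "StopLogging"): "trail logging stopped",
    ("cloudtrail.amazonaws.com", "DeleteTrail"): "trail deleted",
    ("cloudtrail.amazonaws.com", "UpdateTrail"): "trail configuration changed",
}


def classify(record):
    """Return a finding string for one CloudTrail record, or None if benign."""
    identity = record.get("userIdentity", {})
    key = (record.get("eventSource"), record.get("eventName"))
    if key in SUSPICIOUS:
        return SUSPICIOUS[key]
    # Root user API activity is rarely legitimate once Identity Center is in use.
    if identity.get("type") == "Root":
        return "root user activity"
    # Successful console sign-in without MFA, using CloudTrail's own field names.
    if (record.get("eventName") == "ConsoleLogin"
            and record.get("additionalEventData", {}).get("MFAUsed") == "No"
            and record.get("responseElements", {}).get("ConsoleLogin") == "Success"):
        return "console login without MFA"
    return None


def scan(delivery_json):
    """Parse one delivery file; return [(account, time, eventName, finding)]."""
    findings = []
    for rec in json.loads(delivery_json)["Records"]:
        finding = classify(rec)
        if finding:
            findings.append((rec.get("recipientAccountId"), rec.get("eventTime"),
                             rec.get("eventName"), finding))
    return findings


def per_account(findings):
    """Count findings per member account, handy for routing alerts."""
    return Counter(account for account, _, _, _ in findings)


def _rec(account, source, name, identity, **extra):
    # Helper to build constructed sample records with the fields used above.
    return dict(eventTime="2024-05-01T10:00:00Z", eventSource=source, eventName=name,
                awsRegion="eu-west-1", recipientAccountId=account,
                userIdentity=identity, **extra)


ROLE = {"type": "AssumedRole", "arn": "arn:aws:sts::111111111111:assumed-role/deploy/ci"}
USER = {"type": "IAMUser", "userName": "bob"}
ROOT = {"type": "Root", "accountId": "111111111111"}

# Constructed sample delivery: two benign records and four that should alert.
SAMPLE_DELIVERY = json.dumps({"Records": [
    _rec("111111111111", "s3.amazonaws.com", "ListBuckets", ROLE),
    _rec("222222222222", "organizations.amazonaws.com", "LeaveOrganization", USER),
    _rec("111111111111", "cloudtrail.amazonaws.com", "StopLogging", ROLE),
    _rec("333333333333", "signin.amazonaws.com", "ConsoleLogin", USER,
         additionalEventData={"MFAUsed": "No"}, responseElements={"ConsoleLogin": "Success"}),
    _rec("333333333333", "signin.amazonaws.com", "ConsoleLogin", USER,
         additionalEventData={"MFAUsed": "Yes"}, responseElements={"ConsoleLogin": "Success"}),
    _rec("111111111111", "sts.amazonaws.com", "GetCallerIdentity", ROOT),
]})

if __name__ == "__main__":
    for account, when, name, finding in scan(SAMPLE_DELIVERY):
        print(f"{when} {account} {name}: {finding}")
```

In practice this runs as a Lambda triggered by the log-archive bucket's object-created notifications (CloudTrail gzips the files, so decompress before parsing), or the same rules are expressed as CloudWatch metric filters on the trail's log group. Either way, keep the detector in the log-archive or security account, not in the accounts it watches.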
Conclusion
AWS Organizations is a valuable tool for teams and businesses of all sizes looking to simplify their cloud environment, enhance security, and optimize costs.
By leaning on its features, you can achieve a well-organized, secure, and scalable cloud infrastructure tailored to your specific needs.
I really would go as far as saying, if you’re not using it - why not?
About James Babington
A cloud architect and engineer with a wealth of experience across AWS, web development, and security, James enjoys writing about the technical challenges and solutions he's encountered, but most of all he loves it when a plan comes together and it all just works.