AWS Cloud Operations Blog

Multi-account strategy for small and medium businesses

Why invest in a multi-account cloud foundation?

Small and Medium Businesses (SMB) usually start with a single account when setting up their Amazon Web Services (AWS) environment. They typically want to get going quickly and maintain agility. Starting small and focusing on business needs, seems to make the most sense. However, even as a small or medium business, AWS recommends using a multi-account foundation. In fact, a multi-account foundation can be just as straightforward to set up, and comes with some additional benefits such as:

  1. You can isolate your workloads to reduce the impact of faults and security events, by securing access with AWS IAM Identity Center.
  2. You can promote innovation by providing different environments such as sandbox, development, and production.
  3. You can manage your Service Quotas more efficiently by managing them individually for each of your workloads without competing for resources.
  4. When your workloads are isolated, it makes it easier to identify what resources are being used by each workload, so you can identify cost-saving opportunities much faster.

Adopting a multi-account strategy for your foundation enables you to scale with an infrastructure that can support your business growth. It can also meet your security and compliance needs, and recover quickly when issues arise. Following these best practices, you can build an optimally structured cloud foundation. This will permit governance and access management of resources on a needs basis, without compromising agility or cost.

The basis of a Well-Architected multi-account AWS environment is AWS Organizations, an AWS service that enables you to centrally manage and govern multiple accounts. In this blog post, we will make recommendations for a multi-account structure with specific examples. You can then identify and categorize infrastructure assets and improve your security posture. Let’s get started!

Best practices for setting up your multi-account AWS environment

AWS Organizations allows you to centrally govern your environment as you grow and scale your workloads on AWS. To learn more about core concepts of AWS Organizations, you can review Organizing Your AWS Environment Using Multiple Accounts. The blog post Best Practices for Organizational Units with AWS Organizations explains why building a multi-account environment is advantageous, and has details and best practices for setting it up.

In this post, we will look at five primary steps in building a secure, compliant, and cost-efficient multi-account cloud foundation.

1. Establish the account as an operational unit (OU) in a multi account environment

As you begin building your environment on AWS, we recommend that you determine how your business, governance, security, and operational requirements can be met with AWS. The use of multiple AWS accounts plays an important role in how you meet those requirements. Since workloads often have distinct security profiles that require separate control policies and mechanisms to support them, AWS accounts allow you to apply distinct restrictions and policies for each group of accounts. When using multiple accounts for example, resources and data that make up one workload environment can be separated from others.

In the multi-account strategy whitepaper, AWS defines an account as an isolation boundary that contains cloud resources and data.

A multi-account environment uses individual AWS accounts as operational units. Each account is used for a specific operation or activity, like hosting workloads, security tools, or operational dashboards.

Figure 1. Starter recommended accounts for your organization

As shown in Figure 1, you may start an environment with:

  • One account for hosting network components, like an internet gateway and a NAT gateway
  • One for hosting workloads
  • One for creating and storing secure Amazon EC2 images (AMIs)
  • One for operations and management

Using multiple accounts allows you to separate your permissions across accounts following the principle of least privilege with your identities. Ensuring the right permissions are granted to access your environment and resources is recommended to meet some of the requirements for industry compliance frameworks, such as the PCI DSS, ISO 27001, and others.

Using multiple accounts allows you to simplify policy management for your users and isolate resources by workloads and account. This enables you to manage account-level access, as opposed to fine-grained access policies. You can easily expand your AWS architecture by adding accounts to the AWS Organization as needed. As a result, you will now be able to enable account-level tracking of spend. You can also analyze overall budget spend and optimize as needed.

2. Centralize security view, response, and remediation

As the next step, we recommend customers set up dedicated accounts for security and operations. This will give you a centralized security view for response and remediation. This best practice recommends creating two additional accounts, as shown in Figure 2.

Figure 2. Foundational AWS accounts

  • A Log Archive account. The log archive is an account that acts as a consolidation point for log data that is gathered from all the accounts in the organization. It is primarily used by your security, operations, audit, and compliance teams. This account contains a centralized storage location for copies of every account’s audit, configuration compliance, and operational logs. Read the Log Storage capability guidance for details of what goes into this account and how to implement it.
  • A Security Tooling account. This account is where you will centralize all of the security data from across the environment. Common examples of tools and services configured in this account include Amazon GuardDuty, AWS Security Hub, Amazon Detective, and third-party cloud security monitoring services and tools. These tools will be set up with delegated administration so that data and security events from all accounts are centralized in the security account. Since the account provides an environment-wide security view access, it should be restricted to authorized security and compliance personnel only.

With these two additional accounts, you can gain an environment-wide view of security, thus enabling you to prioritize and act on security events and issues from a central console.

3. Simplify access using identity federation

With structure, security, and controls in place, you now must confirm that operators and developers have access to their respective environments. Think through the following questions to set up a uniform access mechanism across your entire AWS environment.

  • How do I provide easy access to all accounts?
  • How do we grant the correct users access to the correct account with the correct permissions?
  • How do I manage a user’s lifecycle?

Instead of accessing each account with a separate set of credentials, you can use identity federation to set up a centralized login mechanism. In this way, you have access to all the accounts in your environment, while following the principle of least privilege. This can be done using a single interface for creating or deleting users or groups, and granting or revoking permissions. These permissions can be used to access other applications, thus serving as a single sign-on (SSO) identity provider. This allows users to be added or removed from applications with a few clicks.

Figure 3. Using identity federation for permitting access

As depicted in Figure 3, AWS IAM Identity Center enables you to access all the accounts in an AWS Organization and centralized user management. You can extend identity federation to allow access to not only AWS accounts, but also other applications such as Jenkins, JIRA, Slack, and Zoom.

Check out the Identity Management and Access Control capability implementation guidance in Cloud Foundations solutions to learn how to set up AWS IAM Identity Center.

4. Enhance security and governance posture by classifying environments

To further enhance the security of your workloads and data, we recommend you separate your workloads based on the type of environment and software development lifecycle. With AWS Organizations, you can create Organizational Units (OU) to group AWS accounts that have a similar purpose or security posture. You can centrally apply organizational policies to groups of accounts.

We recommend starting small by creating a Security OU for all security related workloads and tools. An Infrastructure OU can group your shared services across your organization, such as networking, identity resources, and operations workloads and tools. You can use multiple workloads OUs for individual workload environments. Thus, for workloads, you may have an OU and account to host production and pre-production workloads, a test OU and account to host acceptance testing, and so on. This layout is depicted in Figure 4.

Figure 4. Recommended starter AWS Organization Units

Following the best practices included in the multi-account strategy whitepaper, we recommend you start small. Your foundational accounts can include your infrastructure services, security services, and your workloads.

To attach metadata to your cloud resources, use tags to enhance your security and governance posture, and help you optimize spend by aiding in tracking cost and usage of your resources. Refer to Tagging AWS resources to learn how to attach tags to your cloud resources. Developing a tagging strategy is key to successfully scale in your environment. Learn more about how to establish a tagging strategy in the implementation guidance for the tagging capability.

Organizing environments and grouping accounts creates an environmental separation that enables protection against misconfiguration, by using policy-based permission control. It also results in tighter access control to the production environment, following the principal of least privilege.

5. Implement permission controls to improve security and reduce cost

With these recommendations, you should be able to create a secure, structured, and readable environment. The next step is to implement a mechanism for controls that cannot be overridden by misconfiguration or deliberative role overprovisioning within individual accounts. This can be achieved using policy-based permission control. In AWS Organizations, Service Control Policies (SCPs) offer central control over the maximum available permissions for all the accounts in an organization. SCPs help customers ensure the accounts stay within their organization’s access control boundaries. For example, you may create an SCP that disallows access to all Regions but your own. This will ensure that resources are not provisioned in any other Region.

This will improve your security posture by reducing the threat surface to specific Regions and services. You’ll have protection against misconfigurations and also reduce cost by tightly controlling resource provisioning.

Review Best Practices for AWS Organizations Service Control Policies in a Multi-Account Environment to learn more about SCPs. Identity Management and Access Control and Workload Isolation Boundary are useful resources to learn more about the capabilities in the cloud foundations solutions.

Conclusion

Each organization’s requirements to build a cloud environment are different; organizing workloads following best practices can make it easier for you to manage and operate your environment. These best practices can help SMB customers drive the conversation and decisions across relevant stakeholders. At the same time, they help you plan for a solid cloud foundation, build a multi-account environment on AWS, and achieve your desired target state for your cloud environment quicker.

Having a strong cloud foundation will help you to efficiently manage and operate your cloud with agility, and unlock rapid innovation. With the right foundation in place, you can deliver features that matter to your customers more often without having to focus on the undifferentiated heavy lifting of your environment. If you’re interested in taking the next step and setting up your multi-account environment, read Getting Started guides. Check out how to establish your initial foundation with AWS Control Tower, a managed service that can help you set up your initial multi-account environment on AWS.

To learn more about the other capabilities you may need as your cloud environment matures, review the Establishing your cloud foundation on AWS whitepaper. Read implementation guidance and tailored AWS-built solutions to help you establish these capabilities in your environment, in the Cloud Foundations Solutions Library.

About the authors:

Alex Torres

Alex Torres is a Specialist Senior Solutions Architect in the Cloud Foundations team. Alex is passionate about helping customers to navigate through the decisions needed to establish their cloud foundation on AWS and help them solve their business challenges through solutions tailored to their business needs. Besides his passion for technology, Alex enjoys hiking, pineapple on pizza, and spending time with his dogs.

Siddhesh Jog

Siddhesh has over 17 years of experience in delivering business value through technology in the Banking and Logistics industries. He has architected and operated cloud environments for enterprise as well as startups. He is excited to help customers achieve their goals.