Applying AWS Organizations to Complex Account Structures - April 2017 AWS Online Tech Talks
1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Anders Samuelsson, Principal Product Manager – AWS Organizations
April 27, 2017
AWS Organizations
Account management at enterprise scale
with Quint Van Deman, Arturo Hinojosa, and David Schonbrun
2. Agenda
• AWS accounts: an evolution
• Customer challenges at scale
• Product concepts and features
• User stories
• Best practices
• Q & A
3. AWS accounts: an evolution
4. In the beginning…
(Diagram: three accounts, Prod, Dev-Test and Sandbox.)
• A developer creates an AWS account
• A network engineer helps create more VPCs and establishes VPN access
• Controls are implemented via roles, policies, tagging, security groups, etc.
5. Today – Cloud adoption at scale
(Diagram: a cloud team works from a Jump Account and uses cross-account resource access into a growing set of accounts: US Dev, US Prod, US Sandbox, Data Science, Security, Shared Service Production and HIPAA-Prod. The two columns are labelled "Accounts" and "New controls"; the new controls shown are cross-account resource access and centralized policy management.)
6. Customer challenges at scale
7. What do enterprise customers need to scale their AWS accounts effectively?
• Centrally manage policies across accounts
• View charges and usage across accounts
• Easily create new accounts at scale (for isolation and grouping)
8. What challenges have customers faced as they increased their number of AWS accounts?
• Creating a new account involves many manual processes
• IAM policy replication across accounts requires custom automation
• Billing consolidation requires manual tasks in multiple accounts
9. Introducing AWS Organizations
Policy-based management for multiple AWS accounts.
• Control AWS service use across accounts
• Consolidate billing and usage reporting
• Automate account creation
10. Product concepts and features
11. Key concepts
(Diagram: an organization tree. The Root holds the Master account and the organizational units SS_Prod, SS_Dev, BU1_Prod, BU1_Test, BU1_Dev, BU2_Prod, BU2_Test and BU2_Dev. The legend names the concepts: Organization, Root, Master account, Member accounts, Organizational unit, Service control policy.)
12. Sample enterprise reference architecture
(Diagram: the Root holds the Master account and organizational units named Shared, Development, Sandbox, Test, Prod-BC, Prod-NBC, Country1, Data and HIPAA-Prod.)
13. How does Organizations complement AWS IAM?
AWS Organizations:
• Create AWS accounts
• Create organizational units (OUs—logical groups of accounts)
• Attach SCPs to OUs (SCPs can also be attached to the root or to individual accounts; they bound what IAM in a member account can grant and grant nothing by themselves)
AWS IAM:
• Create users, roles, and policies in an account
• Manage assignment of users to roles in an account
• Create cross-account trusts (delegation and federation)
• Manage cross-account access
14. Product demo
• Account creation inside an Organization
• Account invitation
• OU creation
• SCP creation
• SCP application to an OU
15. User stories
16. The compliance officer
As a compliance officer at a life sciences company, I can control the AWS services available to AWS accounts with HIPAA data so that guidelines based on the BAA are consistently applied.
1. One SCP is attached to multiple accounts.
2. Controls are consistently enforced.
3. Updates to an SCP are automatically applied in real time.
CreateOrganizationalUnit API
CreatePolicy, AttachPolicy, UpdatePolicy APIs
17. The development team
As a development team, we quickly get access to dedicated AWS accounts with the correct corporate controls so that resources are isolated and product development timelines are maintained.
1. Scripted account creation.
2. Automatic account enrollment in consolidated billing.
3. Accounts added to an OU inherit the SCP attached to the OU.
CreateAccount API
MoveAccount API
18. The IT operations manager
As an IT operations manager, I can create development, test, and production OUs so that service API controls based on company IT policies are consistently applied.
1. Accounts can be grouped into an OU.
2. It’s easier to manage a single policy attached to an OU.
CreateOrganizationalUnit API
CreatePolicy, AttachPolicy, UpdatePolicy APIs
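The three user stories above map onto a handful of Organizations API calls. The following is an added example, not code from the talk or from AWS, that chains them with boto3 from the master account: create an OU, attach a blacklisting-style SCP to it, create a member account, and move the account into the OU so it inherits the SCP. Two things the slides gloss over are handled: CreateAccount is asynchronous and must be polled through DescribeCreateAccountStatus, and a new account is created directly under the root, so MoveAccount needs the root as its source parent. The OU name, policy name, account e-mail address and the denied-action set are placeholders chosen for illustration.

```python
"""Provision a controlled OU and a member account with the AWS Organizations API.
Added example, not code from the talk or from AWS. Names, e-mail address and the
denied-action set are placeholders; the caller must hold Organizations
permissions in the master account."""
import json
import time


def build_scp(denied_actions):
    """Blacklisting-style SCP: allow everything, then deny specific actions.
    The Allow statement keeps the policy self-sufficient even if the default
    FullAWSAccess SCP is later detached from the same OU."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"},
            {"Effect": "Deny", "Action": sorted(denied_actions), "Resource": "*"},
        ],
    }


def provision_ou(org, parent_id, ou_name, policy_name, denied_actions):
    """CreateOrganizationalUnit, CreatePolicy and AttachPolicy (slides 16 and 18)."""
    ou = org.create_organizational_unit(ParentId=parent_id, Name=ou_name)["OrganizationalUnit"]
    policy = org.create_policy(
        Content=json.dumps(build_scp(denied_actions)),
        Description="Service controls for OU " + ou_name,
        Name=policy_name,
        Type="SERVICE_CONTROL_POLICY",
    )["Policy"]["PolicySummary"]
    org.attach_policy(PolicyId=policy["Id"], TargetId=ou["Id"])
    return ou["Id"], policy["Id"]


def create_member_account(org, email, account_name, root_id, ou_id, poll_seconds=5):
    """CreateAccount and MoveAccount (slide 17). CreateAccount only queues the
    request, so poll DescribeCreateAccountStatus until it settles. The new
    account lands under the root, so the root is the source parent for the move."""
    status = org.create_account(
        Email=email,
        AccountName=account_name,
        RoleName="OrganizationAccountAccessRole",  # default role the master account can assume
        IamUserAccessToBilling="DENY",
    )["CreateAccountStatus"]
    while status["State"] == "IN_PROGRESS":
        time.sleep(poll_seconds)
        status = org.describe_create_account_status(
            CreateAccountRequestId=status["Id"]
        )["CreateAccountStatus"]
    if status["State"] != "SUCCEEDED":
        raise RuntimeError("account creation failed: %s" % status.get("FailureReason"))
    account_id = status["AccountId"]
    org.move_account(AccountId=account_id, SourceParentId=root_id, DestinationParentId=ou_id)
    return account_id


if __name__ == "__main__":
    import boto3  # imported here so the helpers above can be used without AWS access

    # Organizations is a global service reached through the us-east-1 endpoint (slide 20).
    org = boto3.client("organizations", region_name="us-east-1")
    root_id = org.list_roots()["Roots"][0]["Id"]
    ou_id, policy_id = provision_ou(
        org, root_id, "HIPAA-Prod", "hipaa-prod-controls",
        denied_actions={"organizations:LeaveOrganization"},  # illustrative deny list
    )
    account_id = create_member_account(
        org, "aws-hipaa-prod-1@example.com", "hipaa-prod-1", root_id, ou_id
    )
    print("account", account_id, "in OU", ou_id, "governed by", policy_id)
```

Run this once per OU from the master account; member accounts created this way are enrolled in consolidated billing automatically, and the master can reach each one by assuming OrganizationAccountAccessRole in it.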
19. Best practices – AWS Organizations
1. Monitor activity in the master account using AWS CloudTrail.
2. Do not manage resources in the master account.
3. Manage your organization using the principle of “least privilege.”
4. Use OUs to assign controls.
5. Test controls on a single AWS account first.
6. Only assign controls to the root of an organization if necessary.
7. Avoid mixing “whitelisting” and “blacklisting” SCPs in an organization.
8. Define and apply criteria for when a new account is necessary.
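Best practices 4 to 7, and the key-concepts slides before them, rest on how SCPs combine: all SCPs attached at one level are unioned, the levels from the root down to the account are intersected, the master account is exempt, and an SCP grants nothing by itself because the account's IAM policies must allow the call too. The following is an added example, not code from the talk or from AWS, that models those rules over constructed sample policies and shows why whitelisting and blacklisting SCPs are hard to mix: a whitelist left next to the default FullAWSAccess policy is silently ineffective, and a deny-only policy at a level whose FullAWSAccess was detached blocks every call. The model handles Effect, Action wildcards and Resource "*" only, with no Condition or NotAction; the services named in the sample policies are illustrative.

```python
"""Local model of service control policy (SCP) evaluation. Added example, not
code from the talk or from AWS; it covers Effect, Action (with wildcards) and
Resource "*" only, and ignores Condition and NotAction."""
from fnmatch import fnmatchcase

# The default policy AWS attaches to every root, OU and account.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Whitelisting style (constructed): list what a Dev OU may use; everything else is implicitly denied.
DEV_WHITELIST = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:*", "cloudwatch:*"], "Resource": "*"}]}

# Blacklisting style (constructed): deny-only; relies on an Allow existing at the same level.
NO_ORG_CHANGES = {"Statement": [
    {"Effect": "Deny", "Action": ["organizations:LeaveOrganization", "cloudtrail:StopLogging"],
     "Resource": "*"}]}


def _action_matches(pattern, action):
    patterns = pattern if isinstance(pattern, list) else [pattern]
    # IAM matches action names case-insensitively; "*" and "?" are the only wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def level_allows(policies, action):
    """All SCPs attached at one level are unioned: the action needs an Allow from
    any of them and a Deny from none of them."""
    allowed = denied = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _action_matches(stmt["Action"], action):
                if stmt["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied


def request_allowed(action, path, iam_allows, is_master=False):
    """`path` lists the SCPs attached at each level from the root down to the
    account. Levels are intersected, the master account is exempt, and an SCP
    never grants anything: the account's own IAM policies must allow as well."""
    if not iam_allows:
        return False
    if is_master:
        return True
    return all(level_allows(level, action) for level in path)


def scenarios():
    """Constructed cases for a member account that sits in an OU under the root."""
    root = [FULL_AWS_ACCESS]
    return {
        # Best practice 4: the OU carries the control and the account inherits it.
        "whitelist_blocks_unlisted": request_allowed(
            "dynamodb:PutItem", [root, [DEV_WHITELIST], [FULL_AWS_ACCESS]], True),
        "whitelist_passes_listed": request_allowed(
            "s3:GetObject", [root, [DEV_WHITELIST], [FULL_AWS_ACCESS]], True),
        # Best practice 7: FullAWSAccess left beside a whitelist turns it into a no-op.
        "whitelist_plus_full_access": request_allowed(
            "dynamodb:PutItem", [root, [DEV_WHITELIST, FULL_AWS_ACCESS], [FULL_AWS_ACCESS]], True),
        # ...and a deny-only policy with FullAWSAccess detached blocks every call.
        "deny_only_without_full_access": request_allowed(
            "s3:GetObject", [root, [NO_ORG_CHANGES], [FULL_AWS_ACCESS]], True),
        "blacklist_blocks_listed": request_allowed(
            "cloudtrail:StopLogging", [root, [FULL_AWS_ACCESS, NO_ORG_CHANGES], [FULL_AWS_ACCESS]], True),
        "blacklist_passes_other": request_allowed(
            "s3:GetObject", [root, [FULL_AWS_ACCESS, NO_ORG_CHANGES], [FULL_AWS_ACCESS]], True),
        # An SCP grants nothing: IAM in the account must also allow.
        "scp_does_not_grant": request_allowed(
            "s3:GetObject", [root, [FULL_AWS_ACCESS], [FULL_AWS_ACCESS]], False),
        # Best practices 1 and 2 follow from this: the master account is outside SCP control.
        "master_exempt": request_allowed(
            "cloudtrail:StopLogging", [root, [NO_ORG_CHANGES]], True, is_master=True),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:32s} {'allowed' if result else 'DENIED'}")
```

Best practice 5 (test on a single account first) is the same exercise against a real account: attach the candidate SCP to one account, try the calls the model says should fail, and only then move the policy up to an OU.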
20. Pricing and availability
• Available at no additional charge.
• Global service.
• Accessed through the endpoint in the US East (N. Virginia) region.
21. Q & A