Why level up to AWS Organizations and Why not stick to AWS Account

Question

**What is the advantage of AWS organization management over the account management ?  Why take the leap******

Every Company has users and resources they interact with. End of the day -  management of these users and resources (allowing the intended and blocking the un-intended usage) is the purpose of our job. Answer is to use an account level strategy or organizational level strategy.

In AWS , few years back , focus was on securing an account and VPCs did the separation for production, development and testing stages. [Please understand Separate VPC is as good as a separate datacenter ]. Now idea is promoted that practically each developer or team will have an account and  the department will work as an OU and Enterprise will run as a AWS organization - handling this multi account strategy. So along comes SCPs 
(at the end of the day they are DENY rules). Control Tower and Landing Zone. But the same things can be run on account level.

*Are we Securing the blast radius by limiting to an account ? incase of an account compromise ?  **I do not agree as firstly* when your running a multi-account system similar cross account access are also in place which needs to be secure along with the basic level account security management. Also top-managing account in organization can be compromised . In fact the attack surface largely increasing onto an other level. Causes difficulties to visibility and monitoring - ( Guard Duty can be enabled for multi accounts and Cloud Trails Aggregator can be used )- but it is getting complicated.

Secondly, anyways one has to keep the account secure also. Clear demarcation is  possible and good environment can be provided with VPC , Conditional statements , tagging. In case of merger there can be cross account access enabled with external ID.

**I am not here to challenge but I want to gain an understanding in why the shift was undertaken. Also any resources in this regard will be great help. Even a comment might help. ******  **

Answer

As you mentioned, limiting the security scope (blast radius as you call it) is a driving factor for many customers to use multiple accounts. Customers commonly separate production, sandbox, staging etc. into separate accounts. Large organizations often separate business units into separate accounts too for billing and security. Access management is simplified in a multi-account scenario as you only allow access by need instead of having to be extremely diligent about policy rights to various resources in a single account. Also, some regulatory requirements mandate separate accounts for production and development. There are also account quotas that larger customers would bump up against if using a single account.

Answer

AWS Organization allows customers to consolidate billing for multiple AWS accounts and optionally manage those accounts centrally. There are many tasks that customers has to perform to ensure the baseline e.g. security guardrail, is implemented correctly. Many customers are asking for AWS guidance to help them ensure their AWS environments meet those requirements. The AWS Well-Architected Management and Governance Cloud Environment Guide (M&G Guide) provides clear guidance for customer to follow. Beyond AWS Organization, M&G Guide it introduce AWS Control Tower to provision a landing zone embedded with controls. 
You may want to look at the guide at: https://docs.aws.amazon.com/wellarchitected/latest/management-and-governance-guide/management-and-governance-cloud-environment-guide.html

Why level up to AWS Organizations and Why not stick to AWS Account

関連するコンテンツ