Best practices to organize my company's first AWS account

0

Hi everyone,

I convinced my company to start using AWS for different projects that we have. I am a data scientist, certified AWS cloud practitioner, but still struggle to find the correct approach to organize our future accounts/resources in the best way following AWS best practices.

I have read about the root user account, the IAM users, roles and groups, organisational units, etc... but there seems to be 1000 ways of doing the same thing.

Here are a few details to guide your answer:

  • We would be 3 employees working on AWS
  • We would have 2 applications deployed, an internal label-studio annotating tool deployed on an EC2 for internal tasks, and a grafana dashboarding + influxdb + aws iot solution that will be deployed for external clients
  • The second solution would probably need to have dev and prod replicas, I guess
  • some of these employees may need to work on both of these solutions

My questions:

  • Should I create an AWS account (not IAM user but account, so 1 root) per solution?
  • If so, should they be grouped in an Organizational Unit?
  • Otherwise, should I create an IAM user per employee within one single AWS account?
  • How could IAM Roles and Groups be employed in this situation? Should groups be created by jobs for these employees (one group for the 2 data scientists, for example)?

How would you do it?

Many thanks in advance for your help.

Cheers

Antoine

4 Answers
2

All the answers in the post are correct. One to add is that I appreciate you have the CP certification; however, with highly experienced and certified people like myself, an answer here wouldn't be enough to point you in the right direction, as there is so much to think about.

I would recommend you engage with an Architect like myself to help you discuss and design from the ground up.

EXPERT
answered a month ago
  • Agreed, you may need some architecture guidance. AWS Professional Services has an offering called Landing Zone Accelerator that provides assistance designing a new AWS environment. Many certified AWS partners offer similar services. https://aws.amazon.com/contact-us/sales-support-partners/ can help you identify a certified partner to help.

  • Thanks for taking the time to reply Gary! I am training to get the Solutions Architect Associate certification at the moment but they don't show many use cases so it's difficult to figure out how to piece up all these blocks. Adeleke's answer below seems to be matching best practices.

2

Hi,

The canonical way of organizing your account for the future is to read this wp about AWS Organizations (1 of the best AWS wp for me...): https://docs.aws.amazon.com/pdfs/whitepapers/latest/organizing-your-aws-environment/organizing-your-aws-environment.pdf

If you follow this guidance, you'll be future-proof for any scaling coming up in your company.

Best,

Didier

AWS EXPERT
answered a month ago
reviewed a month ago
  • Thank you for taking the time to reply! I will make sure to go through this paper at the earliest occasion. Cheers

1
Accepted Answer

Based on your company's situation and AWS best practices, here's a recommended approach to organize your AWS resources:

  1. Create a single AWS account to start with, which will serve as your management account. This account will be the root of your organization.

  2. Use AWS Organizations to create and manage multiple accounts. This allows for better security, cost management, and resource isolation.

  3. Create separate AWS accounts for each environment (development, production) and for each distinct application or solution. In your case:

    • One account for the internal label-studio annotating tool
    • One account for the Grafana/InfluxDB/AWS IoT solution (development)
    • One account for the Grafana/InfluxDB/AWS IoT solution (production)
  4. Group these accounts into Organizational Units (OUs) based on their purpose. For example:

    • Internal Tools OU: Contains the label-studio account
    • Client Solutions OU: Contains both dev and prod accounts for the Grafana solution
  5. Within each account, create IAM users for each employee who needs access. Avoid using the root user for day-to-day operations.

  6. Implement IAM groups based on job functions or roles, such as:

    • DataScientists
    • Developers
    • Administrators
  7. Create IAM roles with appropriate permissions for each group. Assign users to groups, and then assign the corresponding roles to those groups.

  8. Use IAM policies to define fine-grained permissions for each role, following the principle of least privilege.

  9. Implement cross-account access using IAM roles. This allows employees to access resources in different accounts without needing separate credentials for each account.

  10. Use AWS Single Sign-On (SSO) to manage access across all your AWS accounts, making it easier for employees to switch between accounts as needed.

This approach provides a scalable and secure foundation for your AWS environment. It allows for proper isolation between applications and environments while still enabling collaboration among team members. As your company grows and adds more projects or employees, you can easily expand this structure by creating new accounts, OUs, or IAM entities as needed.

Remember to implement other best practices such as enabling multi-factor authentication (MFA) for all users, using strong password policies, and regularly reviewing and auditing access permissions.

Sources
7 Tips to Maximize Your New AWS Account for Small to Medium Businesses | AWS Cloud Operations Blog
Managing an organization with AWS Organizations - AWS Organizations
Organizing Your AWS Environment Using Multiple Accounts - Organizing Your AWS Environment Using Multiple Accounts
Community | AWS Cloud Account Fundamentals: Five Essential Best Practices for Managing Cloud Cost

answered a month ago
reviewed a month ago
  • Thank you so much for taking the time to write such a clear and detailed answer! It confirms what I had read here and there, but puts it in a more concise and step-by-step format.
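Steps 7 to 9 of the accepted answer (groups, roles, least-privilege policies, cross-account access) in concrete form, as an added example that is not part of the answer above: the trust policy placed on a role in a workload account, the matching AssumeRole permission attached to an IAM group in the identity account, and a small linter that flags the least-privilege mistakes those documents commonly contain. The account IDs and the role name are constructed placeholders.

```python
import json

IDENTITY_ACCOUNT = "111111111111"  # constructed: account holding the IAM users/groups
PROD_ACCOUNT = "222222222222"      # constructed: Grafana/InfluxDB/IoT production account


def trust_policy(trusted_account: str, require_mfa: bool = True) -> dict:
    """Trust policy for a role in a workload account: only principals from the
    identity account may assume it, and (by default) only with MFA present."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_role_policy(target_account: str, role_name: str) -> dict:
    """Permission policy for an IAM group in the identity account: members may
    assume exactly one named role in one workload account, nothing broader."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": f"arn:aws:iam::{target_account}:role/{role_name}",
    }]}


def lint_policy(policy: dict) -> list:
    """Return findings for wildcard actions/resources in Allow statements and
    for trust statements that do not require MFA. An empty list means clean."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if st.get("Resource") == "*":
            findings.append(f"statement {i}: wildcard resource")
        # A Principal element marks a trust (resource-based) statement.
        if "Principal" in st and "aws:MultiFactorAuthPresent" not in json.dumps(st.get("Condition", {})):
            findings.append(f"statement {i}: role can be assumed without MFA")
    return findings


if __name__ == "__main__":
    print(json.dumps(trust_policy(IDENTITY_ACCOUNT), indent=2))
    print(lint_policy(assume_role_policy(PROD_ACCOUNT, "DataScientists")))
```

Run `lint_policy` over every policy document before attaching it; a non-empty result is something to fix or to justify explicitly.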

1

AWS Security Reference Architecture : https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/welcome.html

Please consider segmentation between non-production and production workloads as well as between applications. While the ultimate best practice is to use separate AWS accounts since an AWS account provides resource boundaries, using separate subnets, IAM Roles/Users and resource tagging can be employed within a single account in order to create separation of duties and make it easier to audit. Tagging resources also lets you do detailed cost reporting.

AWS
answered a month ago
reviewed a month ago
  • Thanks for taking the time to reply Secur3Kat! I will read this article and take your advice into account. Cheers
