Why level up to AWS Organizations and Why not stick to AWS Account

0

What is the advantage of AWS organization management over the account management ? Why take the leap****

Every Company has users and resources they interact with. End of the day - management of these users and resources (allowing the intended and blocking the un-intended usage) is the purpose of our job. Answer is to use an account level strategy or organizational level strategy.

In AWS , few years back , focus was on securing an account and VPCs did the separation for production, development and testing stages. [Please understand Separate VPC is as good as a separate datacenter ]. Now idea is promoted that practically each developer or team will have an account and the department will work as an OU and Enterprise will run as a AWS organization - handling this multi account strategy. So along comes SCPs (at the end of the day they are DENY rules). Control Tower and Landing Zone. But the same things can be run on account level.

*Are we Securing the blast radius by limiting to an account ? incase of an account compromise ? *I do not agree as firstly when your running a multi-account system similar cross account access are also in place which needs to be secure along with the basic level account security management. Also top-managing account in organization can be compromised . In fact the attack surface largely increasing onto an other level. Causes difficulties to visibility and monitoring - ( Guard Duty can be enabled for multi accounts and Cloud Trails Aggregator can be used )- but it is getting complicated.

Secondly, anyways one has to keep the account secure also. Clear demarcation is possible and good environment can be provided with VPC , Conditional statements , tagging. In case of merger there can be cross account access enabled with external ID.

**I am not here to challenge but I want to gain an understanding in why the shift was undertaken. Also any resources in this regard will be great help. Even a comment might help. ****** **

2 Answers
2

As you mentioned, limiting the security scope (blast radius as you call it) is a driving factor for many customers to use multiple accounts. Customers commonly separate production, sandbox, staging etc. into separate accounts. Large organizations often separate business units into separate accounts too for billing and security. Access management is simplified in a multi-account scenario as you only allow access by need instead of having to be extremely diligent about policy rights to various resources in a single account. Also, some regulatory requirements mandate separate accounts for production and development. There are also account quotas that larger customers would bump up against if using a single account.

AWS
answered 2 months ago
profile picture
AWS
EXPERT
reviewed 2 months ago
  • "Also, some regulatory requirements mandate separate accounts for production and development." what ??? " There are also account quotas that larger customers would bump up against if using a single account" ?? Like What - may be more specified

1

AWS Organization allows customers to consolidate billing for multiple AWS accounts and optionally manage those accounts centrally. There are many tasks that customers has to perform to ensure the baseline e.g. security guardrail, is implemented correctly. Many customers are asking for AWS guidance to help them ensure their AWS environments meet those requirements. The AWS Well-Architected Management and Governance Cloud Environment Guide (M&G Guide) provides clear guidance for customer to follow. Beyond AWS Organization, M&G Guide it introduce AWS Control Tower to provision a landing zone embedded with controls. You may want to look at the guide at: https://docs.aws.amazon.com/wellarchitected/latest/management-and-governance-guide/management-and-governance-cloud-environment-guide.html

AWS
answered 2 months ago
profile picture
AWS
EXPERT
Tasio
reviewed 2 months ago
  • Question is not why or How to use AWS Organization ? But why at all to have multi-accounts in first place, if required functions can be achieved in a single account itself

  • For example, if a large company was using a single account and they had many Lambda functions they could easily run into the maximum number of concurrent Lambda executions. Splitting that across multiple accounts allows for a higher aggregate limit.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions