Setting up a secure, scalable, and resilient multi-account AWS environment

Enterprises using AWS Control Tower frequently ask for advice on how to configure their AWS environment and accounts to achieve the best results. To assist them in making the best use of AWS resources, including your AWS Control Tower landing zone, AWS has developed a unified set of recommendations known as the multi-account strategy. AWS Control Tower acts as an orchestration layer that works with other AWS services to help implement the AWS multi-account recommendations for AWS accounts and AWS Organizations. After the landing zone is established, AWS Control Tower continues to help in maintaining the corporate policies and security practices across multiple accounts and workloads.

AWS provides natural security, access, and billing boundaries for AWS resources, as well as resource independence and isolation. By default, users outside of the account do not have access to these resources. While users can start with a single AWS account, AWS recommends multiple accounts as the workloads grow in size and complexity.

This recommendation comes in the light of benefits such as:

• Enterprises can assign AWS accounts to different teams, projects, or products within their organization
• Using multiple accounts makes it easier to allocate an organization’s AWS costs by determining which product or service line is responsible for an AWS charge
• Used to isolate workloads or applications that have specific security requirements or must adhere to strict compliance guidelines such as HIPAA or PCI
• Easily organize multiple AWS accounts to best reflect the diverse needs of their company’s business processes

Best practices for configuring your AWS multi-account environment

AWS best practices for a well-architected multi-account environment recommend that you should separate your resources and workloads into multiple AWS accounts.

The basis of a well-architected multi-account AWS environment is AWS Organizations, an AWS service that enables you to centrally manage and govern multiple accounts.

AWS Organizations provides the underlying infrastructure and capabilities to build and manage multi-account environments and above 90% of enterprise customers have multiple accounts and use Organizations, AWS Organization best practices helps you to have:

• Centrally provision accounts and resources
• Secure and audit your environment for compliance
• Share resources and control access to accounts, regions, and services
• Optimize costs and simplify billing
• Secure and audit environment for compliance (Tight security boundaries )

As a best practice for AWS mutli-account environment we recommend you get familiar with a few terms OU and SCP.

An organizational unit (OU) is a logical grouping of accounts in the organization that enterprises can create with AWS Organizations. OUs allow arranging of accounts into a hierarchy and easier application of management controls. The policies of AWS Organizations are what enterprises use to implement such controls.

Service Control Policy (SCP) is a policy that defines the AWS service actions that accounts such as Amazon EC2 run instance can perform.

Always consider what account groupings or OUs you should create. Your OUs should be based on function or common set of controls instead of mirroring your company’s reporting structure. We and AWS recommends that you start with security and infrastructure in mind. We recommend creating a set of foundational OUs for these specific functions:

• Infrastructure: Used for shared infrastructure services such as networking and IT services. Create accounts for each type of infrastructure service you require.
• Security: Used for security services. Create accounts for log archives, security read-only access, security tooling, and break-glass.

Best practice to securely launch multi-account environments

• Create a security organizational unit
  • Organizational units (or OUs) are containers for a group of accounts
  • Create a security OU using the management account
  • Create nested OUs for Beta and Prod accounts
• Enable security services for the AWS organization

Activate Security Services for the AWS Organization which activates the services all accounts

• Amazon GuradDuty
• Amazon Macie
• IAM Access Analyzer
• AWS Firewall Manager
• AWS Config and many more

• Delegate administration for security services
• Enable audit trails
• Deploy resources across multiple accounts
  • Create an AWS CloudFormation template for the role
  • Enable trusted access for StackSets
  • Deploy AWS CloudFormation template from the management account
• Enforce controls with Organizations policies
  • Implement granular controls over backup – Backup policies
  • Maintain tag consistency – Tag Policies
  • Control how your data is used with Artificial Intelligent (AI) Services – AI Services opt-out policies.
  • Centrally control the maximum available permissions for your AWS accounts – Service Control policies (SCP)
  • Enable trusted access for StackSets
  • Deploy AWS CloudFormation template from the management account

• Manage access, share resources
  • Provide access to accounts and resources and customize permissions based on separate job roles – AWS Single Sign-On
  • Share resources securely at scale and reduce duplicate resources – AWS Resource Access Manager

• AWS