- Global service
- Allows to manage multiple AWS accounts
- The main account is the management account
- Other accounts are member accounts
- Member accounts can only be part of one organization
- Consolidated Billing across all accounts - single payment method
- Pricing benefits from aggregated usage (volume discount for EC2, S3…)
- Shared reserved instances and Savings Plans discounts across accounts
- API is available to automate AWS account creation
- Advantages
- Multi Account vs One Account Multi VPC
- Use tagging standards for billing purposes
- Enable CloudTrail on all accounts, send logs to central S3 account
- Send CloudWatch Logs to central logging account
- Establish Cross Account Roles for Admin purposes
- Security: Service Control Policies (SCP)
- IAM policies applied to OU or Accounts to restrict Users and Roles
- They do not apply to the management account (full admin power)
- Must have an explicit allow (does not allow anything by default – like IAM)
- Management Account
- Can do anything
- (no SCP apply)
- Account A
- Can do anything
- EXCEPT access Redshift (explicit Deny from OU)
- Account B
- Can do anything
- EXCEPT access Redshift (explicit Deny from Prod OU)
- EXCEPT access Lambda (explicit Deny from HR OU)
- Account C
- Can do anything
- EXCEPT access Redshift (explicit Deny from Prod OU)
- SCPs do not grant
ANYpermissions, they control theAVAILABLEpermissions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowsAllActions",
"Effect": "Allow",
"Action": "*",
"Resource": "*"
},
{
"Sid": "DenyDynamoDB",
"Effect": "Deny",
"Action": "dynamodb:*",
"Resource": "*"
}
]
}{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["ec2: *", "cloudwatch: *"],
"Resource": "*"
}
]
}- For billing purposes, the consolidated billing feature of AWS Organizations treats all the accounts in the organization as one account.
- This means that all accounts in the organization can receive the hourly cost benefit of Reserved Instances that are purchased by any other account.
- The payer account (master account) of an organization can turn off Reserved Instance (RI) discount and Savings Plans discount sharing for any accounts in that organization, including the payer account
- This means that RIs and Savings Plans discounts aren't shared between any accounts that have sharing turned off.
- To share an RI or Savings Plans discount with an account, both accounts must have sharing turned on.
- Use aws:PrincipalOrgID condition key in your resource-based policies to restrict access to IAM principals from accounts in an AWS Organization
- Helps you standardize tags across resources in an AWS Organization
- Ensure consistent tags, audit tagged resources, maintain proper resources categorization, …
- You define tag keys and their allowed values
- Helps with AWS Cost Allocation Tags and Attribute-based Access Control
- Prevent any non-compliant tagging operations on specified services and resources (has no effect on resources without tags)
- Generate a report that lists all tagged/non-compliant resources
- Use CloudWatch Events to monitor non-compliant tags
{
"tags": {
"costcenter": {
"tag_key": {
"@@assign": "CostCenter"
},
"tag_value": {
"@@assign": ["100", "200"]
},
"enforced_for": {
"@@assign": ["secretsmanager:*"]
}
}
}
}-
Easy way to set up and govern a secure and compliant multi-account AWS environment based on best practices
-
Benefits:
- Automate the set up of your environment in a few clicks
- Automate ongoing policy management using guardrails
- Detect policy violations and remediate them
- Monitor compliance through an interactive dashboard
-
AWS Control Tower runs on top of AWS Organizations:
- It automatically sets up AWS Organizations to organize accounts and implement SCPs (Service Control Policies)
-
Control Tower creates a well-architected multi- account baseline based on best practices
-
This is known as a landing zone
-
Guardrails are used for governance and compliance:
- Preventive guardrails are based on SCPs and disallow API actions
- Detective guardrails are implemented using AWS Config rules and Lambda functions and monitor and govern compliance
-
The root user in the management account can perform actions that guardrails would disallow
- Automates account provisioning and deployments
- Enables you to create pre-approved baselines and configuration options for AWS accounts in your organization (e.g., VPC default configuration, subnets, region, …)
- Uses AWS Service Catalog to provision new AWS accounts
- Guardrail
- Provides ongoing governance for your Control Tower environment (AWS Accounts)
- Preventive – using SCPs (e.g., Disallow Creation of Access Keys for the Root User)
- Detective – using AWS Config (e.g., Detect Whether MFA for the Root User is Enabled)
- Example: identify non-compliant resources (e.g., untagged resources)
- Mandatory
- Automatically enabled and enforced by AWS Control Tower
- Example: Disallow public Read access to the Log Archive account
- Strongly Recommended
- Based on AWS best practices (optional)
- Example: Enable encryption for EBS volumes attached to EC2 instances
- Elective
- Commonly used by enterprises (optional)
- Example: Disallow delete actions without MFA in S3 buckets