Use case:
- Business has to manage multiple AWS Accounts for its tenants and different environments.
- These include Dev, QA, staging and production.
Solution:
- A centralised control system.
- Includes permissions, policies and authentication.
- The system must enable the business to handle all the associated accounts from the management account.
- Use of AWS services such as AWS Organizations, AWS Control Tower and SCPs.
AWS Organizations:
AWS Organizations is an essential AWS service designed to streamline the consolidation of multiple AWS accounts under a centralized organization. It provides account management and consolidated billing features, empowering administrators to efficiently handle budgetary, security, and compliance requirements. Organization administrators can create new accounts within the organization and extend invitations to existing accounts for seamless integration.
Step 1 involves establishing your organization, where your current AWS account becomes the management account. You extend an invitation to one AWS account to join your organization, while creating a second account as a member account.
In Step 2, you create two organizational units (OUs) within your organization and allocate the member accounts to these units.
In Step 3, you can restrict the actions that account administrators are able to delegate to users and roles in member accounts by using service control policies (SCPs). During this step, you create two SCPs and attach them to the OUs in your organization.
Lastly, Step 4 entails testing the policies of your organization. You can log in as users from each of the test accounts and observe the impact that the SCPs have on these accounts. It’s worth noting that none of the steps in this tutorial result in costs being incurred on your AWS bill, as AWS Organizations is provided as a complimentary service.
The following features are offered by AWS Organizations:
- Streamlined management of all your AWS accounts
- Unified billing across all member accounts
- Organized hierarchical structure for your accounts
- Policies for centralized control over AWS services
- Policies for centralized control over API actions accessible to each account
- Policies to standardize tags across your organization’s resources
- Policies regulating data collection and storage by AWS AI and machine learning services
- Policies enabling automatic backups for organization resources
- Seamless integration and support for AWS Identity and Access Management (IAM)
- Integration capabilities with various AWS services
- Universal access across the organization
- Eventually consistent data replication
AWS Control Tower:
AWS Control Tower simplifies multi-account setup and management by extending AWS Organizations capabilities. It enforces best practices through guardrails, preventing deviations and ensuring compliance across accounts. With its preventive and detective controls, Control Tower enhances security and operational efficiency, streamlining management processes. It offers centralized governance and standardized account provisioning, ensuring consistent adherence to security standards and policies.
Step 1: To begin setting up your landing zone in AWS Control Tower, first sign in to the AWS management console using your administrator user credentials. Then, navigate to the AWS Control Tower console.
Step 2: Ensure that you are in the desired home Region before proceeding. Once confirmed, select “Set up landing zone” to initiate the setup process.
Step 3: Follow the step-by-step instructions provided in the console, making sure to accept all default values. You will be prompted to enter essential information, including your account email address, a log archive account, and an audit account.
Step 4: After confirming your selections, proceed by choosing “Set up landing zone.” Note that AWS Control Tower typically takes approximately 30 minutes to set up all the necessary resources in your landing zone.
Follow each step carefully and verify that the setup has completed successfully before proceeding with further configuration or operations within your AWS environment.
Service Control Policies
Service Control Policies (SCPs) are a type of organization policy that enables centralized permission management across your AWS organization. An SCP defines the maximum permissions available to the accounts it applies to, which makes it a way to enforce access control guidelines consistently.
SCPs are available only in organizations with all features enabled; they are not available in organizations that have enabled only the consolidated billing features. To enable SCPs, refer to the instructions in the “Enabling and Disabling Policy Types” documentation.
It’s important to note that SCPs alone do not grant any permissions to the accounts in an organization. Instead, they act as guardrails that limit the actions that account administrators can delegate to IAM users and roles. Administrators must still attach identity-based or resource-based policies to IAM users, roles, or resources within each account for permissions to take effect. The effective permissions are the logical intersection of what the SCP allows and what the IAM identity-based and resource-based policies allow.
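To make the two points above concrete (SCPs attached to OUs in Step 3 of the Organizations walkthrough, and the "logical intersection" rule for effective permissions), here is an added worked example that is not part of the original post and not AWS code. It models a small organization with a root, two OUs and two member accounts, attaches SCPs at each level, and evaluates sample API actions against a developer's IAM policy. The account ids, OU names and policy documents are constructed for illustration; the evaluator is a teaching model of the documented rules (explicit Deny wins, every level of the root-to-account path must allow the action, then the result is intersected with IAM), not the real AWS authorization engine.

```python
"""Simplified model of how SCPs on the root -> OU -> account path combine with
an IAM identity-based policy. All ids, names and documents are constructed."""
from fnmatch import fnmatchcase

# Constructed SCP documents. FullAWSAccess mirrors the managed SCP that AWS
# attaches by default; the Deny policies are deny-list style guardrails and
# S3_ONLY is an allow-list style SCP (no FullAWSAccess alongside it).
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_LEAVE_ORG = {"Statement": [{"Effect": "Deny", "Action": "organizations:LeaveOrganization", "Resource": "*"}]}
PROTECT_AUDIT_TRAIL = {"Statement": [{"Effect": "Deny",
                                      "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
                                      "Resource": "*"}]}
S3_ONLY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

# Constructed hierarchy: which SCPs are attached at the root, each OU and each account.
ROOT_SCPS = [FULL_AWS_ACCESS]
OU_SCPS = {
    "Dev": [FULL_AWS_ACCESS, DENY_LEAVE_ORG, PROTECT_AUDIT_TRAIL],
    "Sandbox": [S3_ONLY],
}
ACCOUNT_OU = {"111111111111": "Dev", "222222222222": "Sandbox"}
ACCOUNT_SCPS = {"111111111111": [FULL_AWS_ACCESS], "222222222222": [FULL_AWS_ACCESS]}

# Constructed IAM identity-based policy attached to a developer user in a member account.
DEVELOPER_IAM_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*", "cloudtrail:*"], "Resource": "*"}]}


def _actions(statement):
    """Normalise the Action element, which may be a string or a list."""
    acts = statement["Action"]
    return [acts] if isinstance(acts, str) else list(acts)


def _matches(pattern, action):
    """AWS action names are case-insensitive; '*' and '?' are wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def evaluate_policies(policies, action):
    """Evaluate one set of policy documents for an action.
    True only if some statement allows it and no statement denies it
    (an explicit Deny always wins over any Allow)."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if any(_matches(p, action) for p in _actions(stmt)):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


def scp_allows(account_id, action):
    """Every level on the inheritance path (root, OU, account) must allow the action."""
    path = [ROOT_SCPS, OU_SCPS[ACCOUNT_OU[account_id]], ACCOUNT_SCPS[account_id]]
    return all(evaluate_policies(level, action) for level in path)


def effective_allow(account_id, iam_policy, action):
    """Effective permission = intersection of what the SCPs allow and what IAM allows."""
    return scp_allows(account_id, action) and evaluate_policies([iam_policy], action)


if __name__ == "__main__":
    actions = ["s3:GetObject", "cloudtrail:StopLogging", "organizations:LeaveOrganization",
               "ec2:DescribeInstances", "ec2:RunInstances"]
    for acct in ACCOUNT_OU:
        for action in actions:
            print(f"{acct} ({ACCOUNT_OU[acct]:7}) {action:34} "
                  f"scp={scp_allows(acct, action)!s:5} "
                  f"effective={effective_allow(acct, DEVELOPER_IAM_POLICY, action)}")
```

Running the block shows the three cases a practitioner should recognise: in the Dev account, `cloudtrail:StopLogging` is denied by the OU guardrail even though the IAM policy grants `cloudtrail:*`; `ec2:RunInstances` is permitted by every SCP but still denied because no IAM policy allows it; and in the Sandbox account, whose OU carries only an allow-list SCP for S3, `ec2:DescribeInstances` is denied although IAM allows it. Two caveats the model leaves out: SCPs never restrict the management account itself, so the guardrails only protect member accounts; and the real authorization engine also evaluates resource-based policies, permissions boundaries, session policies and `Condition` elements, none of which are modelled here.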
In conclusion, AWS provides a robust suite of services tailored to meet the complex needs of organizations managing multi-account environments. AWS Organizations, AWS Control Tower, and Service Control Policies (SCPs) offer streamlined account management, centralized governance, and enhanced security measures. With hierarchical structures, standardized policies, and integrated controls, organizations can effectively manage permissions, enforce compliance, and optimize resource utilization across their AWS infrastructure. By leveraging these services, organizations can achieve greater operational efficiency, maintain regulatory compliance, and drive innovation while scaling their AWS environments to meet evolving business requirements. AWS continues to empower organizations with the tools and capabilities needed to move forward in the cloud environment.