By: Mike Meluso, JHC Technology Senior Cloud Engineer
As organizations expand their cloud footprint, many find themselves managing not one but dozens or hundreds of AWS accounts. A multi-account environment is even recommended by AWS to simplify chargeback, permissions control, and logical separation of resources. However, many organizations find managing cloud resources at this scale to be a challenge, since each account may have isolated access and settings. We’ll review some AWS-native tools and features to help you manage your growing cloud environment.
Before we discuss the tools, it is important to identify the group which will oversee all cloud operations. This group will help steer cloud adoption and consumption in the direction of organizational and industry best practices and compliance as well as ensure that guidelines and tools put in place are scalable to encourage large-scale adoption. JHC has helped organizations build out and mature their own Cloud Centers of Excellence (CCOE) and has delivered time-tested solutions to help drive governance and adoption in enterprise-scale multi-account AWS environments. These are some of the AWS-native tools in our utility belt.
• AWS Organizations – AWS Organizations is the cornerstone of multi-account management. AWS Organizations operates in two modes: billing-only mode, which lets you pool accounts into a single bill and benefit from volume discounts and reservation sharing, and full-access mode, which enables management of account permissions through service control policies and also enables tie-ins with other AWS services (enumerated below). JHC enables consolidated billing by default, has a dedicated billing team to help organizations take advantage of discount opportunities, and has helped organizations understand and activate full-access mode for a deeper level of multi-account control.
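To make the full-access mode point concrete, here is an added example (not JHC's or AWS's code) that composes a deny-list service control policy and evaluates sample requests against it with the SCP semantics AWS documents: a request is permitted only when some Allow statement matches and no Deny statement matches, so Deny always wins. The region list, the account actions and the request contexts are constructed inputs; the global-service exemption list is the usual set you must carve out of a region restriction, because IAM, Organizations and STS calls are not regional and would otherwise be denied along with everything else.

```python
"""Compose a guardrail SCP and evaluate requests against it.

Added example for this article; not code from JHC or AWS. The evaluator
implements only the subset of the policy language the SCP below uses
(Action/NotAction wildcards, StringEquals/StringNotEquals conditions).
"""
import fnmatch
import json

# Global (non-regional) services that a region restriction must exempt.
GLOBAL_SERVICE_ACTIONS = ["iam:*", "organizations:*", "sts:*", "support:*",
                          "cloudfront:*", "route53:*"]

# The default policy every account starts with; detaching it blocks everything.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def build_guardrail_scp(allowed_regions):
    """Return a deny-list SCP; allowed_regions is the caller's (constructed) choice."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Member accounts may not remove themselves from the organization.
                "Sid": "DenyLeavingOrganization",
                "Effect": "Deny",
                "Action": ["organizations:LeaveOrganization"],
                "Resource": "*",
            },
            {   # Protect the audit trail that Config rules and CloudTrail depend on.
                "Sid": "DenyDisablingAuditServices",
                "Effect": "Deny",
                "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                           "config:StopConfigurationRecorder",
                           "config:DeleteConfigurationRecorder"],
                "Resource": "*",
            },
            {   # Deny regional services outside the approved regions; NotAction
                # keeps the global services usable.
                "Sid": "DenyUnapprovedRegions",
                "Effect": "Deny",
                "NotAction": GLOBAL_SERVICE_ACTIONS,
                "Resource": "*",
                "Condition": {"StringNotEquals": {"aws:RequestedRegion": allowed_regions}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(statement, action):
    """Action names are matched case-insensitively with '*' wildcards."""
    if "Action" in statement:
        patterns = _as_list(statement["Action"])
        return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)
    # NotAction: the statement applies to every action NOT in the list.
    patterns = _as_list(statement["NotAction"])
    return not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _conditions_hold(statement, context):
    """Simplification: a missing context key counts as 'not equal', so a
    StringNotEquals condition holds (and the Deny applies) when the key is absent."""
    for operator, pairs in statement.get("Condition", {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringNotEquals" and actual in _as_list(expected):
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise ValueError("operator %s not supported by this example" % operator)
    return True


def scp_allows(policies, action, context):
    """True only if an Allow statement matches and no Deny statement matches."""
    allowed = denied = False
    for policy in policies:
        for st in policy["Statement"]:
            if _action_matches(st, action) and _conditions_hold(st, context):
                if st["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied


if __name__ == "__main__":
    scp = build_guardrail_scp(["us-east-1", "us-west-2"])
    print(json.dumps(scp, indent=2))
    policies = [FULL_AWS_ACCESS, scp]
    for action, region in [("ec2:RunInstances", "us-east-1"),
                           ("ec2:RunInstances", "eu-west-1"),
                           ("iam:CreateRole", "eu-west-1"),
                           ("organizations:LeaveOrganization", "us-east-1")]:
        verdict = scp_allows(policies, action, {"aws:RequestedRegion": region})
        print("%-35s %-10s -> %s" % (action, region, "allowed" if verdict else "DENIED"))
```

Two points the run makes visible: the same `ec2:RunInstances` call is allowed in an approved region and denied elsewhere, while `iam:CreateRole` stays allowed in any region because of the NotAction exemption; and evaluating with only the guardrail policy, without FullAWSAccess, denies everything, which is exactly what happens in a real organization when the default policy is detached from an OU.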
• AWS Single Sign-On (SSO) – AWS SSO provides a managed solution to federate your existing identities with AWS. AWS SSO seamlessly scales to multiple accounts while providing fine-grained access control from a single dashboard. AWS SSO itself is free, though nominal charges may apply for the infrastructure you configure to connect your identity provider to AWS. AWS SSO requires AWS Organizations full-access mode and can only be administered from the master account of an organization. Whether you are using AWS SSO or a custom or third-party integration, JHC recommends federated access to AWS, as it dramatically increases the security of your cloud operations while simultaneously streamlining permissions management.
• AWS Config Rules – Many organizations already use AWS Config rules to continuously monitor the state of their infrastructure and measure it against defined “good” states. In multi-account environments, you can aggregate results from multiple accounts into a single dashboard, arming your auditors and security resources with a one-stop shop for infrastructure compliance evaluations. Check out more details of the feature in our AWS Config Aggregation launch post. Aggregation can use AWS Organizations full-access mode from the master account or account-level authorization, making the feature available in a variety of account configurations.
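As an added example (not JHC's or AWS's code) of what the aggregated view buys an auditor, the block below summarizes a constructed batch of cross-account Config rule results, listing the non-compliant accounts per rule and, just as importantly, flagging member accounts that delivered no results at all. The record shape is modeled on the fields the aggregator returns (rule name, account, region, compliance type), but the data is made up, and the expected account list stands in for the organization's member list.

```python
"""Summarize aggregated AWS Config compliance results across accounts.

Added example for this article; not JHC's or AWS's code. Records are
constructed to resemble what an aggregator reports; they are not real data.
"""
from collections import defaultdict

# Constructed sample: rule results as reported for several accounts/regions.
SAMPLE_RESULTS = [
    {"ConfigRuleName": "s3-bucket-public-read-prohibited", "AccountId": "111111111111",
     "AwsRegion": "us-east-1", "ComplianceType": "COMPLIANT"},
    {"ConfigRuleName": "s3-bucket-public-read-prohibited", "AccountId": "222222222222",
     "AwsRegion": "us-east-1", "ComplianceType": "NON_COMPLIANT"},
    {"ConfigRuleName": "cloudtrail-enabled", "AccountId": "111111111111",
     "AwsRegion": "us-east-1", "ComplianceType": "COMPLIANT"},
    {"ConfigRuleName": "cloudtrail-enabled", "AccountId": "222222222222",
     "AwsRegion": "us-west-2", "ComplianceType": "NON_COMPLIANT"},
    {"ConfigRuleName": "cloudtrail-enabled", "AccountId": "222222222222",
     "AwsRegion": "us-east-1", "ComplianceType": "NON_COMPLIANT"},
]

# Constructed stand-in for the organization's member account list.
EXPECTED_ACCOUNTS = ["111111111111", "222222222222", "333333333333"]


def summarize(results, expected_accounts):
    """Return per-rule non-compliant accounts and the accounts that never reported.

    An account with zero rows is a blind spot, not a pass: the aggregator only
    sees accounts that are in the organization (full-access mode) or that
    authorized the aggregator account explicitly.
    """
    noncompliant = defaultdict(set)
    reporting = set()
    for row in results:
        reporting.add(row["AccountId"])
        if row["ComplianceType"] == "NON_COMPLIANT":
            noncompliant[row["ConfigRuleName"]].add(row["AccountId"])
    silent = sorted(set(expected_accounts) - reporting)
    return {
        "noncompliant_by_rule": {rule: sorted(accts) for rule, accts in noncompliant.items()},
        "accounts_not_reporting": silent,
    }


def worst_rule(summary):
    """Name the rule failing in the most accounts, or None if everything passes."""
    by_rule = summary["noncompliant_by_rule"]
    if not by_rule:
        return None
    return max(by_rule, key=lambda rule: len(by_rule[rule]))


if __name__ == "__main__":
    report = summarize(SAMPLE_RESULTS, EXPECTED_ACCOUNTS)
    for rule, accounts in report["noncompliant_by_rule"].items():
        print("%-40s NON_COMPLIANT in %s" % (rule, ", ".join(accounts)))
    print("accounts not reporting:", report["accounts_not_reporting"] or "none")
    print("worst rule:", worst_rule(report))
```

Note that the summary deduplicates per account, so an account failing the same rule in two regions counts once at the account level; drop the set if you need per-region detail for remediation.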
• AWS CloudFormation StackSets – Managing AWS resources using infrastructure as code techniques is a repeatable process that secures access to resources and enables a high degree of control over resources for their entire lifecycle. StackSets allows you to deploy and manage CloudFormation templates across multiple environments from a single dashboard. StackSets authenticates across accounts using highly secure AWS service roles which eliminate the need to provision and rotate access keys per-account. JHC has delivered StackSet-based solutions for organizations managing multiple accounts to empower the organization’s CCOE to push important updates to permissions and network configurations in a streamlined way. JHC also has a proven DevOps solution for integrating StackSets into a CI/CD pipeline for automated testing and fine-grained change management.
• AWS Service Catalog – An under-utilized service, Service Catalog is a powerful service that allows individual accounts to launch assigned products using a simple dashboard and requiring zero code on the consumer’s behalf. Service Catalog enables a number of use cases from turbo-charging adoption through making push-button deployments of products available to providing mechanisms to provide escalated permissions in a highly-controlled and self-service way. Service Catalog products are defined using CloudFormation and JHC has delivered a continuous delivery process for these products that scales with your multi-account environment.
• AWS Firewall Manager – Firewall Manager simplifies the process of deploying AWS Web Application Firewall (WAF) rules to multiple accounts from a single dashboard. Firewall Manager requires activation of AWS Organizations full-access mode and administration from the master account.
Utilization of these services can be instrumental in enabling your Cloud Center of Excellence team to manage multiple AWS accounts securely and effectively. Whether you choose to use these tools or build/buy your own, the most important considerations are identifying your CCOE, staffing it with resources who are well-versed in cloud design and security considerations and empowering them to drive adoption and governance at cloud velocity. JHC has worked with organizations of all sizes across industries to build out the processes and tools to effectively deliver cloud. Whether you’re an early cloud adopter or just getting started, we’d be happy to share our experience and help you deliver at the speed and scale of the cloud.