How to manage a multi AWS account infrastructure

Presentation at the AWS User Group Munich Meetup October 2016

WHY would I want a multi account setup?
HOW have we implemented this?
WHICH pitfalls did we experience?
WHICH tools do we use?

Andreas Sieferlinger

October 17, 2016

Transcript

  1. Unterföhring, 17.10.2016
    Andreas Sieferlinger
    HOW TO MANAGE
    A MULTI AWS ACCOUNT
    INFRASTRUCTURE
    A short introduction: Why, how and dodging bullets
    Munich AWS User Group

  2. INTRO
    Andreas Sieferlinger
    glomex – A company of ProSiebenSat.1 Media SE
    Team OPS tasks:
    • base architecture
    • AWS base setup
    • tools and frameworks for teams
    • AWS consulting for internal teams

  3. AGENDA
    WHY would I want a multi account setup?
    HOW have we implemented this?
    WHICH pitfalls did we experience?
    WHICH tools do we use?

  4. WHY?
    - AWS recommendation (depending on your setup)
    - separate billing
    - fine-grained access control / security
    - mimic organization setup
    - separate stages / environments
    => minimize blast radius

  5. WHY A SINGLE ACCOUNT IS BAD
    - account limits / capacity planning
    - API rate limits
    - complicated access control for certain resources (EC2)
    - complicated deprovisioning of complete products

  6. ACCOUNT STRUCTURE
    Total number of accounts: 21
    - product N: one account per environment (dev, qa, stage, prod), each
      holding a role that is entered via assume role from the management account
    - logging: CloudTrail logging, very restrictive access
    - management: IAM, billing, 2FA enforced, user sync to FreeIPA
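The mechanics behind the "assume role" arrows on that slide, as an added example that is not code from the talk or from glomex's kiso tooling (Python, standard library only): the trust policy a product-account role needs so that it can only be assumed from the management account by an MFA-authenticated session, the matching sts:AssumeRole grant for the management side, the ~/.aws/config profiles that make the AWS CLI chain through that role with a token prompt, and a check that flags trust policies missing the MFA condition. The account IDs, the OpsAdmin role name, the region and the MFA device ARN are made-up values.

```python
"""
Cross-account access wired the way the account structure slide describes:
IAM users exist only in the management account, MFA is enforced there, and
each product/environment account exposes a role that is assumed from it.

Added example for this page; not glomex's "kiso" tooling or any code from
the talk. Account IDs, the role name, the MFA device ARN and the region are
made-up values.
"""
import configparser
import io
import json

MANAGEMENT_ACCOUNT = "111111111111"          # assumed management account ID
PRODUCT_ACCOUNTS = {                         # assumed: product N, one account per environment
    "dev": "222222222222",
    "qa": "333333333333",
    "stage": "444444444444",
    "prod": "555555555555",
}
ROLE_NAME = "OpsAdmin"                       # assumed name of the role in each product account
REGION = "eu-central-1"                      # assumed


def trust_policy(management_account: str, require_mfa: bool = True) -> dict:
    """Trust policy of the role inside a product account.

    Only principals of the management account may assume it, and only from a
    session that was authenticated with MFA: STS sets the condition key
    aws:MultiFactorAuthPresent for MFA-backed sessions, so the Bool condition
    rejects plain access-key callers even if they hold sts:AssumeRole.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{management_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_role_policy(product_accounts: dict, role_name: str) -> dict:
    """Permission policy for an ops group in the management account: it may
    assume exactly the named role in each product account, nothing wider."""
    arns = [f"arn:aws:iam::{acct}:role/{role_name}" for acct in product_accounts.values()]
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": arns}],
    }


def cli_config(product_accounts: dict, role_name: str, mfa_serial: str,
               source_profile: str = "management", region: str = REGION) -> str:
    """Render an ~/.aws/config with one role-assuming profile per environment.

    `mfa_serial` on a profile makes the AWS CLI ask for the token code when it
    assumes the role, which is what the trust policy above requires; without
    it the AssumeRole call is denied by the Bool condition."""
    cfg = configparser.ConfigParser()
    cfg[f"profile {source_profile}"] = {"region": region}
    for env, acct in product_accounts.items():
        cfg[f"profile {env}"] = {
            "role_arn": f"arn:aws:iam::{acct}:role/{role_name}",
            "source_profile": source_profile,
            "mfa_serial": mfa_serial,
            "region": region,
        }
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


def allows_assume_without_mfa(policy: dict) -> bool:
    """Audit check for a trust policy: True if any Allow statement grants
    sts:AssumeRole without requiring aws:MultiFactorAuthPresent."""
    for st in policy.get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        flag = st.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent", "")
        if str(flag).lower() != "true":
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(trust_policy(MANAGEMENT_ACCOUNT), indent=2))
    print(json.dumps(assume_role_policy(PRODUCT_ACCOUNTS, ROLE_NAME), indent=2))
    print(cli_config(PRODUCT_ACCOUNTS, ROLE_NAME,
                     f"arn:aws:iam::{MANAGEMENT_ACCOUNT}:mfa/alice"))
```

The management profile needs long-lived keys in ~/.aws/credentials; `aws --profile prod ...` then prompts for the MFA code and calls AssumeRole. This chain works for the CLI and for SDKs that honour role profiles; tools that only read static keys are the gap the PAIN slide names, which is what aws-mfa bridges.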

  7. NETWORK STRUCTURE (WITHIN A SINGLE REGION)
    - infra VPC: VPN to the corporate DCs and employees
    - product N: one VPC per environment (dev, qa, stage, prod), each a /22
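Added example, not from the talk: a small address planner in Python (standard library only) that hands out the /22 blocks shown above from one supernet, keeps them clear of the corporate ranges behind the VPN, and checks the result for overlaps. Overlapping VPCs cannot be peered and ambiguous routes are a silent way to send product traffic to the wrong account, which is part of why routing "gets out of hand" once the account count grows. The supernet, the corporate DC range and the product names are assumed values.

```python
"""
Address planning for the network structure slide: one /22 VPC per
product/environment account, carved from a company supernet so that the VPCs,
the infra VPC and the corporate ranges behind the VPN never overlap.

Added example for this page, not tooling from the talk; the supernet, the
corporate DC range and the product names are assumed values.
"""
import ipaddress

ENVIRONMENTS = ("dev", "qa", "stage", "prod")
COMPANY_SUPERNET = "10.0.0.0/14"             # assumed: AWS side of the address plan
CORPORATE_RANGES = ["10.0.0.0/16"]           # assumed: corporate DCs reachable over the VPN


def allocate_vpcs(supernet, products, environments=ENVIRONMENTS, prefix=22, reserved=()):
    """Assign one /<prefix> block per (product, environment) in order, skipping
    blocks that overlap a reserved range. Returns {(product, env): IPv4Network}
    and raises ValueError when the supernet runs out, instead of silently
    reusing a block."""
    net = ipaddress.ip_network(supernet)
    reserved = [ipaddress.ip_network(r) for r in reserved]
    free = (b for b in net.subnets(new_prefix=prefix)
            if not any(b.overlaps(r) for r in reserved))
    plan = {}
    for product in products:
        for env in environments:
            try:
                plan[(product, env)] = next(free)
            except StopIteration:
                raise ValueError(f"{supernet} exhausted at {product}/{env}") from None
    return plan


def overlapping_pairs(networks):
    """Return all pairs of names whose networks overlap. An empty result means
    every VPC can be peered with every other one and with the infra VPC, and
    routes towards the corporate ranges are unambiguous."""
    items = [(name, ipaddress.ip_network(str(n))) for name, n in networks.items()]
    bad = []
    for i, (name_a, net_a) in enumerate(items):
        for name_b, net_b in items[i + 1:]:
            if net_a.overlaps(net_b):
                bad.append((name_a, name_b))
    return bad


if __name__ == "__main__":
    plan = allocate_vpcs(COMPANY_SUPERNET, ["vvs", "player"], reserved=CORPORATE_RANGES)
    for (product, env), net in plan.items():
        print(f"{product}-{env}: {net}")
    # Check the plan together with the corporate range the VPN brings in.
    everything = {f"{p}-{e}": n for (p, e), n in plan.items()}
    everything["corporate"] = CORPORATE_RANGES[0]
    print("overlaps:", overlapping_pairs(everything) or "none")
```

Run it once per region; the same plan must not be reused in a second region if the VPCs there are ever peered or routed through the infra VPC.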

  8. PAIN
    - Tool support for cross-account access is meh…
      - kinesis agent (since 16.09.2016, IAM roles are supported!)
      - many tools do not (easily) support profiles / roles -> aws-mfa
      - cli with many accounts and MFA will slow you down
    - AWS support for cross account access could be better ...
      - public VPC security groups
      - complex trust relationships
      - S3 buckets with 3+ account relationships

  9. DNS ZONE DELEGATION
    - DNS zone separation
    - cross account DNS for corporate domain too complicated -> complex DNS
    - many SSL certificates required (ACM not available for all services)
    Delegation chain: glomex.cloud -> vvs.glomex.cloud -> dev.vvs.glomex.cloud, qa.vvs.glomex.cloud, stage.vvs.glomex.cloud, prod.vvs.glomex.cloud
    Naming: hostname.dev.vvs.glomex.cloud; wildcards *.dev.vvs.glomex.cloud, *.prod.vvs.glomex.cloud

  10. PAIN 2
    - complex networking setup
      - peering / routing easily gets out of hand
      - try to keep it simple!
    - No single point of view over all accounts/metrics/monitoring with AWS services/tools
      - tools like Datadog and Security Monkey help
    - Costs and effort may multiply per account (config rules, support, VPN connections, management, SSL certs).
      About $70 per account in our environment
    - User support and education more demanding
    - Everything solved or found feasible workarounds!

  11. EDUCATE YOUR USERS
    Request from developer: "We extended the instance base policy, but cannot enable it, please roll out for all"
    Users are unaware of potential problems they create. Educate!
    {
      "Effect": "Allow",
      "Action": "autoscaling:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "elasticloadbalancing:*",
      "Resource": "*"
    }
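An added example, not glomex's own tooling, that shows why the request above should not simply be rolled out: a policy lint in Python (standard library only) that flags Allow statements combining a service wildcard with Resource "*", run over the slide's two statements wrapped in a complete policy document and over a constructed scoped-down version. Any instance carrying the developer's extension could resize or delete every auto scaling group and load balancer in the account, so one compromised instance has the whole account as blast radius. The account ID, region and ASG name pattern in the scoped-down policy are made up.

```python
"""
Lint for instance policies such as the developer's extension above, which
grants autoscaling:* and elasticloadbalancing:* on every resource.

Added example for this page, not glomex's kiso/gcdt tooling. The first policy
is the slide's two statements wrapped in a full document; the scoped-down
variant, its account ID, region and ASG name pattern are constructed.
"""
import json

# Constructed: the two statements from the slide as a complete policy document.
DEVELOPER_EXTENSION = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "autoscaling:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "elasticloadbalancing:*", "Resource": "*"}
  ]
}
""")

# Constructed: the same request scoped to what one product needs in its own
# account. Describe* calls have no resource-level permissions, so "*" is
# unavoidable there but harmless.
SCOPED_DOWN = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["autoscaling:DescribeAutoScalingGroups",
                    "autoscaling:SetDesiredCapacity"],
         "Resource": "arn:aws:autoscaling:eu-central-1:222222222222:"
                     "autoScalingGroup:*:autoScalingGroupName/vvs-*"},
        {"Effect": "Allow",
         "Action": "elasticloadbalancing:DescribeLoadBalancers",
         "Resource": "*"},
    ],
}

READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy):
    """Return (statement index, finding, offending values) for each Allow
    statement that is broader than a product's instance role should be."""
    findings = []
    for idx, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st or "NotResource" in st:
            findings.append((idx, "NotAction/NotResource grants everything not listed",
                             _as_list(st.get("NotAction")) + _as_list(st.get("NotResource"))))
            continue
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        # "*" and "service:*" are wildcard actions; "s3:Get*" is not, but it is
        # still checked below for being mutating.
        wildcard_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        all_resources = "*" in resources
        mutating = [a for a in actions
                    if a not in wildcard_actions
                    and not a.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES)]
        if wildcard_actions and all_resources:
            findings.append((idx, "wildcard action on all resources", wildcard_actions))
        elif wildcard_actions:
            findings.append((idx, "wildcard action", wildcard_actions))
        elif all_resources and mutating:
            findings.append((idx, "mutating action on all resources", mutating))
    return findings


if __name__ == "__main__":
    for name, pol in (("developer extension", DEVELOPER_EXTENSION),
                      ("scoped down", SCOPED_DOWN)):
        print(name + ":", lint_policy(pol) or "clean")
```

A check like this fits in front of whatever rolls base policies out to all accounts, so a request that fails it goes back to the developer with the finding instead of being applied everywhere.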

  12. TOOLS
    - FreeIPA is source of authentication
    - FreeIPA to AWS IAM sync tool (no SAML)
    - FreeIPA SSH key user management on instances
    - aws-mfa
    - Account / environment detection on instances to avoid bad things
    - Security Monkey
    - Datadog
    - Base setup tool "kiso": manages all accounts
      - (CloudFormation / troposphere + config + tooling)
      - Account creation automation (about 80%)
    - custom application rollout tools: glomex cloud deployment tools (gcdt)
      - Kumo (CloudFormation)
      - Tenkai (CodeDeploy)
      - Yugen (API Gateway)
      - Ramuda (Lambda)

  13. LINKS
    When to use AWS Multi Account Setups: https://aws.amazon.com/de/answers/account-management/aws-multi-account-security-strategy
    S3 configuration for use with 3 accounts: http://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example4.html
    aws-mfa tool: https://github.com/broamski/aws-mfa
    Security Monkey: https://github.com/Netflix/security_monkey
    Slides: https://speakerdeck.com/andreassieferlinger
    glomex techblog: coming soon

  14. Unterföhring, 17.10.2016
    Andreas Sieferlinger
    Q & A
    Short questions regarding the presentation
    More time after the talk!

  15. Unterföhring, 17.10.2016
    Andreas Sieferlinger
    THANK YOU.
    I'll be available for your questions after the talk.