Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Monolithic accounts considered harmful

41412a40b6ba18ba3e82a887a4f2e0de?s=47 Ben Whaley
September 12, 2018

Monolithic accounts considered harmful

On the benefits of the AWS multi-account strategy, presented at AWS Community Day Bay Area 2018 at the Computer History Museum in Santa Clara.


Ben Whaley

September 12, 2018

More Decks by Ben Whaley

Other Decks in Technology


  1. jordangrimmer.artstation.com Monolithic accounts considered harmful Ben Whaley @iAmTheWhaley AWS Community

    Day Bay Area
  2. The monolithic account looms, threatening the security, manageability, and scalability

    of entire organizations
  3. VPCs, peering connections, and security groups proliferate IAM policies grow

    like vines through the ashes of good intentions An EC2 Classic node huddles in a corner of us-west-1, weeping
  4. An acrid haze blurs the billing statement. Mysterious and unexpected

    costs are incurred in unfamiliar regions Administrators, architects, and security minded do-gooders watch helplessly as the account smolders in ruin
  5. Fortunately, the multi-account security strategy offers a better way

  6. Bask in the warm light of AWS Organizations Compartmentalization limits

    blast radius Federated cross-account access with single sign-on/IdP Enforce security baselines Per account cost attribution
  7. Identity account strategy VPC Peering Production Identity Account SAML authentication

    via IdP AWS Console, API access Command & Control Development VPC Peering AssumeRole
  8. Account creation 1. CreateAccount() - Creates an AWS account (asynchronously)

    that is automatically a member of the organization whose credentials made the request. { "Email": "anaya@example.com", "AccountName": "Production Account" } 2. DescribeCreateAccountStatus() - Retrieves the current status of an asynchronous request to create an account. 3. AssumeRole(OrganizationAccountAccessRole) - Assume permissions in the new account. 4. Run CloudFormation templates to create standardized roles, complete trusted advisor steps, configure CloudTrail, etc 5. Set up MFA and root password 6. Add alternate contacts
  9. management eu-west-1 Dev us-west-2 Staging us-west-2 Prod

    us-west-2 Dev eu-west-1 Staging eu-west-1 Prod eu-west-1 C&C Development Production management us-west-2
  10. Tips & Tools 1. Firefox Multi-Account Container + AWS Extend

    Switch Roles add-ons 2. github.com/Versent/saml2aws for temporary API credentials 3. github.com/cloudtools/stacker for consistent cross-account roles, network configuration 4. Use Lambda to export CloudWatch logs 5. Build and share AMIs centrally 6. Cross-account CloudWatch metrics
  11. Demo

  12. Challenges and limitations 1. Complexity and account sprawl 2. No

    cross-region security group ID references 3. Avoiding IP range clashes 4. Limitations of Service Control Policies 5. One hour expiration for credentials obtained via role chaining 6. Tools and services still catching up with multi-account support
  13. Ben Whaley @iAmTheWhaley Thanks for listening