Monolithic accounts considered harmful

Ben Whaley
September 12, 2018

On the benefits of the AWS multi-account strategy, presented at AWS Community Day Bay Area 2018 at the Computer History Museum in Santa Clara.


  1. VPCs, peering connections, and security groups proliferate. IAM policies grow like vines through the ashes of good intentions. An EC2 Classic node huddles in a corner of us-west-1, weeping.
  2. An acrid haze blurs the billing statement. Mysterious and unexpected costs are incurred in unfamiliar regions. Administrators, architects, and security-minded do-gooders watch helplessly as the account smolders in ruin.
  3. Bask in the warm light of AWS Organizations
     - Compartmentalization limits blast radius
     - Federated cross-account access with single sign-on/IdP
     - Enforce security baselines
     - Per account cost attribution
  4. Identity account strategy [diagram; labels: Identity Account, SAML authentication via IdP, AWS Console, API access, AssumeRole, Production, Development, Command & Control, VPC Peering]
  5. Account creation
     1. CreateAccount() - Creates an AWS account (asynchronously) that is automatically a member of the organization whose credentials made the request. { "Email": "[email protected]", "AccountName": "Production Account" }
     2. DescribeCreateAccountStatus() - Retrieves the current status of an asynchronous request to create an account.
     3. AssumeRole(OrganizationAccountAccessRole) - Assume permissions in the new account.
     4. Run CloudFormation templates to create standardized roles, complete trusted advisor steps, configure CloudTrail, etc.
     5. Set up MFA and root password
     6. Add alternate contacts
  6. [Diagram; labels: C&C, Development, Production; management us-west-2, management eu-west-1; Dev us-west-2, Staging us-west-2, Prod us-west-2; Dev eu-west-1, Staging eu-west-1, Prod eu-west-1]
  7. Tips & Tools
     1. Firefox Multi-Account Container + AWS Extend Switch Roles add-ons
     2. github.com/Versent/saml2aws for temporary API credentials
     3. github.com/cloudtools/stacker for consistent cross-account roles, network configuration
     4. Use Lambda to export CloudWatch logs
     5. Build and share AMIs centrally
     6. Cross-account CloudWatch metrics
  8. Challenges and limitations
     1. Complexity and account sprawl
     2. No cross-region security group ID references
     3. Avoiding IP range clashes
     4. Limitations of Service Control Policies
     5. One hour expiration for credentials obtained via role chaining
     6. Tools and services still catching up with multi-account support
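
The first three account-creation steps on slide 5 (CreateAccount, polling DescribeCreateAccountStatus, then AssumeRole into OrganizationAccountAccessRole), written out as an added example that is not code from the deck. It assumes boto3 clients created with the organization's management-account credentials and the standard `aws` partition; the function name, session name, timeout values and e-mail address are hypothetical.

```python
import time

ROLE_NAME = "OrganizationAccountAccessRole"  # role named on slide 5


class AccountCreationError(RuntimeError):
    """Raised when the asynchronous CreateAccount request fails or times out."""


def create_member_account(org, sts, email, account_name,
                          poll_seconds=10, timeout_seconds=600, sleep=time.sleep):
    """Create a member account, wait for it, then assume the access role in it.

    org / sts are boto3 "organizations" and "sts" clients (assumption: they use
    management-account credentials). Returns (account_id, temporary_credentials).
    """
    # Step 1: CreateAccount is asynchronous and only returns a request handle.
    status = org.create_account(Email=email, AccountName=account_name,
                                RoleName=ROLE_NAME)["CreateAccountStatus"]
    waited = 0
    # Step 2: poll DescribeCreateAccountStatus until a terminal state is reached.
    while status["State"] == "IN_PROGRESS":
        if waited >= timeout_seconds:
            raise AccountCreationError(f"timed out waiting for request {status['Id']}")
        sleep(poll_seconds)
        waited += poll_seconds
        status = org.describe_create_account_status(
            CreateAccountRequestId=status["Id"])["CreateAccountStatus"]
    if status["State"] != "SUCCEEDED":
        # A FAILED request carries a FailureReason, e.g. EMAIL_ALREADY_EXISTS.
        raise AccountCreationError(status.get("FailureReason", "UNKNOWN"))
    account_id = status["AccountId"]
    # Step 3: assume the role in the new account with the shortest allowed
    # session (900 s), since it is only needed to run the baseline templates.
    creds = sts.assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/{ROLE_NAME}",
        RoleSessionName="account-bootstrap",  # hypothetical session name
        DurationSeconds=900,
    )["Credentials"]
    return account_id, creds


if __name__ == "__main__":
    import boto3  # imported here so the function can be exercised with stub clients
    acct, creds = create_member_account(
        boto3.client("organizations"), boto3.client("sts"),
        "aws-prod@example.com",  # placeholder address, not from the deck
        "Production Account")
    print(acct, creds["Expiration"])
```

The returned credentials are what the CloudFormation baseline in step 4 would run under; the remaining steps (MFA, root password, alternate contacts) are not covered here.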