AWS User group Braunschweig - Multi account setup

A talk from the AWS user group Braunschweig, Germany. A short overview of why using multiple AWS accounts has a lot of advantages: a better overview of workloads, simplified billing and far better control over the security side of things.

Nico Schilling

May 08, 2019
Transcript

  1. Three main reasons… A suitable multi-account setup is the base for every Cloud foundation. And there are good reasons for it: Overview, Billing, Security.
  2. Overview
     • An AWS account as a resource container for just one product and one stage
     • „AWS Organizations“ can put multiple AWS accounts into an overall container – our organization
     • Grouping of AWS accounts in organizational units
     • One view and you know which applications are in your Cloud environment
  3. Overview - how to set up?
     • Divide between business accounts and foundation accounts
     • Business accounts
       • Per stage
       • Per product
       • Shared (code, pipelining)
     • Foundation accounts
       • Backup
       • Audit data (CloudTrail, FlowLogs, ALB access logs…)
  4. Overview – example structure
     [Diagram] AWS Organizations → organizational units → AWS accounts:
     • myexample.com (organization)
       • Shared
       • Customer portal: Dev, Test, Prod
       • Foundation: Audit, User, Backup
  5. (Consolidated) Billing
     Easier than tags
     • Tag usage needs a concept (which tags, which data)
     • Not every resource is taggable / not taggable at creation
     • Not everybody does it
     Easier invoices / cost allocation
     • The spend of each AWS account is listed by default
     • Easier handling in accounting processes like invoice approval
     • Billing can be handled with a centrally configured payment method
  6. Security
     To have a secure Cloud foundation is the most fundamental aspect of everything you do in the cloud. But there are many possibilities on the way to break this security.
     Compliant service usage
     • Limit the usage of specific AWS services which are not compliant with certain frameworks (CIS, PCI, HIPAA)
     Separation of workloads
     • Separation of audit and backup data into restricted accounts
     • Reducing the blast radius
     • Prevent unintended resource sharing / configuration
     Easier IAM handling
     • Separation of duties by using predefined roles
     • Securing the configuration of audit services
     • Central user handling in one account
  7. Security – Compliant service usage
     If your company or a specific product is part of any regulation (PCI, HIPAA…), you can not use every AWS service.
     ⇒ Service Control Policies deny the usage of services for a complete AWS account.
  8. Security – Easier IAM handling
     • More control with predefined roles and segregation of duties
       • User manager
       • Network administrator
       • Backup administrator
       • Auditor
     • Prevent roles from configuring essential audit or backup services
     • Minimizes misconfiguration
     • Centralized user handling
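The following is an added example, not a slide from the talk and not code from the speaker: it models how a Service Control Policy (slide 7) denies services for a complete AWS account regardless of what IAM allows, and how the same SCP can stop any role from reconfiguring the audit trail (slide 8). The policy documents, the service allowlist and the two identity policies are constructed for this example, and the evaluator is a simplified model of AWS policy evaluation (Effect, Action/NotAction and wildcards only; no Resource, Condition or permission-boundary handling).

```python
"""Added example, not from the talk: an allowlist-style Service Control Policy
(SCP) for a regulated organizational unit, plus a simplified evaluator that
shows the SCP overriding an account-level administrator policy.
Policy documents and the service list are constructed for this example."""
import fnmatch
import json

# Constructed allowlist for a hypothetical regulated ("PCI-style") OU.
COMPLIANT_SERVICES = ["ec2", "rds", "s3", "kms", "iam", "sts", "logs", "cloudtrail"]


def build_compliance_scp(allowed_services):
    """Allow everything, then explicitly deny every action whose service is
    not on the allowlist, and deny changes to the audit trail itself.
    An SCP attached to an OU applies to every principal in every member
    account of that OU, including each account's root user."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowBaseline", "Effect": "Allow",
             "Action": "*", "Resource": "*"},
            {"Sid": "DenyNonCompliantServices", "Effect": "Deny",
             "NotAction": [f"{svc}:*" for svc in allowed_services],
             "Resource": "*"},
            {"Sid": "ProtectAuditTrail", "Effect": "Deny",
             "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                        "cloudtrail:UpdateTrail"],
             "Resource": "*"},
        ],
    }


# Constructed identity policies inside a member account.
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DEVELOPER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "logs:*"], "Resource": "*"}]}


def _matches(patterns, action):
    """Case-insensitive IAM-style wildcard match of one action against
    patterns such as 'ec2:*' or '*'."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def statement_applies(stmt, action):
    """A statement applies when its Action matches, or its NotAction does not."""
    if "Action" in stmt:
        return _matches(stmt["Action"], action)
    if "NotAction" in stmt:
        return not _matches(stmt["NotAction"], action)
    return False


def evaluate(policy, action):
    """'Deny' if any applicable statement denies, 'Allow' if one allows,
    otherwise 'ImplicitDeny'. An explicit deny always wins."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not statement_applies(stmt, action):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def effective_decision(scps, identity_policies, action):
    """Simplified: every SCP level (root, OU, account) must allow the action,
    and the identity policies must allow it too; otherwise it is denied."""
    for scp in scps:
        if evaluate(scp, action) != "Allow":
            return "Deny"
    results = [evaluate(p, action) for p in identity_policies]
    if "Deny" in results or "Allow" not in results:
        return "Deny"
    return "Allow"


if __name__ == "__main__":
    scp = build_compliance_scp(COMPLIANT_SERVICES)
    print(json.dumps(scp, indent=2))
    # sagemaker is simply a service that is not on the constructed allowlist
    for action in ["ec2:RunInstances", "sagemaker:CreateNotebookInstance",
                   "cloudtrail:StopLogging"]:
        print(f"{action:36} admin -> "
              f"{effective_decision([scp], [ADMIN_POLICY], action)}")
```

The point to notice is that `ADMIN_POLICY` allows `*`, yet an action outside the allowlist or one of the protected CloudTrail calls is still denied: the SCP sets the outer boundary and an account administrator cannot widen it from inside the account. The developer policy shows the other direction, where the SCP allows EC2 but the identity policy does not.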
  9. Security – Easier IAM handling
     [Diagram] Users Dave (with developer role) and Andreas (with admin role) log in to the central User account and use AssumeRole to reach the other accounts. Roles shown per account: Customer Portal dev (Dev, Admin), Customer Portal prod (Admin), Audit (Audit).
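The following is an added example, not a slide from the talk and not the speaker's code: it models the AssumeRole setup from slide 9, where users exist only in the central User account and reach the workload accounts through roles. Account IDs, user names, role names and both policy documents are constructed for this example. The check is a simplified model of STS AssumeRole authorization: the caller's identity policy must allow `sts:AssumeRole` on the role, and the role's trust policy must name the caller or the caller's account as principal; the only condition modelled is `aws:MultiFactorAuthPresent`.

```python
"""Added example, not from the talk: central identity account plus
cross-account roles, with a simplified AssumeRole authorization check.
All account IDs, users, roles and policies are constructed."""
import fnmatch

IDENTITY_ACCOUNT = "111111111111"            # foundation "User" account
ACCOUNTS = {"customer-portal-dev": "222222222222",
            "customer-portal-prod": "333333333333",
            "audit": "444444444444"}


def role_arn(account_name, role_name):
    return f"arn:aws:iam::{ACCOUNTS[account_name]}:role/{role_name}"


def user_arn(user_name):
    return f"arn:aws:iam::{IDENTITY_ACCOUNT}:user/{user_name}"


def trust_policy(trusted_account, require_mfa=True):
    """Trust policy of a role in a workload account. Trusting the identity
    account's root delegates the who-may-assume decision to IAM policies in
    that account; the MFA condition is enforced at AssumeRole time."""
    stmt = {"Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole"}
    if require_mfa:
        stmt["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def assume_role_policy(role_arns):
    """Identity policy in the User account: the only permission a person
    needs there is to assume specific roles elsewhere."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arns}]}


# Roles per workload account (constructed, following the slide's diagram).
ROLES = {
    ("customer-portal-dev", "Developer"): trust_policy(IDENTITY_ACCOUNT),
    ("customer-portal-dev", "Admin"): trust_policy(IDENTITY_ACCOUNT),
    ("customer-portal-prod", "Admin"): trust_policy(IDENTITY_ACCOUNT),
    ("audit", "Audit"): trust_policy(IDENTITY_ACCOUNT),
}
# Users in the identity account and the roles each may assume (constructed).
USERS = {
    "dave": assume_role_policy([role_arn("customer-portal-dev", "Developer")]),
    "andreas": assume_role_policy([role_arn("customer-portal-dev", "Admin"),
                                   role_arn("customer-portal-prod", "Admin"),
                                   role_arn("audit", "Audit")]),
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def identity_allows(policy, action, resource):
    """Does the caller's own policy allow `action` on `resource`?"""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow" and action in _as_list(stmt["Action"]) and \
           any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            return True
    return False


def trust_allows(policy, caller_arn, mfa_present):
    """Does the role's trust policy accept this caller under these conditions?"""
    caller_account = caller_arn.split(":")[4]
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        principals = _as_list(stmt["Principal"]["AWS"])
        if caller_arn not in principals and \
           f"arn:aws:iam::{caller_account}:root" not in principals:
            continue
        mfa_required = stmt.get("Condition", {}).get("Bool", {}) \
                           .get("aws:MultiFactorAuthPresent") == "true"
        if mfa_required and not mfa_present:
            continue
        return True
    return False


def can_assume(user_name, account_name, role_name, mfa_present=True):
    """Both sides must agree: the user's policy and the role's trust policy."""
    if (account_name, role_name) not in ROLES:
        return False
    target = role_arn(account_name, role_name)
    return identity_allows(USERS[user_name], "sts:AssumeRole", target) and \
        trust_allows(ROLES[(account_name, role_name)], user_arn(user_name), mfa_present)


def access_matrix(mfa_present=True):
    """Which account/role pairs each user can reach: the review artefact an
    auditor would ask for."""
    return {user: [f"{acct}/{role}" for (acct, role) in ROLES
                   if can_assume(user, acct, role, mfa_present)]
            for user in USERS}


if __name__ == "__main__":
    for user, reachable in access_matrix().items():
        print(user, "->", ", ".join(reachable))
```

Because every role trusts the whole identity account, adding a person to production is a change to one policy in the User account rather than a new IAM user in each workload account, which is exactly the "centralized user handling" the slides argue for; the `access_matrix()` output is what to review when someone leaves or changes teams.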
  10. Security – Separation of workloads
     [Diagram, same structure as slide 4] AWS Organizations → organizational units → AWS accounts:
     • myexample.com (organization)
       • Shared
       • Customer portal: Dev, Test, Prod
       • Foundation: Audit, User, Backup
  11. Examples of single account usage
     Let's look at the startup “Code Spaces”: They had everything in place… audit, backup in different regions, a cool solution. Got hacked, everything was lost… ⇒ Complete shutdown of the company.
     Image: www.flickr.com/photos/shanerielly/4163903111/in/photostream/lightbox/