Slide 1

Monolithic accounts considered harmful
Ben Whaley @iAmTheWhaley
AWS Community Day Bay Area
jordangrimmer.artstation.com

Slide 2

The monolithic account looms, threatening the security, manageability, and scalability of entire organizations

Slide 3

VPCs, peering connections, and security groups proliferate
IAM policies grow like vines through the ashes of good intentions
An EC2 Classic node huddles in a corner of us-west-1, weeping

Slide 4

An acrid haze blurs the billing statement. Mysterious and unexpected costs are incurred in unfamiliar regions.
Administrators, architects, and security-minded do-gooders watch helplessly as the account smolders in ruin.

Slide 5

Fortunately, the multi-account security strategy offers a better way

Slide 6

Bask in the warm light of AWS Organizations
1. Compartmentalization limits blast radius
2. Federated cross-account access with single sign-on/IdP
3. Enforce security baselines
4. Per-account cost attribution

Slide 7

Identity account strategy (diagram)
Identity Account: SAML authentication via IdP; AWS Console and API access
AssumeRole from the Identity Account into the Command & Control, Development, and Production accounts
VPC Peering between accounts

Slide 8

Account creation
1. CreateAccount() - Creates an AWS account (asynchronously) that is automatically a member of the organization whose credentials made the request.
   {
     "Email": "anaya@example.com",
     "AccountName": "Production Account"
   }
2. DescribeCreateAccountStatus() - Retrieves the current status of an asynchronous request to create an account.
3. AssumeRole(OrganizationAccountAccessRole) - Assume permissions in the new account.
4. Run CloudFormation templates to create standardized roles, complete Trusted Advisor steps, configure CloudTrail, etc.
5. Set up MFA and root password
6. Add alternate contacts
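Steps 1 to 3 of the procedure above as a small Python function, added here as an example and not code from the talk. It is written against the boto3 Organizations and STS client methods (create_account, describe_create_account_status, assume_role); the clients are passed in as parameters so the polling and failure handling can be exercised without AWS access, and the role session name, poll interval and timeout are assumptions.

```python
import time

# Default role that CreateAccount provisions in every new member account
ORG_ACCESS_ROLE = "OrganizationAccountAccessRole"


def wait_for_account(org, request_id, poll_seconds=5.0, timeout=600.0, sleep=time.sleep):
    """Poll DescribeCreateAccountStatus until the async request finishes.

    Returns the CreateAccountStatus dict on SUCCEEDED; raises on FAILED
    (surfacing the API's FailureReason) or when the timeout is exceeded.
    """
    deadline = time.monotonic() + timeout
    while True:
        status = org.describe_create_account_status(
            CreateAccountRequestId=request_id
        )["CreateAccountStatus"]
        state = status["State"]
        if state == "SUCCEEDED":
            return status
        if state == "FAILED":
            raise RuntimeError(
                f"CreateAccount {request_id} failed: {status.get('FailureReason')}"
            )
        if time.monotonic() >= deadline:
            raise TimeoutError(f"CreateAccount {request_id} still {state} after {timeout}s")
        sleep(poll_seconds)


def create_member_account(org, sts, email, account_name, **wait_kwargs):
    """CreateAccount, wait for it to finish, then AssumeRole into the new account.

    org: boto3 Organizations client; sts: boto3 STS client (both injected).
    Returns (account_id, temporary credentials for OrganizationAccountAccessRole).
    """
    request = org.create_account(Email=email, AccountName=account_name)
    request_id = request["CreateAccountStatus"]["Id"]
    status = wait_for_account(org, request_id, **wait_kwargs)
    account_id = status["AccountId"]
    role_arn = f"arn:aws:iam::{account_id}:role/{ORG_ACCESS_ROLE}"
    # Session name is an assumption; choose one that is easy to spot in CloudTrail
    assumed = sts.assume_role(RoleArn=role_arn, RoleSessionName="account-bootstrap")
    return account_id, assumed["Credentials"]


if __name__ == "__main__":
    import boto3  # real use: run with credentials from the organization's master account

    account_id, _ = create_member_account(boto3.client("organizations"), boto3.client("sts"),
                                          "anaya@example.com", "Production Account")
    print(account_id)
```

The returned credentials are what step 4 would use to run the baseline CloudFormation templates in the new account.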

Slide 9

Network address plan (diagram): one /16 per account per region, grouped into Command & Control, Development, and Production
management  us-west-2  172.20.0.0/16
management  eu-west-1  10.20.0.0/16
Dev         us-west-2  172.21.0.0/16
Dev         eu-west-1  10.21.0.0/16
Staging     us-west-2  172.22.0.0/16
Staging     eu-west-1  10.22.0.0/16
Prod        us-west-2  172.23.0.0/16
Prod        eu-west-1  10.23.0.0/16

Slide 10

Tips & Tools
1. Firefox Multi-Account Container + AWS Extend Switch Roles add-ons
2. github.com/Versent/saml2aws for temporary API credentials
3. github.com/cloudtools/stacker for consistent cross-account roles, network configuration
4. Use Lambda to export CloudWatch logs
5. Build and share AMIs centrally
6. Cross-account CloudWatch metrics

Slide 11

Demo

Slide 12

Challenges and limitations
1. Complexity and account sprawl
2. No cross-region security group ID references
3. Avoiding IP range clashes
4. Limitations of Service Control Policies
5. One-hour expiration for credentials obtained via role chaining
6. Tools and services still catching up with multi-account support

Slide 13

Ben Whaley @iAmTheWhaley
Thanks for listening