For large organizations, the best practice is to set up multiple AWS accounts to align ownership and decision making – each department can have its own AWS account.
The key advantage of using separate AWS accounts is that each AWS account has its own reported costs and its own security policies.
- Production environments are likely to have different access control policies from non-production environments
- A separate environment for experimentation with fewer restrictions than any production environment can speed up innovation
The AWS Organizations service implements AWS best practices for structuring a large organization’s AWS accounts.
Its key benefits are:
- Consolidated billing – using a single payment method for all accounts presents pricing benefits from aggregated usage, such as volume discounts for EC2 and S3
- Centralized management of Savings Plans and Reserved Instances
- Centralized application of audit and security policies to all accounts or groups of accounts
- Programmatic creation of new AWS accounts
- Sharing of resources in the organization
- Organization of AWS accounts in a hierarchy of Organizational Units that reflect your company’s structure
- Isolation of security or misconfiguration incidents to a particular account, and not the entire organization
- Limited visibility of workloads – AWS accounts are isolated from each other and have no access to each other’s resources unless explicitly granted
For large organizations running multiple AWS workloads within multiple business units, the best practices are these:
- For each specific application and each environment (PROD/DEV/TEST), create a separate AWS account
- Set up shared AWS accounts to provide internal services within a company
- Set up isolated recovery and audit accounts – for disaster recovery, the business can easily recover using duplicate AWS accounts
- An Organization is a collection of AWS accounts
- An Organizational Unit (OU) is a group of AWS accounts within an organization – an Organizational Unit can consist of other Organizational Units enabling creation of a hierarchy
- A Service Control Policy (SCP) is a policy attached to accounts or Organizational Units that explicitly allows only certain services and actions to be used in the affected accounts
- A Management Account is the AWS account used to create the organization
- A Member Account is an AWS account different from the Management Account that is a part of an Organization. A Member Account can belong to only one Organization.
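As an added example (not code from the original text), the following Python builds an allow-list SCP of the kind described above for a non-production OU and evaluates whether a given IAM action would pass it; the service list and the action names are constructed for illustration, and the evaluator models only Action/Effect statements (no NotAction or Condition elements).

```python
import fnmatch
import json


def build_allowlist_scp(services):
    """Build an allow-list SCP: only the listed services may be used in the
    affected accounts or OUs; every other service is implicitly denied.
    Note: an SCP only bounds permissions in member accounts. IAM policies
    inside the account must still grant the action for it to succeed."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowListedServicesOnly",
            "Effect": "Allow",
            "Action": [f"{svc}:*" for svc in sorted(services)],
            "Resource": "*",
        }],
    }


def _matches(patterns, action):
    # IAM action matching is case-insensitive and supports '*' wildcards.
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def scp_permits(policy, action):
    """Evaluate a single SCP against an action such as 'iam:CreateUser'.
    An explicit Deny always wins; otherwise the action passes only when
    some Allow statement matches it (the allow-list behaviour above)."""
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    allowed = False
    for stmt in statements:
        if _matches(stmt.get("Action", []), action):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed example: a sandbox OU limited to compute, storage and logging.
    sandbox_scp = build_allowlist_scp(["ec2", "s3", "cloudwatch", "logs"])
    print(json.dumps(sandbox_scp, indent=2))
    for act in ("ec2:RunInstances", "s3:GetObject", "iam:CreateUser"):
        print(f"{act}: {'permitted' if scp_permits(sandbox_scp, act) else 'blocked'}")
```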
To simplify building a multi-account environment that follows AWS best practices, AWS offers the AWS Control Tower service. This service automates the setup of a new landing zone with the recommended security policies, including:
- Creation of an AWS Organization and multi-account setup
- Setup of Identity and Access Management (IAM) with AWS Single Sign-On (SSO) and SSO account federation
- Centralized logging using AWS CloudTrail and AWS Config