Good news for Amazon AWS Administrators: AWS Organizations has emerged from preview and into general availability. This feature gives administrators control of multiple AWS accounts.
What are AWS Organizations?
If you've been an AWS administrator for quite a long time, you know that management may involve more than one account. Maybe you have several for your organization. Maybe you have several for your clients. Maybe you're simply slow to adopt AWS and instead opt to do it incrementally across the enterprise with several teams doing it before the rest follow suit. Or maybe more grow under your portfolio through an acquisition or two or ten. Or maybe many different accounts are maintained separately for compliance requirements -- which means different accounts for development versus testing versus your production environment.
The problem is, that's a massive pain in the ass. Yeah, we've said it. It's not scalable, difficult to deal with, and is a headache. AWS Organizations answers this question by giving administrators the way to define access control policies that can be applied easily to all, some, or singular accounts. AWS Organizations also gives you the ability to manage billings separately while taking advantage of AWS pricing benefits.
What AWS Organizations lets you do
Using Organizations lets you centrally manage multiple AWS accounts with the ability to create a hierarchy of Organizational Units (OUs) and assign each account to an OU. Policies can be defined and applied to either the entire hierarchy, select organizational units, or specific accounts. AWS accounts can be invited to join your organization but you can create new accounts under a single organization at any time.
You can create an organization from the console. This is a consolidated set of AWS accounts that are managed by an administrator or set of administrators. Organizations can apply Service Control Policies (SCP) that are applied to the Organizational Unit (container for a set of AWS accounts) and OUs beneath it in the hierarchy.
Amazon recommends that Master Accounts, which act as the management hub for the organization (and also are responsible for paying), are kept free of operational AWS resources so that you can better understand your bill. The only exception to this rule would be using CloudTrail in the Master Account to centrally track AWS usage in Member accounts.
AWS also recommends that policies for OUs should have as few privileges as possible, which would help avoid breaking anything.
Similarly, OUs should be assigned policies (and not accounts). This ensures a better mapping between your organizational structure and level of AWS access needed.
Before you scale up, you should test new and modified policies on a single account.
APIs and AWS CloudFormation templates can be used to ensure that newly created accounts are configured as desired. The template helps create IAM users, roles, and policies, as well as logging and VPCs.
For more on AWS Organizations, read all about it here.
Photo Credit: Shutterstock, Amazon