Okay, you got me! This is not the only AWS multi-account architecture, but it is one of the best I have come across in my years of professional experience. It is not a one-size-fits-all solution, but it should cover the account organization needs of the majority of medium to large enterprises in AWS.
Before getting started
For small organizations or small dev/test setups, a single AWS account will most likely do just fine. Before you get started, take a minute to read this: https://cloudly.engineer/2019/wait-dont-create-your-aws-account-yet/aws/.
You’ll have to think about the size of your team (people), timeline, budgets and team experience. At the same time, I would always recommend creating at least 3-4 accounts, assuming you have 3 environments (dev, test and production). The fourth account would be the payer account, which is your master account. This fourth AWS account will also host your AWS Organizations service. Do enable the standard IAM account settings, enable CloudTrail logs and the other basic security services. Do not run any other services in this account!
AWS Multi-Account architecture
Here’s what the diagram for this architecture could look like.
Why Multiple AWS accounts?
- Cost separation for budgets and reporting purposes
- Billing can easily be consolidated across accounts!
- Bypass AWS service hard quota limitations
- Fault tolerance: an incident in one account has a smaller blast radius
- Governance / different sets of permissions per account
- Different teams and contracts
- Code pipelines and much more.
AWS Organizations comes with another key component besides consolidated payment: Service Control Policies (SCPs). SCPs are service-level permission boundaries applied to accounts; they are not user permissions at all. From the master account you can block or explicitly allow services for its child accounts, or for any single child account directly, and even block certain regions or certain EC2 (Elastic Compute Cloud) instance types. Everyone should block the high performance compute (HPC) instance types before getting started! Otherwise an accidental launch of HPC instances can cost you thousands in just a few hours.
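Here is what such a guardrail looks like written as an SCP. This is an added example, not a policy from the original post: the instance-type patterns (the real `hpc*` family plus two GPU families as placeholders) and the two allowed regions are assumptions chosen for illustration, and the NotAction list exempts a handful of global services so the region deny cannot lock you out of IAM, billing or Organizations itself. Attach it to the organizational unit that holds the dev, test and production accounts, never to the master account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyExpensiveInstanceTypes",
      "Effect": "Deny",
      "Action": ["ec2:RunInstances"],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringLike": {
          "ec2:InstanceType": ["hpc*", "p4*", "p5*"]
        }
      }
    },
    {
      "Sid": "DenyRegionsOutsideAllowList",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "support:*",
        "budgets:*",
        "cloudfront:*",
        "route53:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["us-east-1", "us-west-2"]
        }
      }
    }
  ]
}
```

Because an SCP deny wins over any IAM allow inside the child account, even an account administrator cannot launch the blocked instance types or work outside the allowed regions; the master account itself is never restricted by SCPs, which is one more reason to keep workloads out of it.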
The easiest way to manage your users at the beginning is to create all of them in a single account. In the model above, I would create them in prod, or possibly in a fifth security account. Create your users, groups, permissions, MFA, etc. in that account. Then create roles in the other accounts and use role switching. I believe the AWS docs are missing a lot of key components for making role switching as secure as possible, so I’ll be writing about this in detail in the future; subscribe to the emails to get notified.
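As an added example (not from the original post), this is the trust policy on a role living in the dev account. The identity account ID 111111111111 is a placeholder: the policy delegates to that account’s IAM, so only users and groups that the identity account has explicitly allowed to call sts:AssumeRole can switch into this role, and only when they authenticated with MFA.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRoleSwitchFromIdentityAccountWithMfa",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
```

On the identity-account side, the group policy grants sts:AssumeRole on the role’s ARN (for example arn:aws:iam::222222222222:role/DevAdminRole, with 222222222222 as the placeholder dev account ID) and carries the same aws:MultiFactorAuthPresent condition, so MFA is enforced at both ends and every switch is recorded as an AssumeRole event in the dev account’s CloudTrail.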
The master account will host all your billing information: the breakdown of costs per account and much more. Do set your billing alerts here only! As of the time of this writing I wouldn’t recommend using the Amazon CloudWatch billing alarm; I recommend using the AWS Budgets feature only! Why? Because the billing metric value differs from the AWS Budgets value: AWS Budgets tracks the total cost, while the CloudWatch metric covers only AWS services and misses any AWS Marketplace charges.
I do have to warn you that multi-account does come with more responsibility: you have to keep all resources such as IAM permissions, roles, security groups, etc. synced across accounts. I’ll be writing about how to do this easily and for free in the future.
Subscribe! I’ll be posting about how to create accounts with the AWS CLI and how to manage all accounts with Python!
As always if you see any errors, mistakes, have suggestions or questions please comment below. Don’t forget to like, share, and subscribe for more! 🙂