Does managing a ton of AWS accounts seem like a Herculean task? The good news is that AWS offers several techniques and tools that make managing multiple accounts easier.
AWS Organizations
AWS Organizations is a service that helps platform teams manage a multi-account ecosystem— in terms of creation, grouping, and entitlement aspects. With AWS Organizations, you can build a multi-tiered structure of organisational units to manage base-level permissions, called Service Control Policies (SCPs), to ensure that only specific services or actions can be performed within an AWS account. A typical structure of an AWS organisation is shown in the following figure.
Essentially, AWS Organizations provide the following benefits and features:
- Consolidated Billing: All subordinate accounts under the root (or master) account receive consolidated billing, along with detailed reports to track actual expenses per account.
- Flexibility in Account Membership: AWS accounts can join or leave an AWS Organization. This is useful when business structures change or specific projects or departments are acquired by other companies.
- Potential Cost Savings: Summing up costs across member accounts can lead to volume discounts. For instance, consider costs related to outbound data transfer or S3 storage, which occur in almost every account. Additionally, cost optimisation extends to using Reserved Instances (RIs) and Saving Plans across member accounts.
- Seamless Integration of Services: Many AWS services, such as AWS Firewall Manager and AWS CloudTrail, can be effectively integrated with AWS Organizations, providing a unified view for audits and security-related activities.
AWS Organizations is not a must-have for every multiple account scenario. If you are in the position where an AWS partner is performing your AWS invoice management as part of your managed services agreement, many of the day-to-day challenges with multiple account invoicing may already be taken care of, making AWS Organizations a less important requirement from an invoicing perspective.
Recommended Starting Organisation
In this example, the organisation's management account utilises AWS Single Sign-On (AWS SSO) to provide unified access to AWS accounts within your organisation for your employees.
The "Security" Organisational Unit (OU) includes an account named "log-archive," acting as a central repository for log data within the organisation. Security, audit, and compliance teams can utilise this account for analysis purposes. The "security-tooling" account is dedicated to managing security tools.
A separate "Workloads" OU contains both production and testing accounts.
Conclusion
Our advice is to start small and expand your AWS Organization as needed. Don't try to cover every special case right from the beginning.
Avoid using your existing AWS account as the root account if it already contains workloads. Instead, begin with a fresh account free of any legacy baggage. You can still add your old account as a member of the new organisation.
If you're uncertain or need a second opinion to validate your multi-account strategy, reach out to our Professional Services team. They will expertly guide you on your journey to establishing a solid cloud foundation. While it's not a walk in the park, as the saying goes, your company will greatly benefit from applying a bit of effort to establish a well-defined multi-account strategy.
Have your AWS account structure checked by our experts
We will answer all your questions about optimising your AWS accounts and take a joint look at potential cost savings and improvement opportunities. The 30-minute conversations are conducted remotely by our certified AWS experts.