
Technology, Jun 09, 2021

AWS Cloud Governance Part 2: Centralized Account Management and Organization Controls

Tim Davis

Centralized account management and organizational controls are two fundamental challenges IT professionals have faced over the years whether operating in traditional datacenters or using a public cloud offering. In the past, there have been advantages to maintaining in-house hardware and software solutions to help mitigate risk and add controls to deliver resources for business operations. Using the same logic with cloud operations can create some unnecessary challenges. 

With so many different solutions available for centralized identity and access management, it can be cumbersome to extend or operate datacenter solutions. Many of these products may not support platform as a service (PaaS) and cloud-native architectures. With this gap in mind, AWS has invested in services that provide powerful cloud-native controls and identity management. They offer the same agility developers experience with application development.

In part one of this series, we unpacked three keys to starting a successful AWS governance journey. In this article, we're looking at how AWS has provided the tools to help any organization, whether they are new to AWS or have well-established cloud workloads, to streamline centralized account management and apply policy-based controls to manage the environments. 

Centralizing Account Management

As developers and administrators accumulate tools and applications, they often have to manage an increasing number of credentials to do their jobs. In AWS, centralized account management addresses this by creating a single pane of glass for identity and access management. This allows users to sign in to a single workspace to access all needed applications and tools.

However, in an enterprise environment, we often see separate AWS accounts for IT operations work and another account for the software development life cycle (SDLC). There are also other environments to think of, for example having a separate AWS account for infrastructure and shared services. 

Without a cohesive identity strategy, effectively managing credentials to all these accounts can be time-consuming for administrators. AWS offers the ability to utilize multiple user accounts for cross-account access. But managing multiple accounts for various functions of the business can quickly overwhelm identity management teams.

Analyzing AWS Organizations

The good news is AWS Organizations can help enterprises simplify account management. In 2017, AWS introduced AWS Organizations and has steadily been adding features to the service to help businesses achieve central identity in the cloud. AWS Organizations is a service offering that enables you to centrally manage and govern multiple accounts. If you are trying to get control of your existing AWS infrastructure or you are deploying your first application in the cloud, there are a few foundational steps to help any organization win.

Account Management Patterns and Practices to Follow

Some organizations create AWS accounts aligned to specific business units that mirror the company’s reporting structure. This seems like a logical approach to maintain silos for security, governance, and billing, but it becomes difficult to scale and manage. Creating accounts based on departments or reporting structures can lead to redundant infrastructure and security configurations, further impeding administrators’ ability to effectively and efficiently manage workloads.

Introducing Organizational Units (OU) & Service Control Policies (SCPs)

AWS Organizations provides boundaries between different operating units called organizational units (OUs). These are logical groupings of accounts in your AWS Organization. OUs can be controlled through service control policies (SCPs) that limit AWS service actions. SCPs offer central control over available permissions for all accounts and ensure your accounts stay within your organization’s control guidelines. An SCP does not itself grant permissions; instead, it provides guardrails for the actions that can be delegated to identity and access management (IAM) users and roles.

Utilizing the features of AWS Organizations, we can begin to map out the foundational services and functions. By utilizing OUs and SCPs, companies can distinguish varying levels of access and controls for production workloads that can be isolated from non-production workloads. Establishing security and infrastructure OUs plus nested OUs for production and non-production environments has proven to be an effective approach to designing an account structure. 
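The guardrail behavior described above can be modeled in a few lines. The following is an added example, not code from the original article or from AWS: it evaluates a request against a constructed OU tree, where the OU names, account names, and attached SCPs are all hypothetical. It models only the Action element (no Resource or Condition) and ignores the exemptions AWS applies to the management account.

```python
from fnmatch import fnmatchcase

# Constructed organization tree, child -> parent (hypothetical names).
PARENT = {
    "Security": "Root", "Workloads": "Root",
    "Prod": "Workloads", "NonProd": "Workloads",
    "acct-prod-app": "Prod", "acct-dev-app": "NonProd",
}

# Constructed SCPs attached to each node, in SCP statement form.
FULL_ACCESS = {"Effect": "Allow", "Action": ["*"]}
SCPS = {
    "Root": [FULL_ACCESS,
             {"Effect": "Deny", "Action": ["organizations:LeaveOrganization"]}],
    "Workloads": [FULL_ACCESS],
    "Prod": [FULL_ACCESS,
             {"Effect": "Deny",
              "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]}],
    # Allow-list style: anything not listed is implicitly blocked below here.
    "NonProd": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*", "cloudwatch:*"]}],
    "acct-prod-app": [FULL_ACCESS],
    "acct-dev-app": [FULL_ACCESS],
}

def matches(statement, action):
    """Action names are case-insensitive and may contain wildcards."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in statement["Action"])

def path_to_root(node):
    """Yield the account, then each enclosing OU, ending at the root."""
    while node is not None:
        yield node
        node = PARENT.get(node)

def scp_permits(account, action):
    """Guardrail check: no Deny on the path, and an Allow at every level."""
    for node in path_to_root(account):
        stmts = SCPS.get(node, [])
        if any(s["Effect"] == "Deny" and matches(s, action) for s in stmts):
            return False
        if not any(s["Effect"] == "Allow" and matches(s, action) for s in stmts):
            return False
    return True

def effective(account, iam_statements, action):
    """Allowed only if the identity policy grants it AND the SCPs permit it."""
    granted = any(s["Effect"] == "Allow" and matches(s, action)
                  for s in iam_statements)
    return granted and scp_permits(account, action)
```

Even an identity with an `Allow *` policy cannot stop CloudTrail logging in the production account, and an identity with no IAM policy gains nothing from the SCP's Allow statements.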

Exploring AWS Control Tower

If you have an established presence in the cloud, you have no doubt faced challenges with control, security, and scaling existing infrastructure to meet business demands. Our experience with Well-Architected Reviews and cloud governance projects often leads to the recommendation that organizations create a “green-field” AWS environment. This leverages the benefits AWS Organizations offer. While a “green-field” implementation is not always possible, existing environments can still be configured for AWS Control Tower and gain the benefits provided by the service. 

AWS Control Tower delivers central visibility into the AWS environment including provisioned accounts, compliance status, and configured guardrails. This service offers cloud administrators the ability to quickly establish a multi-account environment, following AWS best practices. Using AWS Control Tower allows cloud administrators to set up automated landing zones using effective strategies that encompass a multi-account structure, centrally managing user identities, and federated access with single sign-on (SSO). Establishing guardrails for security, operations, and compliance helps organizations prevent the provisioning or access of non-conforming resources while continuously monitoring for non-compliant resources.

Begin With a Solid Governance Foundation

Here are three ways to build a solid governance foundation to ensure proper access, controls, and separation of duties when consuming cloud resources: 

  • Devise a strategy that best suits your organization with proper infrastructure accounts for networking services.

  • Evaluate different IT services to offer a structure that is aligned with the operations teams.

  • Reserve the security OU for various security activities and services, and establish it as read-only. Security tooling, central logging, break-glass access, and security auditing are a few examples of services reserved for the security OU.

Aligning Operational Units With Workloads

After establishing your governance foundation through AWS Control Tower and AWS Organizations, create OUs aligned with the development and operation of your workloads instead of your IT organizational structure. This workload-centric approach does not preclude you from considering your RACI model when building out OUs for production and non-production workloads and planning how your users will interface with other applications and the cloud infrastructure. 

Defining an Ongoing Strategy

When working with our clients, we typically define a strategy for building additional OUs by collaborating with key business and technical stakeholders to analyze use cases with existing services and upcoming initiatives. Understanding how AWS services operate and interact is an important part of the development process while transitioning to the cloud. One way to accomplish this is to create an isolated sandbox environment for testing and validation of cloud controls before implementing them in development and production workloads to ensure they work as expected. A sandbox OU structure will allow users to experiment with AWS services and development strategies to leverage new technologies. Here, SCP controls can be established to control cost, network isolation, and resource overuse.

Depending on the size and complexity of your organization, there are various approaches to implement and maintain your AWS organization. You may need a consistent way to test out new SCPs for existing OUs and contain suspended and disabled AWS accounts and exceptions for services that are not classified within an existing OU. 

Continuing on Your Cloud Journey

Your organization (regardless of its size) can establish cloud stability and scalability once you establish a proper governance foundation. This includes leveraging AWS Control Tower and Organizations for consistent account creation, implementing SCPs to create boundaries for services, and centralizing identity management for appropriate access to workloads.

At Credera, we’ve helped our clients by assessing their existing workloads and processes to provide a roadmap to a well-architected environment. They can now focus more on service delivery and less on day-to-day maintenance. 

If you are interested in learning more about cloud governance or are looking for a partner to join you in your journey, we have a team of highly experienced individuals who can help. Please feel free to reach out to us at findoutmore@credera.com.
