AWS multi-account strategy is a powerful method of managing multiple AWS accounts within an organization. It is designed to help organizations scale and manage their cloud infrastructure more effectively while maintaining security and compliance. In this article, we will explore the key components of an AWS multi-account strategy and how it can be implemented to achieve better control and efficiency in managing cloud resources.
Why Multiple Accounts?
Security controls: Each application could have different security controls, like within same organization, PCI-DSS will have different security controls than other applications.
Isolation: Isolation is crucial to prevent potential risks and security threats that may arise from having multiple applications in the same account.
Many teams: Using multiple accounts prevents team interference, as teams with different responsibilities and resource needs are separated.
Data Isolation: Isolating data stores to an account limits access and management of data to a select few, reducing the risk of unauthorized exposure of sensitive information.
Business process: Individual accounts can be created to cater to specific business needs since business units or products often have different purposes and processes.
Billing: The multi-account approach allows for the creation of distinct billable items across business units, functional teams, or individual users.
Quota allocation: Each account, including projects, has a well-defined and individual quota since AWS quotas are established on a per-account basis.
Design OU Structure
An organizational unit (OU) is a logical grouping of accounts in your organization, created using AWS organizations. OUs enable you to organize your accounts into a hierarchy and make it easier for you to apply management controls. AWS organizations policies are what you use to apply such controls. A Service Control Policy (SCP) is a policy that defines the AWS service actions.