AWS Cloud Governance Part 2: Centralised account management and organisation controls
Tim Davies
Centralised account management and organisational controls are two fundamental challenges IT professionals have faced over the years, whether operating in traditional datacentres or using a public cloud offering. In the past, there have been advantages to maintaining in-house hardware and software solutions to help mitigate risk and add controls to deliver resources for business operations. Using the same logic with cloud operations can create some unnecessary challenges.
On top of many multiple solutions to achieve centralised identity and access management, it can be cumbersome to extend or operate datacentre solutions. Many of these products may not support platform as a service (PaaS) and cloud-native architectures. With this gap in mind, AWS has invested in services that provide powerful cloud-native controls and identity management. They offer the same agility developers experience with application development.
In part one of this series, we unpacked three keys to starting a successful AWS governance journey. In this article, we're looking at how AWS has provided the tools to help any organisation, whether they are new to AWS or have well-established cloud workloads, to streamline centralised account management and apply policy-based controls to manage the environments.
Centralising account management
As developers and administrators accumulate tools and applications, they often have to manage an increasing number of credentials to do their jobs. In AWS, centralised account management addresses this by creating a single pane of glass for identity and access management. This allows users to sign in to a single workspace to access all needed applications and tools.
However, in an enterprise environment, we often see separate AWS accounts for IT operations work and another account for the software development life cycle (SDLC). There are also other environments to think of - for example, having a separate AWS account for infrastructure and shared services.
Without a cohesive identity strategy, effectively managing credentials to all these accounts can be time-consuming for administrators. AWS offers the ability to utilise multiple user accounts for cross-account access. But managing multiple accounts for various functions of the business can quickly overwhelm identity management teams.
Analysing AWS organisations
The good news is AWS Organisations can help enterprises simplify account management. In 2017, AWS introduced AWS Organisations and has steadily been adding features to the service to help businesses achieve central identity in the cloud. AWS Organisations is a service offering that enables you to centrally manage and govern multiple accounts. If you are trying to get control of your existing AWS infrastructure or you are deploying your first application in the cloud, there are a few foundational steps to help any organisation win.
Account management patterns and practices to follow
Some organisations create AWS accounts aligned to specific business units that mirror the company’s reporting structure. This seems like a logical approach to maintain silos for security, governance, and billing, but it becomes difficult to scale and manage. Creating accounts based on departments or reporting structures can lead to redundant infrastructure and security configurations, further impeding administrators’ ability to effectively and efficiently manage workloads.
Introducing organisational units (OUs) & service control policies (SCPs)
AWS Organisations provides boundaries between different operating units called organisational units (OUs). These are logical groupings of accounts in your AWS Organisation. OUs can be controlled through service control policies (SCPs) that limit AWS service actions. SCPs offer central control over the maximum permissions available to all accounts and ensure your accounts stay within your organisation’s control guidelines. An SCP does not itself grant permissions; it acts as a guardrail that bounds the actions which can then be delegated to identity and access management (IAM) users and roles inside each account.
Utilising the features of AWS Organisations, we can begin to map out the foundational services and functions. By utilising OUs and SCPs, companies can distinguish varying levels of access and controls for production workloads that can be isolated from non-production workloads. Establishing security and infrastructure OUs plus nested OUs for production and non-production environments has proven to be an effective approach to designing an account structure.
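To make the guardrail behaviour concrete, here is an added example (not code from the article or from AWS) that models how SCPs attached at the root, at a nested OU and at the account combine with an account's IAM policy: every level must allow the action, any level may deny it, and the IAM policy must still grant it. The policy documents, OU names and the sandbox instance-type guardrail are constructed for illustration; only StringLike/StringNotLike conditions are modelled.

```python
import fnmatch

# Constructed sample documents (assumed for this example, not from the article).
# AWS attaches the managed FullAWSAccess SCP at every level by default; the OU
# policies below are deny-list guardrails layered on top of it.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
WORKLOADS_OU_SCP = {"Statement": [{"Effect": "Deny", "Resource": "*", "Action": [
    "cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "organizations:LeaveOrganization"]}]}
SANDBOX_OU_SCP = {"Statement": [{"Effect": "Deny", "Resource": "*", "Action": "ec2:RunInstances",
    "Condition": {"StringNotLike": {"ec2:InstanceType": ["t2.*", "t3.*"]}}}]}
# IAM identity policies inside an account; SCPs never replace these grants.
ADMIN_ROLE = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
READ_ONLY_ROLE = {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}
# Policies attached at each level of the (hypothetical) organisation tree, root first.
ROOT = [FULL_AWS_ACCESS]
WORKLOADS_OU = [FULL_AWS_ACCESS, WORKLOADS_OU_SCP]
SANDBOX_OU = [FULL_AWS_ACCESS, SANDBOX_OU_SCP]

def _matches(patterns, value):
    pats = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def _condition_ok(cond, ctx):
    """Only StringLike/StringNotLike are modelled; a missing key satisfies Not*, as in AWS."""
    for op, kv in (cond or {}).items():
        for key, pats in kv.items():
            hit = key in ctx and _matches(pats, ctx[key])
            if (op == "StringLike" and not hit) or (op == "StringNotLike" and hit):
                return False
    return True

def evaluate(policy, action, ctx=None):
    """One policy document: explicit Deny wins; 'Allow' if any statement grants; else None."""
    result = None
    for st in policy["Statement"]:
        if _matches(st["Action"], action) and _condition_ok(st.get("Condition"), ctx or {}):
            if st["Effect"] == "Deny":
                return "Deny"
            result = "Allow"
    return result

def layer_allows(policies, action, ctx=None):
    """One level of the tree: no attached SCP may deny and at least one must allow."""
    results = [evaluate(p, action, ctx) for p in policies]
    return "Deny" not in results and "Allow" in results

def effective_allow(scp_layers, identity_policy, action, ctx=None):
    """Every level from root to the account must allow, and IAM must still grant the action."""
    return (all(layer_allows(layer, action, ctx) for layer in scp_layers)
            and evaluate(identity_policy, action, ctx) == "Allow")
```

The read-only case shows the point of the section: an SCP that allows everything still grants nothing, because the account's IAM policy decides what is actually permitted within the guardrail.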
Exploring AWS Control Tower
If you have an established presence in the cloud, you have no doubt faced challenges with control, security, and scaling existing infrastructure to meet business demands. Our experience with Well-Architected Reviews and cloud governance projects often leads to the recommendation that organisations create a “green-field” AWS environment. This leverages the benefits AWS Organisations offer. While a “green-field” implementation is not always possible, existing environments can still be configured for AWS Control Tower and gain the benefits provided by the service.
AWS Control Tower delivers central visibility into the AWS environment including provisioned accounts, compliance status, and configured guardrails. This service offers cloud administrators the ability to quickly establish a multi-account environment, following AWS best practices. Using AWS Control Tower allows cloud administrators to set up automated landing zones using effective strategies that encompass a multi-account structure, centrally managing user identities, and federated access with single sign-on (SSO). Establishing guardrails for security, operations, and compliance helps organisations prevent the provisioning or access of non-conforming resources while continuously monitoring for non-compliant resources.
Begin with a solid governance foundation
Here are three ways to build a solid governance foundation to ensure proper access, controls, and separation of duties when consuming cloud resources:
- Devise a strategy that best suits your organisation with proper infrastructure accounts for networking services.
- Evaluate the different IT services on offer and design a structure that aligns with how the operations teams work.
- Reserve the security OU for security activities and services, and establish it as read-only. Security tooling, central logging, break-glass access, and security auditing are a few examples of services reserved for the security OU.
Aligning operational units with workloads
After establishing your governance foundation through AWS Control Tower and AWS Organisations, create OUs aligned with the development and operation of your workloads instead of your IT organisational structure. This workload-centric approach does not preclude you from considering your RACI model when building out OUs for production and non-production workloads and planning how your users will interface with other applications and the cloud infrastructure.
Defining an ongoing strategy
When working with our clients, we typically define a strategy for building additional OUs by collaborating with key business and technical stakeholders to analyse use cases with existing services and upcoming initiatives. Understanding how AWS services operate and interact is an important part of the development process while transitioning to the cloud.
One way to accomplish this is to create an isolated sandbox environment for testing and validation of cloud controls before implementing them in development and production workloads to ensure they work as expected. A sandbox OU structure will allow users to experiment with AWS services and development strategies to leverage new technologies. Here, SCP controls can be established to control cost, network isolation, and resource overuse.
Depending on the size and complexity of your organisation, there are various approaches to implementing and maintaining your AWS organisation. You may need a consistent way to test new SCPs against existing OUs, as well as holding OUs for suspended and disabled AWS accounts and for exceptions that do not fit within an existing OU.
Continuing on your cloud journey
Your organisation (regardless of size) can establish cloud stability and scalability once you establish a proper governance foundation. This includes leveraging AWS Control Tower and Organisations for consistent account creation, implementing SCPs to create boundaries for services, and centralising identity management for appropriate access to workloads.
At Credera, we’ve helped our clients by assessing their existing workloads and processes to provide a roadmap to a well-architected environment. They can now focus more on service delivery and less on day-to-day maintenance.
How we can help
Credera is passionate about helping organisations foster cloud enablement that drives successful cloud adoption and valuable business outcomes. Our unique expertise in corporate strategy, innovation, and application development enables us to bring a holistic approach to your cloud adoption journey. To find out more, please get in touch with a member of our team.