Advanced AWS Landing Zone Configuration: Multi-Account Strategies and Automation
Introduction
Building on the foundational setup of an AWS Landing Zone, this post explores advanced techniques for managing a multi-account AWS environment. These practices are crucial for larger organizations or those with complex compliance, security, and operational needs.
Multi-Account Strategy with AWS Organizations
AWS Organizations is an account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage. It’s a cornerstone for implementing a multi-account strategy, allowing for better resource isolation, security, billing, and governance.
Setting up AWS Organizations
aws organizations create-organization --feature-set ALL
After creating your organization, you can create organizational units (OUs) to group accounts with similar requirements, and apply policies for governance and security at the OU level.
Implementing Service Control Policies (SCPs)
Service Control Policies (SCPs) are JSON policies that specify the maximum permissions for an account or an OU within an AWS organization. SCPs help you centrally control access to resources and services, ensuring compliance with your organization's security policies. Note that an SCP never grants permissions on its own: a principal can perform an action only if both the SCP and the IAM policies in the account allow it, and SCPs do not apply to the management account.
Example SCP to Restrict Service Access
This SCP restricts members of the OU from accessing any services other than Amazon EC2, Amazon S3, and Amazon RDS.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:*",
        "s3:*",
        "rds:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "NotAction": [
        "ec2:*",
        "s3:*",
        "rds:*"
      ],
      "Resource": "*"
    }
  ]
}
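To make the semantics concrete, the following is an added Python model of how this SCP caps permissions (it is not code from the post or from AWS). It embeds the SCP above together with a constructed IAM identity policy, evaluates actions only (no Resource or Condition matching), and reproduces the rules that an explicit Deny always wins and that an SCP can only restrict, never grant; the authoritative decision is of course made by AWS.

```python
import json
from fnmatch import fnmatchcase

# The SCP from this post (Allow-list plus a Deny on everything else).
SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:*", "rds:*"], "Resource": "*"},
    {"Effect": "Deny", "NotAction": ["ec2:*", "s3:*", "rds:*"], "Resource": "*"}
  ]
}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_matches(pattern, action):
    # IAM action names match case-insensitively; '*' and '?' are wildcards.
    return fnmatchcase(action.lower(), pattern.lower())

def _statement_applies(stmt, action):
    # A statement applies when Action matches, or when NotAction does NOT match.
    # A single statement carries either Action or NotAction, never both.
    if "Action" in stmt:
        return any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False

def policy_decision(policy, action):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one policy document.
    Simplified model: actions only, Resource and Condition are ignored."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        decision = "Allow"
    return decision

def effective_allowed(scp, identity_policy, action):
    """The action succeeds only if the SCP allows it AND the IAM policy allows it.
    The SCP caps what IAM can grant; it never grants anything by itself."""
    return (policy_decision(scp, action) == "Allow"
            and policy_decision(identity_policy, action) == "Allow")

# Constructed IAM policy for a role in the member account (full admin).
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
```

With the full-admin IAM policy, `iam:CreateUser` is still refused because the SCP's Deny statement applies to every action outside the three allowed services.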
Automating Account Provisioning with Terraform
Automation is key to efficiently managing a multi-account setup. Below, we outline how to use Terraform to automate the creation of new accounts and apply configurations at scale.
Terraform Configuration for Account Creation
provider "aws" {
  region = "us-east-1"
}

resource "aws_organizations_account" "account" {
  name      = "NewAccount"
  email     = "newaccount@example.com"
  role_name = "OrganizationAccountAccessRole"
}

output "new_account_id" {
  value = aws_organizations_account.account.id
}
This Terraform configuration creates a new AWS account within your organization and outputs the new account ID.
Automating Resource Provisioning Across Accounts
To automate resource provisioning across multiple accounts, you can use Terraform workspaces or modules, defining an aliased provider for each account with a provider block whose assume_role block points at that account's OrganizationAccountAccessRole.
provider "aws" {
  alias  = "new_account"
  region = "us-west-2"

  assume_role {
    role_arn = "arn:aws:iam::${var.new_account_id}:role/OrganizationAccountAccessRole"
  }
}

module "new_account_vpc" {
  source = "./modules/vpc"

  providers = {
    aws = aws.new_account
  }

  // Module parameters...
}
Conclusion
Expanding upon the foundational AWS Landing Zone setup, this post delves into the intricacies of a multi-account strategy, showcasing how AWS Organizations and SCPs can be utilized for effective governance and security. Additionally, we highlighted the power of infrastructure as code, particularly Terraform, in automating the provisioning of new accounts and resources, ensuring scalability and compliance across your AWS environment. As you progress, you’ll uncover more advanced techniques and best practices to tailor your AWS Landing Zone to the unique needs of your organization.
For more information on AWS Landing Zones, or to speak with us about how Nebulaworks can help you leverage AWS to drive business innovation, reach out to us