Multi Account Management - Coggle Diagram
Multi Account Management
    Requirements
        administrative isolation
        limited visibility of workloads
        minimize blast radius
        strong isolation of recovery and auditing data
        separate billing
    Tools
        AWS Organisations
            Service Control Policies: restrict accounts to certain actions
        Tagging
        Resource Groups
        Consolidated billing
    Identity Account Structure
        can manage all user accounts in one location
        users reach sub-accounts through trust relationships on IAM roles in those sub-accounts
        sub-accounts grouped by: Business Unit, Deployment, Geography
    Logging Account Structure
        centralized logging repository
        can be secured so that sub-accounts cannot modify it (immutable)
        can use Service Control Policies (SCPs) to prevent sub-accounts from changing it
    Publishing Account Structure
        common repository for AMIs, code, containers
        permits sub-accounts to use pre-approved services or assets
    Information Security Account
        hybrid that mixes security and logging
        central point of control and audit
        logs are immutable for sub-account users
    Central IT Account Structure
        manage IAM users and groups
        provide shared services
        provide standard assets (AMIs, databases, EBS volumes) that adhere to corporate policies
    Service Control Policies cascade down the organisation tree
        a policy attached to an OU or the root affects every sub-account beneath it
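An SCP of the kind the map describes for the logging account, as an added example that is not part of the original diagram: attached to the organisation root or to the OU holding the sub-accounts, it cascades down the tree and denies every account beneath it the ability to stop, delete or reconfigure its CloudTrail trails and AWS Config recorders, so the centralized logs stay intact. The Sid is a constructed name; the actions are real CloudTrail and Config API actions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProtectCentralLoggingExample",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors",
        "config:DeleteConfigurationRecorder",
        "config:StopConfigurationRecorder",
        "config:DeleteDeliveryChannel"
      ],
      "Resource": "*"
    }
  ]
}
```

SCPs only filter what IAM may grant and never grant permissions themselves, and they do not apply to the organisation's management account, so that account still needs its own tight IAM controls.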