Organizations that are heavy users of AWS often battle to maintain a supervision amid a wealth of corporate accounts. Most times, companies will have business rules, policies, and processes to single out various constituencies across the business. One way to streamline such a widespread and diverse base of public cloud users is to execute multiple cloud accounts which assigns one account to each primary usage group where users, service permissions, billing and other facets of the account might differ significantly from other groups. Using multiple smaller accounts has many benefits, including easier portability if any firm opts to migrate to a different cloud, quick comebacks to security breaches by detecting and isolating that account etc.
Control Tower is a service devised to aid organizations in AWS multi-account management within AWS cloud environments. Amazon added AWS Control Tower to address such issues and give admins the ability to manage multiple cloud accounts through one interface. It offers a very straightforward approach to set up and govern an AWS multi-account environment.
AWS Control Tower provides an effortless way called a landing zone for this purpose following all regulatory best practices. AWS Control Tower orchestrates the capacities of various other AWS services, including AWS Organizations, AWS Service Catalog, and AWS Single Sign-on, to build a landing zone. AWS Control Tower also establishes blueprints, which are policies a company’s accounts must stick to. The blueprints encapsulate workflows and best practices for identity and access management, security, monitoring, logging and so on. AWS customers can implement AWS Control Tower, extend authority into new or existing accounts, and gain visibility into their compliance status quickly. If you are building a new AWS environment, starting out on your journey to AWS or starting a new cloud initiative, Control Tower will help you get started quickly with governance and best practices built in.
AWS Control Tower has the following features:
- Landing zone – A landing zone is a well-architected, multi-account environment that is based on security and compliance best practices A landing zone can scale to fit the needs of an enterprise of any size.
- Guardrails – A guardrail is a high-level rule that provides ongoing governance for your entire AWS environment. Three categories of guidance apply to the two kinds (preventive and detective) Guardrails: Mandatory, Strongly recommended, or Elective.
- Account Factory – An Account Factory is a configurable account template that helps to standardize the provisioning of new accounts with pre-approved account configurations.
- Dashboard – The dashboard offers continuous oversight of your landing zone to your team of central cloud administrators.
Although a Control Tower can be the best answer for organizations that struggle to manage multiple cloud accounts, it is vital to understand the service’s limitations and let’s look at some best practices for multi-account management in AWS.
LIMITATIONS OF AWS CONTROL TOWER
Although the premise of AWS Control Tower is convincing, the service has notable constraints.
The primary concern is the overall requirement for new accounts. AWS Control Tower does not support existing accounts or sub-accounts presently, so companies that already use AWS will have to create/ re-create accounts from scratch to handle them through the Control Tower.
Each AWS service enforces its own usage limits — or quotas, as AWS calls them. There are also functional quotas in memory, timeouts, space allocated to environment variables, space for policies, burst concurrency, invocation frequency, payload size and more.
Some Amazon cloud services, or settings may not be fully compatible with AWS Control Tower, like AWS Organizations. Admins can establish permission guardrails in AWS Organizations, (Organizational Unit) OU’s created outside of any the service will not be supported by Control Tower. Thus, pre-existing OUs are not supported in AWS Control Tower.
One of the best approaches to implementing the AWS Control Tower is to start small with new account deployments and build your service use over time. It is not necessarily applicable for existing, large multi-account deployments.
MULTI-ACCOUNT BEST PRACTICES
Despite such management challenges, there are still significant best practices that can help to facilitate multi-account environments in Amazon’s cloud.
Selecting regions carefully
When consolidating multiple accounts through a tool such as AWS Control Tower, the selection of a “home” region is particularly important since the accounts generated through the tool will be created within the selected region. Since not every cloud service from amazon is available in all regions, it is better to create accounts in the regions where all services and resources required to deploy a workload is available. Creating accounts in multiple regions is also useful so that resources and workloads can be deployed closer to users.
Refine resources
Organizations that use and manage multiple account users and managers find it frustrating that resources and services available in one account might not be available in other accounts. It is the responsibility of the account admin to allow access to all the resources required to support the services and workloads under an account once its created. This reduces costs and limits attack vectors. It is vital to communicate those parameters to users of each account.
Some businesses choose to standardize a minimum suite of services to institute a common foundation of resources for all accounts, but the onus is on the account owners to outline what is or is not available.