
Wrangling Multiple AWS Accounts with AWS Organizations


In this session we'll look at aspects affecting your account management before and after AWS Organizations, how AWS Organizations can programmatically create and manage your AWS accounts and apply organisational controls with familiar policies across these accounts to meet your business needs. We'll also cover best practices and troubleshooting tips to get you started.

  1. © 2017, Amazon Web Services, Inc. or its Affiliates, All rights reserved. Wrangling Multiple AWS Accounts with AWS Organisations. Level 200. James Kingsmill, Geoscience Australia; Blake Chism, AWS Professional Services
  2. In this Session
     • How did we get here
     • Service overview
     • Best practices
     • Customer Use Case: Geoscience Australia
  3. How Did We Get Here?
  4. AWS Account Overview: Users, Groups/Resources, Roles, Policies, Amazon S3
  5. AWS Account Decisions: Administrative Boundary, Resources Containment, Billing Entity, Environmental, Business Workload
  6. AWS Accounts, One to Many (diagram of many AWS accounts)
  7. Service Overview
  8. AWS Organisations
     • New management capability for centrally managing multiple AWS accounts
       - Simplified creation of new AWS accounts
       - Logically group AWS accounts for management convenience
       - Apply organisational control policies (OCP)
       - Simplified billing
     • Console, SDK, and CLI support for all management tasks
  9. AWS Organisations (diagram legend): M = Master Account / Administrative root; Organisational Unit (OU); AWS Account (A1–A4); Organisation Control Policy (OCP); AWS Resources; OUs Dev, Test, Prod
  10. AWS Organisations: Create new AWS Organisations Accounts (A5 added to the diagram)
      - Email address (required)
      - Account name (required)
      - IAM role name (optional)
  11. AWS Organisations: Invite other AWS accounts to join your AWS Organisations (diagram: A1–A5 under Dev, Test, Prod)
  12. AWS Organisations (diagram: A1–A5 plus invited account B1 and its master M)
  13. AWS Organisations (diagram: A1–A4 under Dev, Test, Prod)
  14. AWS Organisations (diagram: A1–A4 under Dev, Test, Prod)
  15. OCP V1: Service Control Policies (SCPs)
      • Enables you to control which AWS service APIs are accessible
        - Define the list of APIs that are allowed – Whitelisting
        - Define the list of APIs that must be blocked – Blacklisting
      • Cannot be overridden by local administrator
      • Resultant permission on IAM user/role is the intersection between the SCP and assigned IAM permissions
      • Necessary but not sufficient
      • IAM policy simulator is SCP-aware
  16. Whitelisting example:
        {
          "Version": "2012-10-17",
          "Statement": [
            { "Effect": "Allow", "Action": [ "EC2:*", "S3:*" ], "Resource": "*" }
          ]
        }
      Blacklisting example:
        {
          "Version": "2012-10-17",
          "Statement": [
            { "Effect": "Deny", "Action": [ "SQS:*" ], "Resource": "*" }
          ]
        }
  17. SCPs are Necessary but not Sufficient (diagram): SCP allows S3:*, SQS:*, EC2:*; IAM allows EC2:*; intersection: EC2:*
  18. Simplified Billing
      • Single payer for all AWS accounts
      • All AWS usage across AWS accounts in your organisation rolled up for volume pricing and billing
      • All existing consolidated billing (CB) families will be migrated to an organisation in billing mode
  19. Different Management Levels. You select the management level when creating a new organisation.
      Billing mode
      • Backward-compatible with current consolidated billing (CB)
      • Organization created from CB family automatically in billing mode
      Full-control mode
      • Everything included in billing mode
      • Enables management of ALL types of OCPs
      • Changing from billing mode to full control mode requires consent from all AWS accounts in your organisation
  20. James Kingsmill, Cloud Enablement Team, Geoscience Australia
  21. Background: 650 staff; highly technical; 40 AWS accounts; 400% growth rate
  22. How do we create new AWS accounts?
  23–30. First you... / Then you... / And then... / More details... / Oh okay... / I just... / Losing the will to continue... / ಠ_ಠ: the manual account-creation steps, added one per slide:
      • Have a credit card
      • Have a unique group email address
      • Enter contact details
      • Enter payment details
      • Enter captcha
      • Receive automated phone call
      • Handshake Consolidated Billing account
      • Manage root credentials, including MFA
  31. Solution: Self-service AWS account creation
  32. Solution
      • API Gateway
      • Lambda
      • Amazon S3 static website
      • CloudFront
      • Terraform
  33–35. Improvements (added one per slide): Security; UX; Provisioning features
  36. Best Practices
  37. Best Practices – AWS Organizations
      • Monitor activity of the master account using CloudTrail
      • Do not manage resources in the master account
      • Manage your organization using the principle of “Least privilege”
      • Use OUs to assign controls
      • Test controls on a single AWS account first
      • Only assign controls to the root of the organization if necessary
      • Avoid mixing “whitelisting” and “blacklisting” SCPs in an organization
      • Create new AWS accounts for the right reasons
      • Familiarize yourself with service limits
  38. Best Practices – AWS IAM
      • Reduce or remove use of root
      • Create individual IAM users
      • Configure a strong password policy
      • Enable MFA for privileged users
      • Grant least privilege
      • Manage permissions with groups
      • Rotate security credentials regularly
      • Use IAM roles to share access
      • Use IAM roles for Amazon EC2 instances
      • Monitor activity
  39. Summary and Call to Action
      • Definitions: Account, User, Group, Policies, Resources
      • AWS Organization Service Overview
      • Best practices
      • Call to Action
  40. © 2017, Amazon Web Services, Inc. or its Affiliates, All rights reserved. Thank you!
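Slides 15–17 state that the effective permission of a user or role is the intersection of the SCPs on its account and its IAM permissions, so an SCP Allow is necessary but not sufficient. The evaluator below is an added example, not code from the deck or from AWS: it models Effect/Action only (Resource and Condition are ignored), uses the slide 16 whitelisting and blacklisting SCPs plus two constructed IAM policies, and checks actions against the SCP path and IAM the way the slide 17 diagram does.

```python
import fnmatch

# Constructed for the demo after slide 16: whitelisting SCP (EC2 and S3 only).
WHITELIST_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}]}

# Blacklisting SCP. SCPs are deny-by-default, so a bare Deny only has effect
# beside an Allow "*" (the FullAWSAccess policy AWS attaches by default).
BLACKLIST_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["sqs:*"], "Resource": "*"}]}

# Constructed IAM policies on the user/role: slide 17's EC2-only grant, and full admin.
IAM_EC2_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
IAM_ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _has_effect(policy, effect, action):
    """True if a statement with this Effect matches the action (case-insensitive glob)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == effect and any(
                fnmatch.fnmatchcase(action.lower(), p.lower())
                for p in _as_list(stmt["Action"])):
            return True
    return False

def policy_allows(policy, action):
    """Evaluate one policy: an explicit Deny wins, otherwise an Allow is required."""
    return not _has_effect(policy, "Deny", action) and _has_effect(policy, "Allow", action)

def effective_allow(scps, iam_policies, action):
    """Slide 15/17 rule: the effective permission is the intersection of every
    SCP on the root -> OU -> account path and the principal's IAM permissions.
    An SCP Allow is necessary but not sufficient; IAM must still grant it."""
    if not all(policy_allows(scp, action) for scp in scps):
        return False  # blocked by the organisation, whatever IAM says
    return any(policy_allows(p, action) for p in iam_policies)

if __name__ == "__main__":
    print(effective_allow([WHITELIST_SCP], [IAM_EC2_ONLY], "ec2:DescribeInstances"))  # True
    print(effective_allow([WHITELIST_SCP], [IAM_EC2_ONLY], "s3:GetObject"))  # False: no IAM grant
```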
