How to organize Cloud accounts
The Rule: Create a Cloud account for each major use case your organization operates in the Cloud.
This guide shows how to organize a large organization’s Cloud accounts to deliver changes and operate safely. Tailor this to fit your needs and feel free to contact us with questions.
Organize Cloud Accounts by Use CaseLet’s start with use cases shared across the organization, then examine those for running end-user applications.
Enterprise Use Cases
There are several use cases every Enterprise must support in their Cloud deployment (green). Provision accounts for:
The Security account contains the organization’s Cloud API activity logs (CloudTrail) and resource configuration inventory (Config). Ingest these logs into log search tools in the Shared Services account.
Operate monitoring, logging, DNS, directory, and security tools in a Shared Services account. Collect telemetry from the cloud provider, your infrastructure, and your applications running in other accounts. People with high privileges in other accounts may use this data and services, but should not be able to modify operational telemetry.
The Delivery account operates the powerful CI/CD systems that build applications and manage infrastructure. Operating CI/CD in a dedicated account simplifies securing that function.
Runtime Use Cases
Organize Cloud Accounts by Business UnitMost organizations have multiple business units. Provisioning Runtime accounts for each business unit decouples decision making and access management between business units. This provides the freedom necessary for business units to get their jobs done with minimal coordination. Recognize these choices will guide relationships between people and services within the enterprise going forward. Autonomy
Architecture, team structure, deployment, and operational practices that do the work to deliver applications vary across business units. Recognizing and accepting differences helps business units coexist and adopt the Cloud in harmony instead of battling over standards.Security and Safety
IAM users, roles, and policies are scoped to an account. Consequently, an engineer or application in one business unit can use resources without affecting another business unit. This limits risk of security compromises, too. An attacker with a foothold in one business unit cannot automatically access another. Cross-account access can be enabled, but must be done so explicitly.Cost Management
Tracking and managing AWS operational costs at the business unit level will be very easy in both AWS and third-party Cloud cost management tooling.
Organize Cloud Accounts by Delivery Phase
Most organizations have multiple phases of application delivery. Condense environments by purpose and deploy each environment into a separate account: dev, stage, and prod.Autonomy
Application development teams can deploy changes and get feedback rapidly without fear of breaking downstream environments, particularly production.Security and Safety
Varying a person’s permissions by delivery phase is straightforward when each phase has its own account. An IAM user or role in the dev account won’t automatically get the same permissions in stage or prod. This simplifies giving the right level of access to data and operations at each phase of delivery. Deleting databases may be ok in dev, but almost never in prod.Partitioning accounts by delivery phase also demarcates audit boundaries and keeps non-prod out of scope. Cost Management
Partitioning by phase helps you understand how money is spent on each environment and set resource usage limits appropriately.
Organize Cloud accounts to support the distinct use cases, structure, and delivery processes of your organization. Partition use cases by account to create safe boundaries for activities and data that enable your organization to move quickly and safely.
Please contact us and we’ll be happy to answer any questions you may have.