Which of the following are the best practices when using AWS Organizations?
As you adopt AWS and your business's needs grow, there comes a point where fitting all your workloads into a single AWS account becomes confusing and harder to manage as time goes by.
Later on, you see the need to add more AWS accounts to separate your workloads, for example by having separate accounts for Testing, Staging, and Production. You'll notice that managing users, security, and compliance becomes harder once you have multiple accounts. AWS Organizations solves this problem by letting you centrally manage and control hundreds of AWS accounts from a single interface. This guide explains what AWS Organizations is and how you can set it up yourself following best practices.

What is AWS Organizations?

AWS Organizations is an account management service that lets you centrally manage multiple AWS accounts. As the administrator of an organization, it helps you meet budgetary, security, and compliance needs. Some of the features and benefits of using AWS Organizations include:
Sign up for a new AWS account

Before we can begin enabling AWS Organizations, we need an AWS account. If you don't have an AWS account yet, sign up for one first. Note: if you already have an AWS account, proceed with the Add billing details step.

Add billing details

Once you've created the AWS account, add your billing details in the billing dashboard. This account will become the management account of the organization and pays the consolidated bill for every member account, so it is worth treating it as a dedicated, minimally used account rather than one that also hosts workloads.

Secure root user

Avoid using the root user of your AWS account for day-to-day work: it has unrestricted privileges, including changing payment details and closing the account, and its permissions cannot be limited with IAM policies. The best practice for administrative tasks is to use IAM users or, better, IAM roles with temporary credentials; IAM lets you restrict and control exactly what each identity may do in the account. But we can't just throw away the root user, we need to secure it first using the following steps:
Then store the root user's credentials in a password manager such as 1Password, with access limited to the few people who genuinely need it.

Create an AWS Organization on the management account

To start an AWS Organization, go to AWS Organizations in the AWS console and press Create an organization. The account you do this from becomes the management account, and that role cannot be moved to another account later without deleting and recreating the organization, so choose it deliberately. Once you've created the organization, you'll see its structure on the AWS Organizations > AWS accounts page.

Enable all AWS Organization policies

After creating the organization, enable all policy types on the AWS Organizations > Policies page so you can make use of all of its features. Enabling a policy type does not restrict anything by itself: for service control policies, every account keeps the default FullAWSAccess policy until you author and attach policies of your own. The following policy types are available:
Turn on tax inheritance for AWS billing in your AWS Organization

Tax inheritance lets you configure tax settings once for the whole organization and apply them to all existing and new AWS accounts that join the organization. This saves you the administrative tax work that would otherwise be needed every time you create a new account. To enable it, go to the tax settings page and configure the tax settings first. Click Manage tax registration in the top right corner to configure the customer's tax settings, follow the wizard, and save the settings. With tax inheritance turned on, the tax settings are filled in automatically for any new account you create within the organization.

Create an AWS account in AWS Organizations

Now that we've enabled AWS Organizations and set up the required tax settings, we can create new AWS accounts from the AWS Organizations dashboard by pressing the Add an AWS account button. Fill in the account name and an email address. The email address must be unique across all AWS accounts and becomes the recovery address for the new account's root user, so use a mailbox or alias your team controls (for example aws-prod@example.com) rather than a personal address. Once you click Create AWS account, the account is created and added to the root of your organization. The new account is then visible on the AWS Organizations > AWS accounts page in the AWS Console.

Sign in to the newly created AWS account

In the meantime, you'll receive an automated email from Amazon stating that the new AWS account is ready. Activate it by going to the AWS Console sign-in page, selecting sign in as the root user with the email address of the new account, and then using the Forgot password step. You'll receive an email with a password-reset link; set a new password and sign in. Once you're signed in, secure the new root user again by following the instructions in the Secure root user step. Note that accounts created through AWS Organizations also receive an IAM role (OrganizationAccountAccessRole by default) that the management account can assume, so for most administration you do not need the root user at all.

Delete an AWS account in AWS Organizations

Closing an AWS account can be done from the AWS Organizations > AWS accounts page.
Click on the account you wish to close and press Close. You'll get a confirmation prompt asking whether you want to close the AWS account permanently. Check the boxes and click Close account. The closed account remains in the organization in a suspended state for 90 days, during which it can still be reopened; after that it is deleted permanently.

Best practices for organizing AWS accounts in AWS Organizations

Now that you know how to set up AWS Organizations for your own accounts, it's time to dive deeper and focus on a structure that lets you control your accounts more efficiently and effectively. When you initially create an AWS Organization, you start with the organization root, which holds all member accounts. As a best practice, create a hierarchical structure and group similar accounts by their function using Organizational Units (OUs). Policies attached to an OU apply to every account beneath it, so the OU tree is also your policy-inheritance tree and should follow how you intend to restrict accounts, not your org chart. A typical medium-sized business managing 10-30 AWS accounts can use an organization structure like the one below: A few key takeaways:
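If you would rather codify the steps of this guide than click through the console, the same organization baseline can be expressed in Terraform. The block below is an added example and not code from the original guide; the OU names, the account names, the example.com mailboxes, the trusted service principals, and the provider version constraint are assumptions for illustration, and it assumes the provider is configured with credentials for the management account.

```hcl
# Added example (not the guide's own code). Assumed: provider credentials for the
# management account, placeholder OU/account names and example.com mailboxes.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0" # assumption: any provider with close_on_deletion support
    }
  }
}

provider "aws" {
  # Organizations is a global service; the region only picks the API endpoint.
  region = "us-east-1"
}

# Step "Create an AWS Organization": feature_set ALL (not just consolidated
# billing) is required for SCPs and the other policy types.
resource "aws_organizations_organization" "this" {
  feature_set = "ALL"

  # Step "Enable all AWS Organization policies". Enabling a type restricts
  # nothing by itself; policies still have to be written and attached.
  enabled_policy_types = [
    "SERVICE_CONTROL_POLICY",
    "TAG_POLICY",
    "BACKUP_POLICY",
    "AISERVICES_OPT_OUT_POLICY",
  ]

  # Services you intend to operate org-wide later (assumption).
  aws_service_access_principals = [
    "cloudtrail.amazonaws.com",
    "config.amazonaws.com",
    "sso.amazonaws.com",
  ]

  lifecycle {
    prevent_destroy = true # destroying this resource deletes the organization
  }
}

locals {
  root_id = aws_organizations_organization.this.roots[0].id

  # Assumed OU layout: group accounts by function, workloads split by stage.
  top_level_ous = toset(["Security", "Infrastructure", "Workloads"])
  workload_ous  = toset(["Production", "Staging", "Testing"])
}

resource "aws_organizations_organizational_unit" "top" {
  for_each  = local.top_level_ous
  name      = each.key
  parent_id = local.root_id
}

resource "aws_organizations_organizational_unit" "workload" {
  for_each  = local.workload_ous
  name      = each.key
  parent_id = aws_organizations_organizational_unit.top["Workloads"].id
}

# Step "Create an AWS account". Each root email must be unique across AWS and
# should be a team-controlled mailbox; the addresses here are placeholders.
resource "aws_organizations_account" "workload" {
  for_each = {
    "app-prod"    = "Production"
    "app-staging" = "Staging"
    "app-test"    = "Testing"
  }

  name      = each.key
  email     = "aws+${each.key}@example.com"
  parent_id = aws_organizations_organizational_unit.workload[each.value].id

  # Role the management account can assume in the new account (the default name).
  role_name = "OrganizationAccountAccessRole"

  # Member-account IAM users get no billing access; the management account pays.
  iam_user_access_to_billing = "DENY"

  # Step "Delete an AWS account": removing an account from the map above (or a
  # terraform destroy) closes the account rather than merely unmanaging it.
  close_on_deletion = true
}
```

Run terraform plan from the management account and review it before applying. If the organization already exists because you created it in the console, import it into the aws_organizations_organization resource instead of letting Terraform create a second one (which would fail). The steps that remain console-only are tax inheritance and the first root sign-in of each new account, including setting its password and MFA.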
Conclusion

Simply put, AWS Organizations is a great way to consolidate multiple AWS accounts into a single organization that you can manage centrally. It's a bit complicated to get started, but if you plan ahead and follow this guide it can save you loads of time, energy, and money in the long run. If you followed this guide and want to add security to the OUs within your AWS Organization, the next step is to start using AWS Service Control Policies (SCPs). I've written a complete guide with example SCPs that will help you secure and maintain compliance for the AWS accounts within your organization.

AWS Organizations – FAQ