How SMBs Can Rapidly Implement a Multi-Account Environment Using AWS Organizations and AWS CloudFormation StackSets


Small and Medium Businesses (SMBs) must ensure high availability while effectively managing security risks and keeping operational costs low. A multi-account environment in AWS, characterized by workload isolation, strong access control, clear cost visualization, and integrated security features, can provide SMBs with a robust platform to foster growth. To fully leverage the advantages of cloud technology, SMBs seek to deploy this multi-account environment swiftly and securely.

In our previous blog post, we explored the rationale behind SMBs adopting a multi-account strategy and shared AWS’s best practices for implementation. In this post, we will guide you through the process of establishing a secure, scalable multi-account environment using Infrastructure as Code (IaC) with AWS Organizations and AWS CloudFormation. AWS CloudFormation simplifies the modeling and provisioning of AWS resources as a cohesive stack. Using CloudFormation StackSets for organizational resource creation allows for centralized, consistent provisioning across multiple accounts, which reduces operational overhead and costs.

With a solid foundation in place, SMBs can easily take advantage of cost optimization, security, and governance tools to manage their environments effectively, while also minimizing administrative burdens. The guidance provided here leverages services like AWS Organizations and AWS CloudFormation to help you establish an efficient multi-account environment. For those interested in an automated setup with best practices that deploy essential cloud governance services such as AWS Config, AWS CloudTrail, and AWS Security Hub, consider looking into AWS Control Tower.

Solution Overview

AWS Organizations allows for a hierarchical account structure comprising a management account and several member accounts. This setup facilitates workload isolation, centralized monitoring, and unified security policy management. Additionally, it provides access to a variety of AWS security services that integrate with AWS Organizations, enabling efficient security posture management with limited resources. AWS CloudFormation StackSets lets you create, update, or delete stacks across various AWS accounts and Regions in a single operation. You can configure templates to establish the organizational resources you need, along with their interdependencies. Resources created via CloudFormation in AWS Organizations necessitate using either the organization’s management account or a delegated administration account. Merging AWS CloudFormation with AWS Organizations enables the deployment of stack instances to member accounts within your organization.

In this article, we will:

  1. Deploy an AWS CloudFormation template to establish an organization complete with recommended organizational units (OUs), service control policies, and a resource policy that grants all member accounts access to information about their organization.
  2. Activate AWS IAM Identity Center to provide federated access to your workforce.
  3. Deploy IAM roles to member accounts to support the utilized services and ensure emergency access if issues arise with identity federation.
  4. Finally, implement three AWS Systems Manager parameters that will assist in defining IAM policies within member accounts.

Upon deploying the AWS CloudFormation template, the resulting setup will resemble the diagram shown in Image 1.

Prerequisites

When configuring a multi-account environment, we recommend:

  • Creating a new, empty AWS account to serve as your management account where you’ll deploy the AWS CloudFormation StackSet that establishes the multi-account environment.
  • Using an alias or group email address for the management account setup.
  • Avoiding the use of individual email addresses to prevent complications if a person leaves the organization.
  • Ensuring MFA is activated for your root user.
  • If you already possess existing workload accounts, you can invite them to join as member accounts after setting up your organization.

Walkthrough

This section will guide you through deploying a CloudFormation StackSet template (CFN template) to create a streamlined AWS Organization following AWS best practices. We will also provide additional recommendations that must be set up outside of this template. Upon deploying the AWS CloudFormation template, the resulting organization will consist of recommended organizational units (OUs) as follows:

  • Security – Within the organizational root
  • Infrastructure – Within the organizational root
  • Workloads – Within the organizational root
  • Non-Prod – Within the Workloads OU
  • Prod – Within the Workloads OU
  • Sandbox – Within the organizational root
  • Exception – Within the organizational root

Additionally, there will be one service control policy attached at the root of the organization to deny all root-user actions and prevent member accounts from leaving the organization. An AWS Organizations resource policy will allow member accounts to retrieve organizational information. Furthermore, a CloudFormation service role will be established in each member account with an associated permissions boundary, so that stacks can be deployed without granting access to IAM administrative actions that might lead to privilege escalation. AWS Systems Manager (SSM) Parameter Store parameters will also be created in all member accounts.
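The following template is an added example, not the blog's own template, showing how the OU hierarchy above and the root-level guardrails are expressed in CloudFormation. It creates the organization, a subset of the recommended OUs (Security, Workloads, and the nested Prod and Non-Prod), one SCP attached to the root that denies root-user actions and `organizations:LeaveOrganization`, and an organization resource policy that lets any principal inside the organization read basic organization information. Resource and parameter names are illustrative; `pSecurityOuName` mirrors the parameter used later in the walkthrough.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not the blog's template): organization, a subset of the
  recommended OUs, a root-level SCP and an organization resource policy.
Parameters:
  pSecurityOuName:
    Type: String
    Default: Security_Prod
Resources:
  Organization:
    Type: AWS::Organizations::Organization
    Properties:
      FeatureSet: ALL            # required for SCPs and resource policies

  # OUs directly under the organizational root
  SecurityOu:
    Type: AWS::Organizations::OrganizationalUnit
    Properties:
      Name: !Ref pSecurityOuName
      ParentId: !GetAtt Organization.RootId
  WorkloadsOu:
    Type: AWS::Organizations::OrganizationalUnit
    Properties:
      Name: Workloads
      ParentId: !GetAtt Organization.RootId

  # Nested OUs: the parent is the Workloads OU, not the root
  ProdOu:
    Type: AWS::Organizations::OrganizationalUnit
    Properties:
      Name: Prod
      ParentId: !Ref WorkloadsOu
  NonProdOu:
    Type: AWS::Organizations::OrganizationalUnit
    Properties:
      Name: Non-Prod
      ParentId: !Ref WorkloadsOu

  # One SCP on the root: applies to every member account (not the management account)
  RootGuardrails:
    Type: AWS::Organizations::Policy
    Properties:
      Name: root-guardrails
      Type: SERVICE_CONTROL_POLICY
      TargetIds:
        - !GetAtt Organization.RootId
      Content:
        Version: '2012-10-17'
        Statement:
          - Sid: DenyRootUserActions
            Effect: Deny
            Action: '*'
            Resource: '*'
            Condition:
              StringLike:
                aws:PrincipalArn: 'arn:aws:iam::*:root'
          - Sid: DenyLeavingTheOrganization
            Effect: Deny
            Action: organizations:LeaveOrganization
            Resource: '*'

  # Resource policy: members may read about the organization they belong to
  MemberReadAccess:
    Type: AWS::Organizations::ResourcePolicy
    Properties:
      Content:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowMembersToDescribeOrganization
            Effect: Allow
            Principal: '*'
            Action:
              - organizations:DescribeOrganization
              - organizations:ListRoots
              - organizations:ListOrganizationalUnitsForParent
              - organizations:ListAccounts
              - organizations:ListTagsForResource
            Resource: '*'
            Condition:
              StringEquals:
                aws:PrincipalOrgID: !Ref Organization   # Ref returns the o-xxxx id
```

Two points worth checking before deploying: the `AWS::Organizations::Organization` resource fails if the account already belongs to an organization, so it belongs in the empty management account recommended under Prerequisites; and SCPs never apply to the management account itself, which is one more reason to keep no workloads there and to protect its root user with MFA.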

It’s important to note that the above AWS Organizations resources are intended as an initial example for SMBs. For more insights on multi-account strategies and best practices, refer to the whitepaper “Organizing Your AWS Environment Using Multiple Accounts.” Another related blog post can be found at Chanci Turner’s site for further reading.

Deploy the CloudFormation Template

  1. Download the CloudFormation template from GitHub.
  2. Sign in to your organization’s management account, navigate to the CloudFormation console, and select “Create stack.”
  3. Choose “With new resources (standard),” upload the template.yml file, and proceed to configure the template parameters as follows:
    • pSSOInstanceId: Leave this blank for now.
    • pDeveloperPrefix: Used for naming self-service IAM roles and CloudFormation stacks in member accounts; defaults to “app.”
    • pCloudFormationRoleName: IAM Role utilized by CloudFormation to deploy stacks in member accounts; defaults to “CloudFormationRole.”
    • pRegions: Regions for StackSets deployment; defaults to “us-east-1.” Include any regions you plan to use.
    • pSandboxOuName: Name for the sandbox OU; defaults to “Sandbox.”
    • pSecurityOuName: Name for the security OU; defaults to “Security_Prod.”
    • Feel free to customize the template as needed; the original code can be found in this GitHub repo.
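To show what the `pCloudFormationRoleName`, `pDeveloperPrefix` and `pRegions` parameters drive, and how the member-account service role with its permissions boundary and an SSM parameter (described in the Walkthrough) reach every account, here is an added example of a service-managed StackSet. It is not the blog's template or the GitHub repo's code; `pTargetOuIds`, the StackSet name, the `/org/...` parameter path and the boundary design are assumptions. The StackSet is created in the management account and deploys the inner template to all accounts under the target OUs, in each Region listed in `pRegions`.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example, not the blog's template. Run in the management account, it
  creates a service-managed StackSet that deploys a CloudFormation service
  role (capped by a permissions boundary) and an SSM parameter into every
  account under the target OUs, in each Region listed in pRegions.
Parameters:
  pCloudFormationRoleName:
    Type: String
    Default: CloudFormationRole
  pDeveloperPrefix:
    Type: String
    Default: app
  pRegions:
    Type: CommaDelimitedList
    Default: us-east-1
  pTargetOuIds:
    Type: CommaDelimitedList
    Description: Assumed input - OU IDs (ou-xxxx-xxxxxxxx) to deploy into
Resources:
  MemberBaselineStackSet:
    Type: AWS::CloudFormation::StackSet
    Properties:
      StackSetName: member-account-baseline
      PermissionModel: SERVICE_MANAGED   # Organizations provisions the execution roles
      CallAs: SELF                       # called from the management account
      Capabilities: [CAPABILITY_NAMED_IAM]
      AutoDeployment:
        Enabled: true                    # accounts added to the OU later get the baseline too
        RetainStacksOnAccountRemoval: false
      Parameters:
        - ParameterKey: pCloudFormationRoleName
          ParameterValue: !Ref pCloudFormationRoleName
        - ParameterKey: pDeveloperPrefix
          ParameterValue: !Ref pDeveloperPrefix
      StackInstancesGroup:
        - DeploymentTargets:
            OrganizationalUnitIds: !Ref pTargetOuIds
          Regions: !Ref pRegions
      # Member-account template, passed as a plain literal (no !Sub at this
      # level) so the inner !Sub calls resolve inside each member account.
      TemplateBody: |
        AWSTemplateFormatVersion: '2010-09-09'
        Parameters:
          pCloudFormationRoleName: { Type: String }
          pDeveloperPrefix: { Type: String }
        Resources:
          # Boundary: any service except IAM/Organizations/Account administration,
          # plus IAM on prefixed roles only when the new role carries this same
          # boundary. IAM actions not listed here (including editing this policy
          # or removing a role's boundary) stay implicitly denied.
          DeveloperBoundary:
            Type: AWS::IAM::ManagedPolicy
            Properties:
              ManagedPolicyName: !Sub '${pDeveloperPrefix}-boundary'
              PolicyDocument:
                Version: '2012-10-17'
                Statement:
                  - Sid: ServicesWithoutIamAdmin
                    Effect: Allow
                    NotAction: ['iam:*', 'organizations:*', 'account:*']
                    Resource: '*'
                  - Sid: PrefixedRolesOnlyWithBoundary
                    Effect: Allow
                    Action: ['iam:CreateRole', 'iam:PutRolePolicy', 'iam:DeleteRolePolicy',
                             'iam:AttachRolePolicy', 'iam:DetachRolePolicy',
                             'iam:PutRolePermissionsBoundary']
                    Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/${pDeveloperPrefix}-*'
                    Condition:
                      StringEquals:
                        iam:PermissionsBoundary: !Sub 'arn:aws:iam::${AWS::AccountId}:policy/${pDeveloperPrefix}-boundary'
                  - Sid: PrefixedRolesLifecycle
                    Effect: Allow
                    Action: ['iam:GetRole', 'iam:DeleteRole', 'iam:TagRole', 'iam:PassRole']
                    Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/${pDeveloperPrefix}-*'
          CloudFormationRole:
            Type: AWS::IAM::Role
            Properties:
              RoleName: !Ref pCloudFormationRoleName
              PermissionsBoundary: !Ref DeveloperBoundary
              AssumeRolePolicyDocument:
                Version: '2012-10-17'
                Statement:
                  - Effect: Allow
                    Principal: { Service: cloudformation.amazonaws.com }
                    Action: sts:AssumeRole
              ManagedPolicyArns:
                - arn:aws:iam::aws:policy/AdministratorAccess   # effective rights = the boundary
          CloudFormationRoleName:
            Type: AWS::SSM::Parameter
            Properties:
              Name: /org/cloudformation-role-name
              Type: String
              Value: !Ref pCloudFormationRoleName
```

The role's effective permissions are the intersection of its attached policy and the boundary, so the broad managed policy is reduced to "anything except IAM, Organizations and Account administration, plus prefixed roles that carry the same boundary". Any role the service role creates is therefore capped by the same boundary, which is what blocks the privilege-escalation path the Walkthrough mentions. Service-managed StackSets require trusted access between CloudFormation StackSets and AWS Organizations to be enabled in the management account before this stack will deploy.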

For further background on this topic, see this YouTube video.

