
118. The landing zone: Managing multiple AWS accounts 

AWS Bites

In this episode, we provide an introductory overview of AWS's best practices for managing infrastructure using multiple accounts under an organization. We discuss the advantages of this approach and how to get started creating your own multi-account environment, or "landing zone".
💰 SPONSORS 💰
AWS Bites is brought to you by fourTheorem, an AWS Partner that does CLOUD stuff well, including helping you set up your AWS organisation! If that’s something you are looking for, go to fourtheorem.com to read more about us and to get in touch!
🔖 Chapters:
00:00 Intro
01:24 What is a Landing Zone?
01:58 The advantages of having multiple AWS accounts
07:10 What are the benefits for an individual who isn't leveraging AWS extensively?
10:06 How to organise AWS accounts effectively?
14:54 AWS Services and tools that you can use to set up your organisation (AWS Organizations, IAM Identity Center, and Control Tower)
18:12 Tools to manage accounts and organisations using Infrastructure as Code (IaC)
22:56 Tools to get temporary programmatic access (Granted, Leapp, CloudGlance, etc)
24:38 Summary and wrap up
In this episode, we mentioned the following resources:
- AWS Definition of Landing Zone: docs.aws.amazon.com/prescript...
- Series of articles "Managing AWS accounts like a PRO": fourtheorem.com/managing-aws-...
- AWS Organizations service: docs.aws.amazon.com/organizat...
- IAM Identity Center service: docs.aws.amazon.com/singlesig...
- Control Tower: docs.aws.amazon.com/controlto...
- org-formation: github.com/org-formation/org-...
- Our previous episode "AWS Governance and landing zone with Control Tower, OrgFormation and Terraform": awsbites.com/96-aws-governanc...
- granted.dev: granted.dev
- AWS SSO util: github.com/benkehoe/aws-sso-util
- Leapp: www.leapp.cloud/
- Cloud Glance: cloudglance.dev/
You can listen to AWS Bites wherever you get your podcasts:
- Apple Podcasts: podcasts.apple.com/us/podcast...
- Spotify: open.spotify.com/show/3Lh7Pzq...
- Google: podcasts.google.com/feed/aHR0...
- Breaker: www.breaker.audio/aws-bites
- RSS: anchor.fm/s/6a3312a0/podcast/rss
Do you have any AWS questions you would like us to address?
Leave a comment here or connect with us on X, formerly Twitter:
- / eoins
- / loige
#AWS #organization #security #IAM #login #credentials #landingzone

Published: 25 Jun 2024

Comments: 4
3 months ago
Very informative episode. ADF (Amazon Deployment Framework) is another interesting framework for creating and managing accounts. It has drawbacks (like not using CDK v1 and being released slowly) but can be integrated with Control Tower, and you can define and create pipelines in the CI/CD account.
@AWSBites 3 months ago
Great addition, thanks! We haven't come across ADF in the wild but we'll definitely keep an eye on its progress.
@SonOfSofaman 3 months ago
Another great episode, as always. Thanks for sharing your knowledge. You mentioned using email aliases (using "plus" notation) to satisfy the distinct email address requirement for each account. It occurred to me that if the inbox to which all the aliases are associated were compromised, an attacker would have a list of every account in the org including each account's unique email address. Enabling MFA on every account is a no-brainer, and ideally the email inbox should have MFA enabled as well, but it does feel like putting all your eggs in one basket. Maintaining multiple distinct email inboxes is certainly a lot of work, but maybe it's worth it? Or is MFA sufficient protection?
@AWSBites 3 months ago
Good question! Like you say, root account MFA is essential. I guess if the management account root email was compromised, you'd be in a similar situation anyway. I would go for the simplicity of email aliases. It's very difficult to do account creation automation (Account Factory) and enforce a unique primary email inbox for each account.
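The thread above weighs plus-addressed aliases (one inbox behind every account's root email) against separate mailboxes. A defender can at least measure the resulting concentration before deciding how hard to protect that inbox. The script below is an added example, not code from AWS Bites or either commenter: it takes account records shaped like the `Accounts` list that `aws organizations list-accounts` returns (the `Id`, `Name` and `Email` fields are real; the sample values are constructed), collapses each root email to the mailbox that actually receives it by dropping the `+tag` sub-address, and reports which inboxes would expose more than one account if compromised.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the "Accounts" list returned by
# `aws organizations list-accounts` (only the fields used here are kept).
SAMPLE_ACCOUNTS = [
    {"Id": "111111111111", "Name": "management", "Email": "aws-root@example.com"},
    {"Id": "222222222222", "Name": "prod",       "Email": "aws-root+prod@example.com"},
    {"Id": "333333333333", "Name": "staging",    "Email": "AWS-Root+staging@Example.COM"},
    {"Id": "444444444444", "Name": "security",   "Email": "secops@example.org"},
    {"Id": "555555555555", "Name": "logging",    "Email": "aws-root+logging@example.com"},
]

_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def canonical_inbox(email: str) -> str:
    """Map a root-user email to the mailbox that actually receives it.

    AWS requires a unique string per account, but a '+tag' sub-address
    (aws-root+prod@...) is delivered to the same inbox as aws-root@...,
    so the tag is dropped and both halves are lower-cased. Dots in the
    local part are kept: only some providers ignore them, and treating
    them as significant is the conservative choice for this check.
    """
    email = email.strip()
    if not _EMAIL_RE.match(email):
        raise ValueError(f"not an email address: {email!r}")
    local, _, domain = email.partition("@")
    local = local.split("+", 1)[0]
    return f"{local.lower()}@{domain.lower()}"


def group_by_inbox(accounts):
    """Return {inbox: [account ids]} for the given account records."""
    groups = defaultdict(list)
    for acct in accounts:
        groups[canonical_inbox(acct["Email"])].append(acct["Id"])
    return dict(groups)


def shared_inboxes(accounts):
    """Inboxes that would expose more than one account if compromised."""
    return {inbox: ids for inbox, ids in group_by_inbox(accounts).items() if len(ids) > 1}


def largest_inbox_share(accounts) -> float:
    """Fraction of all accounts reachable from the single most-used inbox."""
    if not accounts:
        return 0.0
    biggest = max(len(ids) for ids in group_by_inbox(accounts).values())
    return biggest / len(accounts)


if __name__ == "__main__":
    for inbox, ids in sorted(shared_inboxes(SAMPLE_ACCOUNTS).items()):
        print(f"{inbox}: {len(ids)} accounts -> {', '.join(ids)}")
    print(f"largest inbox holds {largest_inbox_share(SAMPLE_ACCOUNTS):.0%} of accounts")
```

To run it against a real organisation, replace `SAMPLE_ACCOUNTS` with the parsed output of `aws organizations list-accounts --query Accounts` from the management account. The script does not settle the aliases-versus-separate-inboxes question; it only makes the blast radius of one mailbox visible so that the shared inbox can be treated as the sensitive asset it is (MFA, a dedicated mailbox with restricted membership, and monitoring of password-reset mail for those root users).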