Hello avatars, here to talk today about AWS account strategy. This is an example of a higher-level topic that junior and mid-level engineers would even get to contribute to; it is an org-level technology decision. Account structure can be a source of great efficiency or of tech debt; it just depends on how well you designed the structure. My firm's account structure follows the same principles. Messing account strategy up *will* cost your firm millions. I know because I messed our data lake up and we had to rebuild it.
AWS Account Strategy
AWS Organizations Primer
AWS Organizations is the service that makes having multiple accounts easy and allows for some of the fancy hierarchy rules we can do. Each Organization has a root account, and can contain organizational units (OUs; think of an OU as a container for member accounts) and member accounts. This makes it easy to group accounts and apply service control policies (SCPs) to accounts or OUs; SCPs are IAM-style policies applied at the account or OU level. OUs can also contain other OUs, so nested OUs exist, but that is where things may get too complicated.
Turbo Note: root user permissions cannot be decreased or diminished on AWS accounts, UNLESS there is an SCP from the root account applied to a member account. In that case you can limit the permissions of the root user of that member account. Tough interview question.
It is beneficial to group accounts into OUs based on function or requirements. That makes it easier to apply SCPs and automated provisioning templates to accounts with similar needs.
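As an added example (not code from the post), here is the kind of Deny-only guardrail SCP you would attach to a workload OU, together with a check of the syntax rules SCP documents must satisfy and a simplified evaluation showing that the denies bind even a member account's root user. The Sid names, the region list and the scp_denies helper are assumptions of this example, not anything AWS ships.

```python
import json
from fnmatch import fnmatch

SCP_MAX_BYTES = 5120  # AWS quota for a single SCP document

def guardrail_scp(allowed_regions):
    """Deny-only guardrail SCP for a workload OU (constructed example).
    Attached at the OU, it also binds the root user of each member account."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyLeavingOrg", "Effect": "Deny",
         "Action": ["organizations:LeaveOrganization"], "Resource": "*"},
        {"Sid": "ProtectCloudTrail", "Effect": "Deny",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
         "Resource": "*"},
        {"Sid": "DenyUnapprovedRegions", "Effect": "Deny",
         "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"],
         "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": allowed_regions}}}]}

def validate_scp(doc):
    """Return SCP-syntax problems (empty list = OK): no Principal element,
    Resource required, size cap, and Allow statements only as bare
    Resource "*" with no Condition or NotAction."""
    problems = []
    size = len(json.dumps(doc, separators=(",", ":")).encode())
    if size > SCP_MAX_BYTES:
        problems.append(f"document is {size} bytes, limit {SCP_MAX_BYTES}")
    for i, st in enumerate(doc.get("Statement", [])):
        sid = st.get("Sid", f"statement {i}")
        if "Principal" in st or "NotPrincipal" in st:
            problems.append(f"{sid}: SCPs cannot contain a Principal")
        if "Resource" not in st and "NotResource" not in st:
            problems.append(f"{sid}: Resource is required")
        if st.get("Effect") == "Allow" and (st.get("Resource") != "*"
                or "Condition" in st or "NotAction" in st):
            problems.append(f"{sid}: Allow must use Resource '*' with no Condition/NotAction")
    return problems

def scp_denies(doc, action, region):
    """Simplified Deny evaluation for one API call by any principal, root
    included; only the aws:RequestedRegion StringNotEquals condition is modelled.
    Returns the Sid of the matching Deny, or None."""
    for st in doc["Statement"]:
        if st.get("Effect") != "Deny":
            continue
        match = lambda pats: any(fnmatch(action.lower(), p.lower()) for p in pats)
        hit = match(st["Action"]) if "Action" in st else not match(st["NotAction"])
        cond = st.get("Condition", {}).get("StringNotEquals", {})
        if "aws:RequestedRegion" in cond:
            hit = hit and region not in cond["aws:RequestedRegion"]
        if hit:
            return st["Sid"]
    return None
```

Real SCP evaluation also intersects with IAM policies and inherited SCPs up the OU tree; this helper only models the Deny side, which is the part that reaches the root user.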
Turbo Note: The default service quota for AWS Organizations is 10 accounts per Organization. I've heard of this being raised to over 250, so no worries if you happen to be at a large enterprise.
There are some limited use cases where having multiple Organizations could make sense, but they are rare. I wouldn't worry about it; a single Organization is the default best practice recommended by AWS.
Why Use Multiple Accounts
First, accounts are free, so there is no monetary consideration in how many accounts you should have.
One of the primary underlying reasons to have a multi-account strategy is to *facilitate automation*, and this manifests in different ways. Remember, cloud makes financial sense because you can automate everything. Management wants to automate to save money and reduce risk. But here are all of the big reasons a multi-account strategy is beneficial:
Subscribe to Software Architecture with BowTiedCelt to keep reading this post and get 7 days of free access to the full post archives.