Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
AWS Certified Developer Associate Certification and Beyond

You're reading from   AWS Certified Developer Associate Certification and Beyond A comprehensive guide to help you succeed in the AWS DVA-C02 certification exam

Arrow left icon
Product type Paperback
Published in Jul 2024
Publisher Packt
ISBN-13 9781801819299
Length 710 pages
Edition 1st Edition
Arrow right icon
Authors (2):
Arrow left icon
Rajesh Daswani Rajesh Daswani
Author Profile Icon Rajesh Daswani
Rajesh Daswani
Dorian Richard Dorian Richard
Author Profile Icon Dorian Richard
Dorian Richard
Arrow right icon
View More author details
Toc

Table of Contents (19) Chapters Close

Preface 1. Chapter 1: Introduction to AWS Accounts and Global Infrastructure FREE CHAPTER 2. Chapter 2: Securing Access with AWS Identity and Access Management 3. Chapter 3: Understanding Object Storage with Amazon S3, Hybrid Storage, and Static Website Hosting 4. Chapter 4: Building Private Networks in the Cloud with Amazon VPC 5. Chapter 5: Understanding AWS Compute Services with Amazon EC2 and Storage Options 6. Chapter 6: Managing Multiple Datasets with AWS Relational and Non-Relational (NoSQL) Databases 7. Chapter 7: Building Application Solutions with High Availability, Elasticity, and Data Security 8. Chapter 8: Event-Driven Computing with AWS Lambda and Securing Access to Backend APIs with Amazon API Gateway 9. Chapter 9: Incorporating Edge Network Services to Connect to Your Application with Amazon CloudFront and Route 53 10. Chapter 10: Designing Deployment Strategies with AWS Elastic Beanstalk 11. Chapter 11: Deploying a Multi-Tier Application Stack with Amazon ECS, Fargate, and EKS 12. Chapter 12: Getting to Grips with DevOps Using AWS CI/CD Tools 13. Chapter 13: Building Infrastructure Using Code with CloudFormation and the Cloud Development Kit (CDK) 14. Chapter 14: Designing Serverless Applications with AWS Serverless Application Model (SAM) and AWS AppSync 15. Chapter 15: Decoupling the Application Stack and Managing Data Ingestion 16. Chapter 16: Monitoring with Amazon CloudWatch and AWS CloudTrail 17. Chapter 17: Accessing the Online Practice Resources 18. Other Books You May Enjoy

When One AWS Account Is Not Enough

While hosting all your different applications, workloads, and environments in a single account is possible, this can easily become difficult to manage. Each application requires a different environment to support the various stages of its lifecycle, such as development, testing, and production. Hosting multiple environments for multiple applications in a single account is possible, but this can quickly turn complicated. This complexity arises for various reasons, including the need to ensure separation and isolation of workloads and environments for security reasons or budget and cost allocation.

Furthermore, hosting all your application workloads and environments in a single AWS account increases the risk of significant mishaps, which could wipe out all your applications and their different stages of development.

Having a separate account for development, testing, and production and one (or multiple) separate account(s) for experimental workloads makes sense. As depicted in Figure 1.2, any adverse events in the sandbox (experimental) account will not affect workloads in the other accounts.

Figure 1.2 – AWS Organization – limiting the blast radius of major disasters

Figure 1.2 – AWS Organization – limiting the blast radius of major disasters

AWS highly recommends adopting a multi-account strategy and provides specific services to help build and manage such multiple accounts. In the following subsection, you’ll get to understand how AWS Organizations enable the secure and efficient management of multiple AWS accounts.

Introducing AWS Organizations

You can create several AWS accounts to help you separate different workloads or application life cycles. However, you need a mechanism to secure and manage them. You also need to define policies and permissions in the form of guardrails that allow you to specify what services can be consumed in each account, what resources can be deployed, and even what regions those accounts can deploy applications in. This ensures that you adhere to strict compliance and regulatory requirements for your industry and helps you meet corporate governance and management.

The AWS Organizations service is the ultimate tool to help you effectively provision and manage multiple AWS accounts. To set up AWS Organizations, you must designate an AWS account as the management account. This account hosts the actual AWS Organizations service for your business. You can then invite existing accounts or create additional AWS accounts that will become member accounts of the organization.

You can also have multiple member accounts in your AWS organization, where some share similar workloads or functions. For example, you may have multiple development accounts or multiple production accounts. These logical groups of accounts may share similar security requirements as well. To effectively manage these groups, you can create Organization Units (OUs), logical containers that club members’ accounts within the AWS Organization that share common workloads. So, for example, as depicted in the following diagram, we have three different OUs. Within each OU, you can place the relevant AWS accounts and apply policies and permissions that the members of the OU may share in the organization, as shown in Figure 1.3:

Figure 1.3 – AWS Organizations with OUs and SCPs

Figure 1.3 – AWS Organizations with OUs and SCPs

The number of AWS accounts required for your business is not a fixed quantity. It varies based on several factors including the functional needs of your business, the complexity of workloads, and the specific security and compliance requirements your business must adhere to. Often, you have some shared services accounts, too – for example, a separate identities account that can be used to centrally manage users (usually representing your colleagues or technical staff) and define the permissions on what they can do in your member accounts. Using a process known as cross-account access or single sign-on (SSO), discussed in Chapter 2, Securing Access with AWS Identity and Access Management, Federation, and Amazon Cognito, you will learn how these users can switch roles into other AWS accounts within your organization and carry out various job functions.

In the next subsection, we look at service control policies, a mechanism to enforce rules in how your AWS accounts are used, what services can be consumed, and even which regions you can access.

Service Control Policies (SCPs)

As depicted in Figure 1.2, you can apply SCPs that act as guardrails on what services can be consumed in each AWS account. SCPs are policy documents written in JavaScript Object Notation (JSON) format, and they enable you to define what type of resources can be deployed in your AWS account and what actions can be performed against those services. SCPs can also restrict which regions those accounts can provision resources in. The guardrails are designed to help ensure that only approved services can be accessed in your AWS accounts.

Note

SCPs do not define what individual users can do in your AWS account. They define the maximum permissions administrators can assign to those users and what actions against AWS services are permitted.

The AWS Identify and Access Management (IAM) service is then used to assign those permitted permissions to those individual users. We will look at the IAM service in greater detail in the next chapter.

SCPs are disabled when setting up AWS Organizations. When you enable them, a default SCP policy called FullAWSAccess is attached to the root and applied to any OUs and AWS accounts in the organization.

Note

You can also apply a policy at the account level.

SCPs follow a deny-by-default design. So, unless permission is defined to allow a specific action at all levels from the root, through OUs, and to the accounts in its path, it will be denied. When you first enable SCPs, the FullAWSAccess policy is applied at all levels from the root, through OUs, and, finally, directly to accounts; there are no restrictions to any services or actions you can perform in your AWS accounts. You should then strategically plan and apply your policies to align with your corporate requirements.

If you detach the FullAWSAccess policy from a specific OU or account, you must ensure that you replace it with a policy that specifies the services you want to access and the actions you wish to perform. Otherwise, you cannot perform any actions in the account.

If you apply a deny permission at any level in the path of the account – that is, if you apply it at the root or the OU that contains the account – then the deny rule will override any conflicting allow permission.

In the following diagram, Figure 1.4, you will note two different configurations. In configuration A, permission to perform an action is applied at all levels, which results in the permission being allowed in Account B. However, in configuration B, permission to perform an action is being denied at the OU level, specifically applied to the Production OU. This results in the permission being denied in Account B, even though there is an explicit Allow rule being applied to this account. This is because a deny rule will always override an allow rule. Furthermore, allow permissions must be explicitly defined at all levels as the default rule is to deny the action.

Figure 1.4 – Comparing allow and deny rules for SCPs

Figure 1.4 – Comparing allow and deny rules for SCPs

SCP policies can have multiple statements with allow and deny permissions. This makes it easy to draft and apply a single policy with both allow and deny permissions to an OU and account.

For example, you can attach the following policy to an OU (or member account). This would result in being able to perform all actions against all services except Amazon S3:

{
    "Version": "2012-10-17",
    "Statement": [
     {
            "Sid": "AllowsAllActions",
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        },
        {
            "Sid": "DenyAmazonS3", 
            "Effect": "Deny",
            "Action": "S3:*",
            "Resource": "*"
        }
    ]
}

It’s perfectly fine if the structure of the policy seems a bit complex at this point; you’ll delve into the details of JSON policy documents in the upcoming chapter.

With AWS Organizations, you can also manage the costs associated with your AWS accounts more effectively using the Consolidated Billing feature, which is included as part of the service. The management account is responsible for charges incurred by individual member accounts, and you are provided with a consolidated view of those charges. One of the key benefits of this feature is volume discounts. By combining the costs across your accounts, you can get discounts when your total charges cross certain volume discount thresholds.

Furthermore, you can use AWS Organizations to share certain resources across your member accounts. For example, you may wish to share certain network resources, such as VPC subnets, or share reserve instances purchased across member accounts. VPC subnets are further discussed in Chapter 4, Building Private Networks in the Cloud with Amazon VPC.

This section analyzed the use case for architecting a multi-account strategy on AWS. We also looked at how to centrally create and manage multiple AWS accounts and apply SCPs to establish guardrails on what services can be consumed in those accounts. By now, it is evident that meticulous preparation is essential before starting your cloud journey with AWS, incorporating security best practices, and enforcing corporate governance.

In the next section, we look at another AWS service that allows you to set up and manage multiple AWS accounts following recommended guidelines and build landing zones.

AWS Control Tower

As discussed, planning and creating a multi-account strategy for your AWS journey will enable you to ensure higher levels of security, governance, compliance, and cost efficiency. However, building a multi-account environment can become very complex and time-consuming. You need to decide how many AWS accounts you will need, whether certain accounts will be used for internal shared services, and how many environments you will need to cater to.

AWS offers tools to help you build multi-account environments that follow best practices and adhere to well-architected principles using AWS Landing Zone. These blueprints will help design and architect a multi-account deployment, offering IAM, governance, data security, and audit logging capabilities.

To help automate the deployment of multiple accounts using these recommended blueprints, AWS offers a service known as AWS Control Tower. This service can automatically implement your landing zone to include the following:

  • Your AWS Organizations and any member accounts for your various workloads and environments
  • An IAM service that offers AWS SSO default directory services
  • Account federation using SSO
  • Centralized logging using AWS CloudTrail and AWS Config

Using AWS Control Tower, you can also select pre-packaged governance rules for security, operations, and compliance and apply them to the entire enterprise or specific groups of accounts.

The AWS Control Tower service also has a dashboard feature enabling you to view your AWS environment. Using the dashboard, you can see the various OUs and accounts provisioned and the number of guardrails defined and applied to the various OUs and accounts.

In this section, we looked at how you can automate the design and implementation of your multi-account strategy using AWS-recommended blueprints that adhere to its well-architecting principles.

In the next section, we will have a look at the options available to access your AWS account(s).

You have been reading a chapter from
AWS Certified Developer Associate Certification and Beyond
Published in: Jul 2024
Publisher: Packt
ISBN-13: 9781801819299
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image