Is your enterprise workload deployed in a single AWS account? Are you not using multi-account? Hurry up and rethink your AWS account strategy. Quick read.
Karthik Nair
5x AWS certified | Speaker | Principal Solution Architect | Cloud evangelist | AWS Community Builder
When organizations first started using AWS, the most common approach was a single AWS account: one root account, registered to one email address, hosting the entire enterprise workload. The owner was usually the head of the IT department or a similar person accountable for the IT operations of the enterprise. Departments and their projects were segregated using VPC subnets, and the required fencing was set up with AWS network ACLs (NACLs). So the setup was one VPC with multiple subnets running departmental workloads, a model that closely resembles on-premises workload placement.
The reference architecture above shows a single VPC with multiple subnets.
Multi-VPC Strategy
As the number of workloads and the usage of cloud services grew, the complexity of managing this architecture escalated and the single-VPC model failed to scale. The industry adopted a multi-VPC structure to overcome this problem.
Construct of Multi-VPC
- VPCs were created per internal department, project or environment (Prod, Dev and QA).
- VPC peering connected each VPC to a central/shared VPC hosting common infrastructure services such as Active Directory, DNS, anti-virus and other security services (anti-spam, IPS, third-party firewalls). VPC peering was also used between VPCs that needed direct communication, for example SAP production to QA for non-production refreshes.
The multi-VPC scenario still had many caveats.
- IAM was shared between all VPCs in an account.
- Even though the VPCs were dedicated, all other AWS services such as S3 and RDS were still shared, which kept separation of duties complex.
- Service limits were one of the major challenges in multi-VPC. A large EC2 deployment in project 1 could deny an emergency EC2 deployment for project 2. Soft limits can be lifted through a service limit request, but the project or department is still blocked temporarily, and a hard limit can be a road blocker.
- Limited chargeback. Billing segregation is managed through tags, but a few billing components such as data transfer/egress charges and Route 53 query charges cannot be segregated, so chargebacks can be incomplete.
- Large attack radius when the account is compromised through non-VPC services such as S3 or RDS.
Multi-VPC is a logical separation that still has scalability limitations.
Multi-Account
This solves all the caveats captured above and can be considered physical separation in the cloud. For the last couple of years, AWS and most enterprises have adopted a multi-account strategy. AWS Landing Zone and AWS Control Tower ease the design and deployment of a multi-account strategy.
While I agree that multi-account resolves the challenges that arose with multi-VPC, do I really need to consider multiple accounts for a simple, single application? Although the answer can vary, the simplest answer is “Yes”. A single account may solve the first-line problems of a simple application, but scalability will become an issue in the future. Considering all this, we should start with multi-account even for simple applications.
AWS Landing Zone provides guiding principles and best practices for multi-account.
AWS Landing Zone lays a strong foundation with best practices such as separate accounts for shared services, security services and logging for your organization. AWS has also understood the complexity of multi-account and rolled out services to manage it; let us detail them.
AWS Organizations:- This service helps you centrally manage and govern your environment as you grow and scale your AWS resources. AWS Organizations is integrated with other AWS services so you can define central configurations, security mechanisms, audit requirements, and resource sharing across accounts in your organization.
The above diagram depicts a detailed AWS Organizations structure and the mapping of services to the function of each AWS account.
AWS Control Tower:- This solution can save time by automating the setup of an environment for running secure and scalable workloads, while implementing an initial security baseline through the creation of core accounts and resources. It also provides a baseline environment to get started with a multi-account architecture, identity and access management, governance, data security, network design, and logging.
Advantages of Multi-account
Freedom of choice:- You may decide to create separate AWS accounts per internal department or per project. A dedicated-account strategy gives developers and application owners the highest freedom to test anything, within the security controls of your organization.
Reduced blast radius:- An attack on a vulnerability in one account does not impact the operation of other AWS accounts. Assume credentials from one of your accounts are compromised: only the services and assets in that account have the potential to be hacked; services and assets in other accounts keep functioning without any challenges.
Cross-account access through AWS Organizations can help perform a security takeover in the event of a hack and carry out forensic activities.
Easy implementation of regulatory compliance:- Suppose one application in your stack needs to adhere to PCI-DSS; you can implement strict controls for that account while relaxed security controls are set up on the other accounts. The overhead of managing compliance in a multi-application environment is easier to handle through multi-account.
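The central security mechanisms that AWS Organizations provides, the exemption for a security account's incident-response role, and the stricter controls for a PCI account are all expressed in practice as service control policies (SCPs) attached to organizational units. The following is an added example, not code from the article or from AWS: it writes a baseline SCP for a "Workloads" OU and a stricter one for a "PCI" OU, then checks a few API calls against them with a small offline evaluator. The account ids, OU names and the `SecurityIncidentResponder` role are constructed placeholders, and the evaluator deliberately models only the subset of SCP semantics the two policies use (explicit Deny, Action/NotAction wildcards, the four String condition operators); it is a teaching model, not a substitute for the IAM policy simulator.

```python
"""Organization-level guardrails as service control policies (SCPs), with a
small offline evaluator that reports which API calls each policy blocks.

Hypothetical example added to this article; it is not AWS code or a policy
simulator. Account ids, OU names and role names are constructed placeholders.
Only Deny statements, Action/NotAction wildcards and the String* condition
operators are modelled; Resource matching and other operators are not."""
import fnmatch
import json

SECURITY_ACCOUNT_ID = "111111111111"  # constructed placeholder
BREAK_GLASS_ROLE = f"arn:aws:iam::{SECURITY_ACCOUNT_ID}:role/SecurityIncidentResponder"

# Baseline SCP for a "Workloads" OU: member accounts cannot switch off the
# organization's audit and detection tooling or leave the organization.
# Only the security account's incident-response role is exempt.
BASELINE_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ProtectAuditAndDetection",
        "Effect": "Deny",
        "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                   "guardduty:DeleteDetector", "securityhub:DisableSecurityHub",
                   "config:DeleteConfigurationRecorder", "organizations:LeaveOrganization"],
        "Resource": "*",
        "Condition": {"StringNotLike": {"aws:PrincipalArn": BREAK_GLASS_ROLE}},
    }],
}

# Stricter SCP for a "PCI" OU: the baseline plus a region pin. Global services
# are exempted through NotAction; the exemption list is illustrative only.
PCI_SCP = {
    "Version": "2012-10-17",
    "Statement": BASELINE_SCP["Statement"] + [{
        "Sid": "PinToApprovedRegions",
        "Effect": "Deny",
        "NotAction": ["iam:*", "sts:*", "organizations:*", "cloudfront:*",
                      "route53:*", "support:*"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}},
    }],
}

# Condition operators this model understands: actual value vs. list of expected values.
_OPS = {
    "StringEquals": lambda actual, exp: actual in exp,
    "StringNotEquals": lambda actual, exp: actual not in exp,
    "StringLike": lambda actual, exp: any(fnmatch.fnmatchcase(actual, e) for e in exp),
    "StringNotLike": lambda actual, exp: not any(fnmatch.fnmatchcase(actual, e) for e in exp),
}


def _action_in_scope(stmt: dict, action: str) -> bool:
    """A statement covers an action if it matches an Action pattern or, for a
    NotAction statement, matches none of them. Action names are case-insensitive."""
    key = "NotAction" if "NotAction" in stmt else "Action"
    patterns = stmt[key] if isinstance(stmt[key], list) else [stmt[key]]
    hit = any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)
    return not hit if key == "NotAction" else hit


def _condition_holds(condition: dict, context: dict) -> bool:
    """Every operator/key pair must hold; a missing context key reads as ''."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = expected if isinstance(expected, list) else [expected]
            if not _OPS[operator](context.get(key, ""), expected):
                return False
    return True


def denied_by_scp(policy: dict, action: str, context: dict) -> bool:
    """True if an explicit Deny statement in the SCP matches the request.
    An SCP never grants access by itself: 'not denied' only means the call
    continues to normal IAM evaluation inside the member account."""
    return any(stmt["Effect"] == "Deny"
               and _action_in_scope(stmt, action)
               and _condition_holds(stmt.get("Condition", {}), context)
               for stmt in policy["Statement"])


def demo() -> dict:
    # A developer role in a member account, the same role calling from an
    # unapproved region, and the security account's break-glass role.
    dev = {"aws:PrincipalArn": "arn:aws:iam::222222222222:role/Developer",
           "aws:RequestedRegion": "eu-west-1"}
    dev_us = dict(dev, **{"aws:RequestedRegion": "us-east-1"})
    responder = dict(dev, **{"aws:PrincipalArn": BREAK_GLASS_ROLE})
    return {
        "dev_stops_trail": denied_by_scp(BASELINE_SCP, "cloudtrail:StopLogging", dev),
        "responder_stops_trail": denied_by_scp(BASELINE_SCP, "cloudtrail:StopLogging", responder),
        "dev_puts_object": denied_by_scp(BASELINE_SCP, "s3:PutObject", dev),
        "pci_dev_ec2_in_us": denied_by_scp(PCI_SCP, "ec2:RunInstances", dev_us),
        "pci_dev_ec2_in_eu": denied_by_scp(PCI_SCP, "ec2:RunInstances", dev),
        "pci_dev_iam_in_us": denied_by_scp(PCI_SCP, "iam:GetRole", dev_us),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The two policy documents are valid SCP JSON and could be attached with the Organizations API as they stand; the evaluator exists only so the reader can see, without an AWS account, that the developer is blocked from stopping CloudTrail while the security account's responder is not, and that the PCI OU additionally rejects regional calls outside the approved regions while still allowing global services such as IAM.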
While the above are advantages of multi-account, there are certain operational challenges in this approach.
1. Identity and Access Management:- As the number of accounts grows, managing the authentication mechanism, AWS IAM, becomes complex. Your organization's password policies need to be set up in each account, which is time consuming and takes effort. This problem can be solved using identity federation.
1.a Identity federation:- An enterprise may already have an identity mechanism such as Microsoft Active Directory or LDAP, which should be leveraged for the cloud as well. The cloud then acts as an identity consumer instead of setting up a new identity provider. AWS has integration capabilities with Microsoft Active Directory, LDAP and other IdPs, including Security Assertion Markup Language 2.0 (SAML 2.0), OpenID Connect (OIDC) and OAuth 2.0.
1.b AWS SSO:- AWS SSO makes it easy to centrally manage federated access to multiple AWS accounts and business applications and provides users with single sign-on access to all their assigned accounts and applications from one place. AWS SSO seamlessly leverages IAM permissions and policies for federated users and roles to help you manage federated access centrally across all AWS accounts in your AWS organization. With AWS SSO, you can assign permissions based on group membership in your IdP’s directory, and then control access for your users simply by modifying users and groups in the IdP.
2. Distributed security:- Since every account can have a dedicated internet exit point (not mandatory), implementing security to protect your workload is complex. You would have to deploy security tools such as firewalls, IPS and other solutions in each account, which escalates the cost of the security solutions.
3. Transit Gateway:- AWS Transit Gateway is one solution for consolidating VPCs for data exchange. In our context, all VPCs of an organization should attach to a Transit Gateway and share common network channels such as VPN and Direct Connect, i.e. you can have one VPN to your corporate network attached to the corporate AWS Transit Gateway, through which communication is established to all accounts. This reduces the complexity of attaching VPNs at the VPC level.
The VPCs can be in a single account or in separate accounts.
4. Security account:- One of the design recommendations of AWS Control Tower is a dedicated security account that runs security solutions such as URL filtering, firewall, IPS and data leak prevention centrally, so the same security posture is leveraged by all your workloads spread across multiple AWS accounts. This reduces the cost of running a separate set of solutions in each account. You can still have stringent and non-stringent policies managed from the central security account.
The above is the reference architecture for hosting edge (network) services and security solutions in a separate AWS account and leveraging that standard solution across all other AWS accounts.
Since there are many security solutions and native AWS security services, alert consolidation is critical to ensure you have deep knowledge of security events across your AWS accounts. Failure to identify a security event is a potential security threat to the landscape.
AWS Security Hub:- AWS Security Hub gives you a comprehensive view of your security alerts and security posture across your AWS accounts. With Security Hub, you now have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Identity and Access Management (IAM) Access Analyzer, and AWS Firewall Manager, as well as from AWS Partner solutions.
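Once Security Hub is aggregating findings from member accounts into the security account, the operational question is how to turn that stream into "which account needs attention first". The following is an added example, not code from the article or from AWS, that consolidates a constructed sample of findings shaped like the AWS Security Finding Format (ASFF) fields Security Hub returns (AwsAccountId, ProductName, Severity.Label, Title, RecordState, Workflow.Status): it drops findings that are archived, resolved or suppressed, counts open findings per account and severity, and ranks the accounts that cross an escalation threshold. The account ids, product names and titles in the sample are placeholders; in a real deployment the list would come from GetFindings in the Security Hub administrator account.

```python
"""Consolidating Security Hub findings from several member accounts.

Added example for this article, not AWS code. SAMPLE_FINDINGS is a constructed
sample carrying the ASFF fields used below; account ids and titles are
placeholders. In production the findings would come from the Security Hub
administrator account (GetFindings) rather than an inline list."""
from collections import Counter, defaultdict

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFORMATIONAL": 0}

SAMPLE_FINDINGS = [  # constructed sample, not real findings
    {"AwsAccountId": "222222222222", "ProductName": "GuardDuty",
     "Severity": {"Label": "HIGH"}, "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
     "Title": "EC2 instance is querying a domain associated with crypto-mining"},
    {"AwsAccountId": "222222222222", "ProductName": "Security Hub",
     "Severity": {"Label": "MEDIUM"}, "RecordState": "ACTIVE", "Workflow": {"Status": "NOTIFIED"},
     "Title": "S3 bucket has server access logging disabled"},
    {"AwsAccountId": "333333333333", "ProductName": "Inspector",
     "Severity": {"Label": "CRITICAL"}, "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
     "Title": "Package with a known remote code execution vulnerability installed"},
    {"AwsAccountId": "333333333333", "ProductName": "Macie",
     "Severity": {"Label": "LOW"}, "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
     "Title": "Sensitive data identified in S3 object"},
    {"AwsAccountId": "333333333333", "ProductName": "GuardDuty",
     "Severity": {"Label": "HIGH"}, "RecordState": "ARCHIVED", "Workflow": {"Status": "RESOLVED"},
     "Title": "IAM credentials used from a known malicious IP"},
    {"AwsAccountId": "444444444444", "ProductName": "IAM Access Analyzer",
     "Severity": {"Label": "MEDIUM"}, "RecordState": "ACTIVE", "Workflow": {"Status": "SUPPRESSED"},
     "Title": "IAM role trust policy allows access from an external account"},
]


def active_findings(findings):
    """Keep findings that are still open: RecordState ACTIVE and not already
    RESOLVED or SUPPRESSED in the Security Hub workflow."""
    return [f for f in findings
            if f.get("RecordState") == "ACTIVE"
            and f.get("Workflow", {}).get("Status") not in ("RESOLVED", "SUPPRESSED")]


def summarize_by_account(findings):
    """Open findings per account, broken down by severity label."""
    summary = defaultdict(Counter)
    for f in active_findings(findings):
        summary[f["AwsAccountId"]][f["Severity"]["Label"]] += 1
    return {account: dict(counts) for account, counts in summary.items()}


def prioritize(findings, top_n=5):
    """The top_n open findings, most severe first (stable order within a severity)."""
    ranked = sorted(active_findings(findings),
                    key=lambda f: SEVERITY_RANK.get(f["Severity"]["Label"], -1),
                    reverse=True)
    return [(f["AwsAccountId"], f["Severity"]["Label"], f["ProductName"], f["Title"])
            for f in ranked[:top_n]]


def accounts_needing_escalation(findings, threshold="HIGH"):
    """Accounts holding at least one open finding at or above the threshold."""
    floor = SEVERITY_RANK[threshold]
    return sorted({f["AwsAccountId"] for f in active_findings(findings)
                   if SEVERITY_RANK.get(f["Severity"]["Label"], -1) >= floor})


if __name__ == "__main__":
    for account, counts in summarize_by_account(SAMPLE_FINDINGS).items():
        print(account, counts)
    for row in prioritize(SAMPLE_FINDINGS, top_n=3):
        print(row)
    print("escalate:", accounts_needing_escalation(SAMPLE_FINDINGS))
```

The workflow filter matters as much as the severity sort: a finding a team has already marked RESOLVED or SUPPRESSED still appears in the raw feed, and counting it inflates the picture for that account. The threshold in accounts_needing_escalation is the knob to align with the stricter or more relaxed control level each account carries.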
AWS Firewall Manager:- Using AWS Firewall Manager, you can easily roll out AWS WAF rules for your Application Load Balancers, API Gateways, and Amazon CloudFront distributions. You can create AWS Shield Advanced protections for your Application Load Balancers, ELB Classic Load Balancers, Elastic IP addresses and CloudFront distributions. You can also configure new Amazon Virtual Private Cloud (VPC) security groups and audit any existing VPC security groups for your Amazon EC2, Application Load Balancer (ALB) and ENI resource types. Finally, with AWS Firewall Manager, you can also centrally deploy AWS Network Firewall across accounts and VPCs in your organization.
With all the above advantages, a multi-account strategy is the best fit for the enterprise. AWS itself offers many services, mentioned above, that reduce the complexity of multi-account and its operational challenges.
Start your design by leveraging the AWS multi-account setup tools.