Monolithic accounts considered harmful

jordangrimmer.artstation.com Monolithic accounts considered harmful Ben Whaley @iAmTheWhaley AWS Community
Day Bay Area

The monolithic account looms, threatening the security, manageability, and scalability
of entire organizations

VPCs, peering connections, and security groups proliferate IAM policies grow
like vines through the ashes of good intentions An EC2 Classic node huddles in a corner of us-west-1, weeping

An acrid haze blurs the billing statement. Mysterious and unexpected
costs are incurred in unfamiliar regions Administrators, architects, and security minded do-gooders watch helplessly as the account smolders in ruin

Fortunately, the multi-account security strategy offers a better way

Bask in the warm light of AWS Organizations Compartmentalization limits
blast radius Federated cross-account access with single sign-on/IdP Enforce security baselines Per account cost attribution

Identity account strategy VPC Peering Production Identity Account SAML authentication
via IdP AWS Console, API access Command & Control Development VPC Peering AssumeRole

Account creation 1. CreateAccount() - Creates an AWS account (asynchronously)
that is automatically a member of the organization whose credentials made the request. { "Email": "[email protected]", "AccountName": "Production Account" } 2. DescribeCreateAccountStatus() - Retrieves the current status of an asynchronous request to create an account. 3. AssumeRole(OrganizationAccountAccessRole) - Assume permissions in the new account. 4. Run CloudFormation templates to create standardized roles, complete trusted advisor steps, conﬁgure CloudTrail, etc 5. Set up MFA and root password 6. Add alternate contacts

management eu-west-1 10.20.0.0/16 Dev us-west-2 172.21.0.0/16 Staging us-west-2 172.22.0.0/16 Prod
us-west-2 172.23.0.0/16 Dev eu-west-1 10.21.0.0/16 Staging eu-west-1 10.22.0.0/16 Prod eu-west-1 10.23.0.0/16 C&C Development Production management us-west-2 172.20.0.0/16

Tips & Tools 1. Firefox Multi-Account Container + AWS Extend
Switch Roles add-ons 2. github.com/Versent/saml2aws for temporary API credentials 3. github.com/cloudtools/stacker for consistent cross-account roles, network conﬁguration 4. Use Lambda to export CloudWatch logs 5. Build and share AMIs centrally 6. Cross-account CloudWatch metrics

Challenges and limitations 1. Complexity and account sprawl 2. No
cross-region security group ID references 3. Avoiding IP range clashes 4. Limitations of Service Control Policies 5. One hour expiration for credentials obtained via role chaining 6. Tools and services still catching up with multi-account support

Ben Whaley @iAmTheWhaley Thanks for listening

Monolithic accounts considered harmful

Monolithic accounts considered harmful

Ben Whaley

More Decks by Ben Whaley

Other Decks in Technology

Featured

Transcript

jordangrimmer.artstation.com Monolithic accounts considered harmful Ben Whaley @iAmTheWhaley AWS Community

The monolithic account looms, threatening the security, manageability, and scalability

VPCs, peering connections, and security groups proliferate IAM policies grow

An acrid haze blurs the billing statement. Mysterious and unexpected

Fortunately, the multi-account security strategy offers a better way

Bask in the warm light of AWS Organizations Compartmentalization limits

Identity account strategy VPC Peering Production Identity Account SAML authentication

Account creation 1. CreateAccount() - Creates an AWS account (asynchronously)

management eu-west-1 10.20.0.0/16 Dev us-west-2 172.21.0.0/16 Staging us-west-2 172.22.0.0/16 Prod

Tips & Tools 1. Firefox Multi-Account Container + AWS Extend

Demo

Challenges and limitations 1. Complexity and account sprawl 2. No

Ben Whaley @iAmTheWhaley Thanks for listening