Untangle management account
0
I've inherited an AWS org that is a bit of a typical mess. The management account is also where the prod workloads are deployed.
Is there a way to enable this, perhaps creating a new account and re-casting it to be the new management account?
Moving resources is out of the question.
This seems like a common scenario I've already seen many times.
질문됨 한 달 전187회 조회
1개 답변
- 최신
- 최다 투표
- 가장 많은 댓글
0
Hi There
AWS best practice is to avoid running workloads in the management account. See https://docs.aws.amazon.com/organizations/latest/userguide/orgs_best-practices_mgmt-acct.html
Here's a high level overview of how to approach it:
- Create a new Org using AWS Control Tower, this way you get a clean Landing Zone with all of the AWS foundational best practices in place. See https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/basic-organization.html
- Invite the existing accounts to the new org
- AFter all of the child accounts have been moved, delete AWS Organizations and invite the existing Prod account to the new org as a child account.
Moving resources is out of the question.
Can you expand on this a bit?
But what happens with the billing and any secured discounts on the mgtm account?
I do not want to move any resources from one account to another.
BIlling- You will continue to get 2 bills until you bring the existing org management account into the new org. As soon as you bring the child accounts into the new org, billing becomes the responsibility of that management account.
Discounts- What discounts are you referring to? If these are discounts provided by your AWS Account team, your account manager will be able to cover this. If you are referring to savings plans/reserved instances, you can share these from any account. If you currently purchase these in the org management account, you should coordinate the movement of accounts with expiring plans, because you wont be able to move them to the new org without moving the account. The RI's and SP's stay with the account they are purchased in.