- Newest
- Most votes
- Most comments
All the answers in the post are correct. One to add is that I apprecaite you have the CP certification, however with highly experienced and certified people like my self, an answer here wouldnt be enough to point you in the right direction as there is so much to think about.
I would recommend you engage with an Architect like myself to help you discuss and design from the ground up.
Hi,
The canonical way of organizing your account for the future is to read this wp about AWS Organizations (1 of the best AWS wp for me...): https://docs.aws.amazon.com/pdfs/whitepapers/latest/organizing-your-aws-environment/organizing-your-aws-environment.pdf
If you follow this guidance, you'll be future-proof for any scaling coming up in your company.
Best,
Didier
Thank you for taking the time to reply! I will make sure to go through this paper at the earliest occasion. Cheers
Based on your company's situation and AWS best practices, here's a recommended approach to organize your AWS resources:
-
Create a single AWS account to start with, which will serve as your management account. This account will be the root of your organization.
-
Use AWS Organizations to create and manage multiple accounts. This allows for better security, cost management, and resource isolation.
-
Create separate AWS accounts for each environment (development, production) and for each distinct application or solution. In your case:
- One account for the internal label-studio annotating tool
- One account for the Grafana/InfluxDB/AWS IoT solution (development)
- One account for the Grafana/InfluxDB/AWS IoT solution (production)
-
Group these accounts into Organizational Units (OUs) based on their purpose. For example:
- Internal Tools OU: Contains the label-studio account
- Client Solutions OU: Contains both dev and prod accounts for the Grafana solution
-
Within each account, create IAM users for each employee who needs access. Avoid using the root user for day-to-day operations.
-
Implement IAM groups based on job functions or roles, such as:
- DataScientists
- Developers
- Administrators
-
Create IAM roles with appropriate permissions for each group. Assign users to groups, and then assign the corresponding roles to those groups.
-
Use IAM policies to define fine-grained permissions for each role, following the principle of least privilege.
-
Implement cross-account access using IAM roles. This allows employees to access resources in different accounts without needing separate credentials for each account.
-
Use AWS Single Sign-On (SSO) to manage access across all your AWS accounts, making it easier for employees to switch between accounts as needed.
This approach provides a scalable and secure foundation for your AWS environment. It allows for proper isolation between applications and environments while still enabling collaboration among team members. As your company grows and adds more projects or employees, you can easily expand this structure by creating new accounts, OUs, or IAM entities as needed.
Remember to implement other best practices such as enabling multi-factor authentication (MFA) for all users, using strong password policies, and regularly reviewing and auditing access permissions.
Sources
7 Tips to Maximize Your New AWS Account for Small to Medium Businesses | AWS Cloud Operations Blog
Managing an organization with AWS Organizations - AWS Organizations
Organizing Your AWS Environment Using Multiple Accounts - Organizing Your AWS Environment Using Multiple Accounts
Community | AWS Cloud Account Fundamentals: Five Essential Best Practices for Managing Cloud Cost
Thank you so much for taking the time to write such a clear and detailed answer! It confirms what I had read here and there, but puts it in a more concise and step-by-step format.
AWS Security Reference Architecture : https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/welcome.html
Please consider segmentation between non-production and production workloads as well as between applications. While the ultimate best practice is to use separate AWS accounts since an AWS account provides resource boundaries, using separate subnets, IAM Roles/Users and resource tagging can be employed within a single account in order to create separation of duties and make it easier to audit. Tagging resources also lets you do detailed cost reporting.
Thanks for taking the time to reply Secur3Kat! I will read this article and take your advice into account. Cheers
Relevant content
- asked a year ago
- asked a year ago
- Accepted Answerasked a year ago
- AWS OFFICIALUpdated 9 months ago
- AWS OFFICIALUpdated 3 months ago
- AWS OFFICIALUpdated 3 months ago
- AWS OFFICIALUpdated 5 months ago
Agreed, you may need some architecture guidance. AWS Professional Services has an offering called Landing Zone Accelerator that provides assistance designing a new AWS environment. Many certified AWS partners offer similar services. https://aws.amazon.com/contact-us/sales-support-partners/ can help you identify a certified partner to help.
Thanks for taking the time to reply Gary! I am training to get the Solutions Architect Associate certification at the moment but they don't show many use cases so it's difficult to figure out how to piece up all these blocks. Adeleke's answer below seems to be matching best practices.