Productionise Multi AWS Accounts

The below Diagram shows my current Account structure

org-formation – Overview

Taken from github org-formation; AWS Organization Formation is an Infrastructure as Code (IaC) tool for AWS Organizations.

org-formation orchestrates CloudFormation and AWS Organizations for account creation and resource provisioning

Tasks / Features

Tasks files can be added to enable a variety of Automated features such as:

• OrganizationAccountAccessRole restrictions (SCPs)
• Budget Alarms
• AWS Access Key Rotation checks
• Enabling CloudTrail
• Centralising and Enabling Guard Duty
• Many IAM Configurations (Password Policy, force MFA)
• Many S3 Configurations (Prohibit Read & Write, Enable encryption)
• VPC Security Groups conform to (user-defined) ALLOW list

This feature list is what I intend to implement on my Accounts.
For the full list of available org-formation features, please refer to the 40mb pdf

FYI on Tooling Decision

Control Tower? Terraform? CloudFormation? org-formation? CDK?…

• It is not the purpose of this post to go into the detailed comparisons of these tools.

I am an AWS Architect at Version 1, I have experienced all of the above tools used to produce Landing Zones for Clients.

org-formation (DAPx)

One of the Version 1 DAPx Landing Zone Accelerators is built upon org-formation, I have used this for my Landing Zone.

• It is not the purpose of this post to sell DAPx, please message me if you would like to know more about DAPx,

The below diagram shows the Target Account structure that is aligned to the best practices & architecture detailed in the ‘LZs, Organizations, OUs and Multi-Account Environments blog’

Development Summary

org-formation is a highly flexible and powerful toolkit, to prevent content bloat I will provide only a few code/console snippets for key important featues.

IAM Role – Account/OU Access

Secure Defaults

Budget Alarms

GuardDuty

AWS Config

Centralised AWS Config in the Master Account, AWS Config has access to all member/child accounts.
The LogArchive Bucket is in the LogArchive Account, this has Access Restrictions and Cleardown Policies by-default
AWS Config Findings Alerts (inc SNS Topic by-default), All AWS Config Managed Rules are available to use

CloudTrail

SCPs

The below diagram shows the final Account Structure & AWS Services that have now been implemented

Cleanup on isle “Config Findings”

These Config Rule Alerts include:

• access-keys-rotated
• iam-password-policy
• root-account-mfa-enabled
• s3-bucket-server-side-encryption-enabled
• vpc-sg-open-only-to-authorized-ports

Once I have remediated these I will feel a lot better about the security of my AWS accounts!

Thank you for reading, constructive feedback is welcomed.

About The Author

Colin Willis is a Senior AWS Architect, Architecture and DevOps team lead at Version 1, working on design & delivery solutions for clients.

About Version 1

Version 1 is a leader in Enterprise Cloud services and was one of the first AWS Consulting Partners in Europe. We are an AWS Premier Partner and specialise in migrating and running complex enterprise workloads in Public Cloud. Version 1 is a leader in Enterprise Cloud services and was one of the first AWS Consulting Partners in Europe. We have a policy of continuous investment in technology solutions that benefit our customers and are in the small number Amazon Web Services Partners to have achieved advanced partner status. Our team works closely with AWS to help our customers navigate the rapidly changing world of IT.