Cloud Architecture

How to organize Cloud accounts


The most fundamental tools for organizing and protecting Cloud resources are accounts: AWS accounts, GCP projects, and Azure Subscriptions. Cloud accounts are architectural elements that create management, fault, and security boundaries. But many organizations do not use them properly, which puts the organization and its customers at risk.

The Rule: Create a Cloud account for each major use case your organization operates in the Cloud.

This guide shows how to organize a large organization’s Cloud accounts to deliver changes and operate safely. Tailor this to fit your needs and feel free to contact us with questions.

Partition Accounts by Use Case

Let’s start with use cases shared across the organization, then examine those for running end-user applications.

Enterprise Use Cases

There are several use cases every Enterprise must support in their Cloud deployment (green). Provision accounts for:

Security
The Security account contains the organization’s Cloud API activity logs (CloudTrail) and resource configuration inventory (Config). Ingest these logs into log search tools in the Shared Services account.

Shared Services
Operate monitoring, logging, DNS, directory, and security tools in a Shared Services account. Collect telemetry from the cloud provider, your infrastructure, and your applications running in other accounts. People with high privileges in other accounts may use this data and services, but should not be able to modify operational telemetry.

Delivery
The Delivery account operates the powerful CI/CD systems that build applications and manage infrastructure. Operating CI/CD in a dedicated account simplifies securing that function.

Runtime Use Cases

Create ‘Runtime’ accounts for each business unit to develop, test, and operate their applications (blue). Optionally create accounts for sandbox and disaster recovery. Let’s see how this structure influences autonomy, security, and cost.

Partition by Business Unit

Most organizations have multiple business units. Provisioning Runtime accounts for each business unit decouples decision making and access management between business units. This provides the freedom necessary for business units to get their jobs done with minimal coordination. Recognize that these choices will guide relationships between people and services within the enterprise going forward.

Autonomy

Architecture, team structure, deployment, and operational practices that do the work to deliver applications vary across business units. Recognizing and accepting differences helps business units coexist and adopt the Cloud in harmony instead of battling over standards.

Security and Safety

IAM users, roles, and policies are scoped to an account. Consequently, an engineer or application in one business unit can use resources without affecting another business unit. This limits the risk of security compromises, too: an attacker with a foothold in one business unit cannot automatically access another. Cross-account access can be enabled, but it must be granted explicitly.
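The two points above, a Shared Services role that lets other accounts read telemetry but not modify it, and cross-account access that exists only where a trust policy explicitly grants it, as an added Python example that is not part of the original guide. The account ids, ExternalId value and the exact action list are constructed placeholders, and the evaluator simplifies IAM by matching on actions only (no resource or condition checks).

```python
"""Cross-account, read-only access to Shared Services telemetry (constructed example)."""
import json
from fnmatch import fnmatch

SHARED_SERVICES_ACCOUNT = "111111111111"  # placeholder account id
RUNTIME_ACCOUNT = "222222222222"          # placeholder account id


def trust_policy(principal_account: str, external_id: str) -> dict:
    """Who may assume the role: only the named account, and only with the agreed ExternalId.
    Without a statement like this, no other account can assume the role at all."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{principal_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permissions_policy() -> dict:
    """What the role may do: read logs and metrics; explicitly deny writes and deletes."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Resource": "*",
             "Action": ["logs:Describe*", "logs:Get*", "logs:FilterLogEvents",
                        "logs:StartQuery", "logs:StopQuery",
                        "cloudwatch:Get*", "cloudwatch:List*", "cloudwatch:Describe*"]},
            {"Effect": "Deny", "Resource": "*",
             "Action": ["logs:Put*", "logs:Delete*", "logs:Create*",
                        "cloudwatch:Put*", "cloudwatch:Delete*"]},
        ],
    }


def is_allowed(policy: dict, action: str) -> bool:
    """Simplified IAM evaluation: an explicit Deny beats any Allow; no match means Deny."""
    decision = False
    for stmt in policy["Statement"]:
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(fnmatch(action.lower(), a.lower()) for a in acts):  # IAM actions are case-insensitive
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


if __name__ == "__main__":
    print(json.dumps(trust_policy(RUNTIME_ACCOUNT, "constructed-external-id"), indent=2))
    print(json.dumps(permissions_policy(), indent=2))
```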

Cost Management

Tracking and managing AWS operational costs at the business unit level is straightforward in both AWS billing and third-party Cloud cost management tooling, because each account's spend maps directly to one business unit.

Partition by Delivery Phase

Most organizations have multiple phases of application delivery. Condense environments by purpose and deploy each environment into a separate account: dev, stage, and prod.

Autonomy

Application development teams can deploy changes and get feedback rapidly without fear of breaking downstream environments, particularly production.

Security and Safety

Varying a person’s permissions by delivery phase is straightforward when each phase has its own account. An IAM user or role in the dev account won’t automatically get the same permissions in stage or prod. This simplifies giving the right level of access to data and operations at each phase of delivery. Deleting databases may be ok in dev, but almost never in prod.

Partitioning accounts by delivery phase also demarcates audit boundaries and keeps non-prod accounts out of audit scope.

Cost Management

Partitioning by phase helps you understand how money is spent on each environment and set resource usage limits appropriately.

Summary

Organize Cloud accounts to support the distinct use cases, structure, and delivery processes of your organization. Partition use cases by account to create safe boundaries for activities and data that enable your organization to move quickly and safely.

Contact Us

Please contact us and we’ll be happy to answer any questions you may have.