fbpx
Search
Close this search box.

Must-Know Tips for Success in Managing Multiple AWS Accounts

Multiple AWS Accounts
In terms of AWS accounts, more is definitely better. But with the caveat that challenges exist and need to be overcome. We provide guidance and must-have tips to optimize your multiple AWS accounts strategy.
Share This Post

When it comes to AWS accounts, more tends to be better. Creating multiple accounts for the same organization offers a variety of benefits in areas such as resource isolation, team separation, and compliance management.

However, operating with multiple AWS also presents some steep challenges. Having a plan in place to manage those challenges is vital if you want to enjoy the advantages of a multi-account approach to AWS without struggling to handle tasks like backup and recovery, networking configuration, and IAM setup.

Keep reading for guidance on why to set up multiple AWS accounts, as well as how to conquer the challenges that come with a multi-account AWS strategy.

Understanding AWS accounts

Let’s begin by going over the basics of how accounts work in the Amazon Web Services (AWS) cloud and which types of organizational structures AWS supports for managing multiple accounts.

In AWS, an account is an entity that can create and manage cloud resources. By default, a single account can only control resources linked to that account. In other words, you can’t log in under one account and modify cloud resources owned by a different account.

AWS allows a business to create multiple accounts. Optionally, companies can organize multiple accounts into an Organizational Unit (OU), which is essentially a grouping of multiple accounts. Assigning accounts to an OU allows you to apply policies to all of the accounts at the OU level.

In addition, AWS supports a concept known as landing zones. A single landing zone can include multiple OUs and/or accounts. Landing zones are another way of centrally managing a multi-account environment. They enable more granular control over policy assignments than OUs alone.

For full details on how accounts work in AWS and which types of entities AWS supports for managing multiple accounts within the same organization, check out the documentation on the topic.

The benefits of multiple AWS accounts

There is no rule requiring organizations to create multiple AWS accounts. You can set up just one account and have all of your teams share it if you wish.

However, unless you have just a handful of employees who create and manage AWS resources, you’re likely to benefit from creating multiple AWS accounts. Having multiple accounts at your disposal opens the door to a range of advantages.

Isolation of resources

Perhaps the most obvious benefit of multiple AWS accounts is that you can isolate resources. This reduces the harm that a malicious user or compromised account could potentially cause. It also helps prevent accidental modification or deletion of resources by users who shouldn’t be able to access them.

For example, if you have two separate engineering teams who have no reason to access each other’s cloud resources, setting up separate accounts for each team ensures that the groups won’t disrupt each other’s operations.

Varying levels of security control

Creating multiple accounts allows you to define different security policies for different users or groups within your organization, based on their varying needs.

For instance, cloud resources owned by your finance department may contain more sensitive data, and therefore require tighter security controls, than resources managed by developers who are building and testing applications.

Granular compliance controls

Along similar lines, compliance mandates may affect different groups within your organization in different ways. For example, departments based in the European Union may face stricter compliance mandates due to the GDPR than units that operate in jurisdictions without comparable compliance rules. Here again, establishing multiple accounts makes it easier to ensure that each group is subject to the appropriate level of security and other controls.

Cost tracking

By default, AWS reports cloud billing data on a per-account basis. This means that if you have multiple accounts for different groups of users within your organization, you can easily track the cloud spending of each group.

There are other tools available for monitoring cloud costs, but breaking down costs at the account level is a simple way to get more granular billing insights than you’d have if everyone shared the same account.

Low-risk cloud testing

Having multiple accounts makes it possible to separate workloads that you are testing or experimenting on from those that need to be stable. For instance, by creating multiple AWS accounts – one for production and one for dev/test – your development team can set up an environment where it can test newly built applications prior to moving them into production.

To be sure, there are other ways to separate workloads on AWS, such as isolating them at the network level. You don’t necessarily need multiple accounts to keep production environments distinct from dev/test environments. But multiple accounts is one way to achieve that level of separation – and it’s a pretty easy and foolproof solution.

Here are 5 tips that can help you better manage and secure a multi-account AWS environment:

Tips from the Expert
Picture of Chris Tozzi
Chris Tozzi
Chris Tozzi, who has worked as a journalist and Linux systems administrator, is a freelance writer specializing in areas such as DevOps, cybersecurity, cloud computing, and AI and machine learning. He is also an adviser for Fixate IO, an adjunct research adviser for IDC, and a professor of IT and society at a polytechnic university in upstate New York.

The challenges of multiple AWS accounts

On the other hand, there can be downsides to maintaining multiple AWS accounts. The main challenges include:

  • Data backup and recovery: Finding a way to back up and recover data from across multiple AWS accounts can be challenging. You need to find a way to back data up from all of your accounts. In some cases, you may also need to restore one account’s data under a different account (because, for example, the first account was hacked). These tasks can prove especially difficult if you’re using data protection tools that weren’t designed for multi-account scenarios.
  • Managing network policies: In many cases, you’ll want to allow resources created under different accounts within AWS to interact, which requires a networking configuration that lets data move from one account to another. But you’ll also likely want to enforce some network isolation to keep the accounts from overlapping too much. As a result, managing networking under a multi-account strategy can be quite complex.
  • IAM configuration: Along similar lines, configuring shared access to resources under different accounts requires complex Identity and Access Management (IAM) configuration. You need to write IAM policies that allow resources owned by one account to be accessed by other accounts. This is eminently doable, but it’s harder than managing IAM policies when every resource belongs to a single account.

In short, more accounts in AWS mean more problems, at least from the perspective of manageability.

Best practices for working with multiple accounts in AWS

As an AWS admin, your goal should be to ensure that the added complexity of managing multiple AWS accounts doesn’t outweigh the benefits that multiple accounts provide. The following best practices can help you achieve the best possible outcome.

Establish a coherent policy for setting up accounts

Organizations should set clear guidelines that define how and when they create new accounts. For instance, will you set up an account for each department within your company? Are there situations where individual employees may need their own accounts? Will some departments require multiple accounts – one for testing and one for production, for example?

The answers to these questions will vary depending on the nature of your organization and its business priorities. But no matter how you choose to define account creation rules, having a coherent plan in place is essential for avoiding creating accounts in a willy-nilly fashion that leaves some parts of your business with too few accounts and others with more than they need. 

Create consistent and meaningful account names

When creating accounts, strive to make it obvious from the account name what the account’s purpose and scope is. That way, no one has to do research to figure out what an account is supposed to do when applying a configuration to it.

For instance, rather than creating accounts with names like dev1 and dev2, use terms like dev-testing and dev-production.

Automate multi-account management

You can structure multiple accounts into OUs and landing zones manually if you want. But to manage multiple accounts efficiently at scale, consider taking advantage of an automation tool, like Control Tower. Control Tower lets you set up and organize multiple accounts quickly, with built-in security, compliance, and other controls that you can easily apply based on the needs of each account.

Enable cross-account disaster recovery

As we mentioned, you may run into scenarios where data created or managed by one AWS account can no longer be deployed under that account due to incidents like a ransomware attack in which one account’s credentials were compromised. In that case, having the ability to perform cross-account disaster recovery is paramount.

Cross-account disaster recovery lets you automatically restore data owned by one account to an environment managed through a different account, allowing you to restore business operations quickly without having to pay ransoms.

Test multi-account disaster recovery

In addition to configuring multi-account backup and recovery tools, it’s a best practice to run disaster recovery drills involving multiple accounts on a regular basis. For example, rather than testing whether you can successfully recover just one account’s data using backups, simulate a scenario where you have to perform a cross-account recovery.

You could do this by setting up an account solely for disaster recovery testing purposes, and then attempting to restore another account’s data to the environment owned by the disaster recovery testing account.

Thriving with multiple AWS accounts using N2WS

The more accounts you maintain in AWS, the easier it is to separate resources and define granular controls. However, having more accounts also leads to more management complexity.

To mitigate this challenge, ensure that you have solutions in place in areas like account creation, account naming policies, and data backup and disaster recovery. When you do, you’re in a position to make the most of multiple accounts without allowing the complexity to drag down your organization.

N2WS empowers businesses to thrive when working with multiple AWS accounts. Our larger enterprises and MSPs know the benefits of managing all backup operations for many accounts under one single console. By having easy access to user friendly UI and multiple clients’ environments at the click of a button, they can easily build custom solutions based on their individual requirements. A reliable, consistent backup solution for multi client, multi AWS account and multi availablity zone not only protects their data under any cirmcumstance, but gives MSPs more revenue and opportunity.

N2WS also offers immediate and full proof ransomware protection using cross-account capabilities. If your account is indeed hacked or there is a big cloud provider blooper where your entire production account gets wiped (we have seen it happen), N2WS can spin up entire production environments as well as provide options like the ability to move backup data to cold storage to optimize costs – the icing on the cake.
Check it out for yourself by requesting a free trial.

Picture of Chris Tozzi

Chris Tozzi

Chris, who has worked as a journalist and Linux systems administrator, is a freelance writer specializing in areas such as DevOps, cybersecurity, cloud computing, and AI and machine learning. He is also an adviser for Fixate IO, an adjunct research adviser for IDC, and a professor of IT and society at a polytechnic university in upstate New York.

All Posts
Next step

The easiest way to perform cross-cloud DR

Allowed us to save over $1 million in the management of AWS EBS snapshots...

N2WS vs AWS Backup

Why chose N2WS over AWS Backup? Find out the critical differences here.

N2WS in comparison to AWS Backup, offers a single console to manage backups across accounts or clouds. Here is a stylized screenshot of the N2WS dashboard.