When it comes to AWS accounts, more tends to be better. Creating multiple accounts for the same organization offers a variety of benefits in areas such as resource isolation, team separation, and compliance management.
However, operating with multiple AWS also presents some steep challenges. Having a plan in place to manage those challenges is vital if you want to enjoy the advantages of a multi-account approach to AWS without struggling to handle tasks like backup and recovery, networking configuration, and IAM setup.
Keep reading for guidance on why to set up multiple AWS accounts, as well as how to conquer the challenges that come with a multi-account AWS strategy.
Understanding AWS accounts
Let’s begin by going over the basics of how accounts work in the Amazon Web Services (AWS) cloud and which types of organizational structures AWS supports for managing multiple accounts.
In AWS, an account is an entity that can create and manage cloud resources. By default, a single account can only control resources linked to that account. In other words, you can’t log in under one account and modify cloud resources owned by a different account.
AWS allows a business to create multiple accounts. Optionally, companies can organize multiple accounts into an Organizational Unit (OU), which is essentially a grouping of multiple accounts. Assigning accounts to an OU allows you to apply policies to all of the accounts at the OU level.
In addition, AWS supports a concept known as landing zones. A single landing zone can include multiple OUs and/or accounts. Landing zones are another way of centrally managing a multi-account environment. They enable more granular control over policy assignments than OUs alone.
For full details on how accounts work in AWS and which types of entities AWS supports for managing multiple accounts within the same organization, check out the documentation on the topic.
The benefits of multiple AWS accounts
There is no rule requiring organizations to create multiple AWS accounts. You can set up just one account and have all of your teams share it if you wish.
However, unless you have just a handful of employees who create and manage AWS resources, you’re likely to benefit from creating multiple AWS accounts. Having multiple accounts at your disposal opens the door to a range of advantages.
Isolation of resources
Perhaps the most obvious benefit of multiple AWS accounts is that you can isolate resources. This reduces the harm that a malicious user or compromised account could potentially cause. It also helps prevent accidental modification or deletion of resources by users who shouldn’t be able to access them.
For example, if you have two separate engineering teams who have no reason to access each other’s cloud resources, setting up separate accounts for each team ensures that the groups won’t disrupt each other’s operations.
Varying levels of security control
Creating multiple accounts allows you to define different security policies for different users or groups within your organization, based on their varying needs.
For instance, cloud resources owned by your finance department may contain more sensitive data, and therefore require tighter security controls, than resources managed by developers who are building and testing applications.
Granular compliance controls
Along similar lines, compliance mandates may affect different groups within your organization in different ways. For example, departments based in the European Union may face stricter compliance mandates due to the GDPR than units that operate in jurisdictions without comparable compliance rules. Here again, establishing multiple accounts makes it easier to ensure that each group is subject to the appropriate level of security and other controls.
Cost tracking
By default, AWS reports cloud billing data on a per-account basis. This means that if you have multiple accounts for different groups of users within your organization, you can easily track the cloud spending of each group.
There are other tools available for monitoring cloud costs, but breaking down costs at the account level is a simple way to get more granular billing insights than you’d have if everyone shared the same account.
Low-risk cloud testing
Having multiple accounts makes it possible to separate workloads that you are testing or experimenting on from those that need to be stable. For instance, by creating multiple AWS accounts – one for production and one for dev/test – your development team can set up an environment where it can test newly built applications prior to moving them into production.
To be sure, there are other ways to separate workloads on AWS, such as isolating them at the network level. You don’t necessarily need multiple accounts to keep production environments distinct from dev/test environments. But multiple accounts is one way to achieve that level of separation – and it’s a pretty easy and foolproof solution.
Here are 5 tips that can help you better manage and secure a multi-account AWS environment:
- Standardize and automate account creation processes: Create standardized templates using AWS CloudFormation or Terraform for launching new AWS accounts. This ensures consistency across your multi-account environment and reduces the risk of configuration drift.
- Isolate workloads with distinct VPCs per account: Assign a separate VPC for each account to isolate network traffic. This enhances security by limiting the blast radius of a potential compromise and allows for better control over network policies.
- Establish cross-account roles for secure access: Set up cross-account IAM roles to securely manage access between accounts. This approach is safer than sharing credentials and provides an audit trail for tracking which accounts accessed what resources.
- Implement cross-account backup with a DR strategy: Establish a cross-account backup strategy using N2WS to ensure that backups are securely stored in a separate account. This adds a layer of protection against account-level incidents, such as ransomware attacks or accidental deletion.
- Use tags for cost allocation and management: Implement a tagging strategy across all accounts to categorize resources by team, project, or environment. This aids in cost tracking, automation, and resource management, ensuring that you can accurately allocate costs and optimize spending.
The challenges of multiple AWS accounts
On the other hand, there can be downsides to maintaining multiple AWS accounts. The main challenges include:
- Data backup and recovery: Finding a way to back up and recover data from across multiple AWS accounts can be challenging. You need to find a way to back data up from all of your accounts. In some cases, you may also need to restore one account’s data under a different account (because, for example, the first account was hacked). These tasks can prove especially difficult if you’re using data protection tools that weren’t designed for multi-account scenarios.
- Managing network policies: In many cases, you’ll want to allow resources created under different accounts within AWS to interact, which requires a networking configuration that lets data move from one account to another. But you’ll also likely want to enforce some network isolation to keep the accounts from overlapping too much. As a result, managing networking under a multi-account strategy can be quite complex.
- IAM configuration: Along similar lines, configuring shared access to resources under different accounts requires complex Identity and Access Management (IAM) configuration. You need to write IAM policies that allow resources owned by one account to be accessed by other accounts. This is eminently doable, but it’s harder than managing IAM policies when every resource belongs to a single account.
In short, more accounts in AWS mean more problems, at least from the perspective of manageability.
Best practices for working with multiple accounts in AWS
As an AWS admin, your goal should be to ensure that the added complexity of managing multiple AWS accounts doesn’t outweigh the benefits that multiple accounts provide. The following best practices can help you achieve the best possible outcome.
Establish a coherent policy for setting up accounts
Organizations should set clear guidelines that define how and when they create new accounts. For instance, will you set up an account for each department within your company? Are there situations where individual employees may need their own accounts? Will some departments require multiple accounts – one for testing and one for production, for example?
The answers to these questions will vary depending on the nature of your organization and its business priorities. But no matter how you choose to define account creation rules, having a coherent plan in place is essential for avoiding creating accounts in a willy-nilly fashion that leaves some parts of your business with too few accounts and others with more than they need.
Create consistent and meaningful account names
When creating accounts, strive to make it obvious from the account name what the account’s purpose and scope is. That way, no one has to do research to figure out what an account is supposed to do when applying a configuration to it.
For instance, rather than creating accounts with names like dev1 and dev2, use terms like dev-testing and dev-production.
Automate multi-account management
You can structure multiple accounts into OUs and landing zones manually if you want. But to manage multiple accounts efficiently at scale, consider taking advantage of an automation tool, like Control Tower. Control Tower lets you set up and organize multiple accounts quickly, with built-in security, compliance, and other controls that you can easily apply based on the needs of each account.
Enable cross-account disaster recovery
As we mentioned, you may run into scenarios where data created or managed by one AWS account can no longer be deployed under that account due to incidents like a ransomware attack in which one account’s credentials were compromised. In that case, having the ability to perform cross-account disaster recovery is paramount.
Cross-account disaster recovery lets you automatically restore data owned by one account to an environment managed through a different account, allowing you to restore business operations quickly without having to pay ransoms.
Test multi-account disaster recovery
In addition to configuring multi-account backup and recovery tools, it’s a best practice to run disaster recovery drills involving multiple accounts on a regular basis. For example, rather than testing whether you can successfully recover just one account’s data using backups, simulate a scenario where you have to perform a cross-account recovery.
You could do this by setting up an account solely for disaster recovery testing purposes, and then attempting to restore another account’s data to the environment owned by the disaster recovery testing account.
Thriving with multiple AWS accounts using N2WS
The more accounts you maintain in AWS, the easier it is to separate resources and define granular controls. However, having more accounts also leads to more management complexity.
To mitigate this challenge, ensure that you have solutions in place in areas like account creation, account naming policies, and data backup and disaster recovery. When you do, you’re in a position to make the most of multiple accounts without allowing the complexity to drag down your organization.
N2WS empowers businesses to thrive when working with multiple AWS accounts. Our larger enterprises and MSPs know the benefits of managing all backup operations for many accounts under one single console. By having easy access to user friendly UI and multiple clients’ environments at the click of a button, they can easily build custom solutions based on their individual requirements. A reliable, consistent backup solution for multi client, multi AWS account and multi availablity zone not only protects their data under any cirmcumstance, but gives MSPs more revenue and opportunity.
N2WS also offers immediate and full proof ransomware protection using cross-account capabilities. If your account is indeed hacked or there is a big cloud provider blooper where your entire production account gets wiped (we have seen it happen), N2WS can spin up entire production environments as well as provide options like the ability to move backup data to cold storage to optimize costs – the icing on the cake.
Check it out for yourself by requesting a free trial.
Chris Tozzi
Chris, who has worked as a journalist and Linux systems administrator, is a freelance writer specializing in areas such as DevOps, cybersecurity, cloud computing, and AI and machine learning. He is also an adviser for Fixate IO, an adjunct research adviser for IDC, and a professor of IT and society at a polytechnic university in upstate New York.