Study Guide: Multi-Account Strategy
In the modern cloud landscape, a single AWS account is rarely enough. Organizations need a way to manage hundreds of accounts while maintaining security, compliance, and cost oversight. AWS Organizations provides the underlying infrastructure for account grouping, while AWS Control Tower offers a managed “Landing Zone” to orchestrate these services automatically.
The Analogy: Think of AWS Organizations as the legal structure of a massive Shopping Mall. The Mall Management (Management Account) provides the electricity, security, and leasing rules. Each store is an individual AWS Account. AWS Control Tower is like a “Turnkey Franchise Kit”—it ensures that every new store opened in the mall automatically has the right shelves, security cameras, and fire exits installed according to corporate standards before the first customer walks in.
Core Concepts & Well-Architected Framework
Applying the AWS Well-Architected Framework lenses:
- Security: Use Service Control Policies (SCPs) to set permission guardrails. Isolate workloads (Dev, Test, Prod) into separate accounts to minimize the blast radius.
- Reliability: Control Tower automates the setup of a “Landing Zone,” ensuring consistent configurations across the entire environment.
- Cost Optimization: Consolidated Billing allows you to combine usage across all accounts to achieve volume discounts (e.g., S3 storage tiers and EC2 Reserved Instance sharing).
- Operational Excellence: Centralized logging (CloudTrail/Config) into a dedicated “Log Archive” account ensures auditability.
Service Comparison: Organizations vs. Control Tower
| Feature | AWS Organizations | AWS Control Tower |
|---|---|---|
| Purpose | Account grouping and policy (SCP) management. | Governance framework to set up and manage a Landing Zone. |
| Ease of Use | Manual configuration of OUs and policies. | Automated, wizard-based setup of best practices. |
| Guardrails | SCPs only (Preventative). | Preventative (SCPs) AND Detective (AWS Config). |
| Account Provisioning | Manual or via API. | Account Factory (Service Catalog based). |
Scenario-Based Decision Matrix
- IF you need to prevent any account in an OU from deleting CloudTrail logs… THEN use an SCP (Service Control Policy).
- IF you need to share a VPC Subnet or Transit Gateway across accounts… THEN use AWS Resource Access Manager (RAM).
- IF you want to automatically provision new accounts with pre-defined network baselines… THEN use Control Tower Account Factory.
- IF you need to see which account is spending the most… THEN use AWS Cost Explorer with Consolidated Billing.
Exam Tips: Golden Nuggets
- The Master (Management) Account is NOT restricted by SCPs. Always keep this account restricted to billing and administrative tasks only.
- SCPs are “Filters”: They do not grant permissions; they define the maximum permissions available to principals in member accounts. An IAM user or role still needs an IAM policy that allows the action before it can perform it.
- Consolidated Billing: All accounts in the Org are treated as one for volume pricing discounts. You can disable RI/Savings Plan sharing if needed.
- CloudTrail: For the exam, remember that an Organization Trail ensures logs from all member accounts are sent to a single S3 bucket in a central account.
Infographic: The Multi-Account Hierarchy
Visual hierarchy of Organizations: Management Account → OUs → Member Accounts with SCP enforcement.
Key Services
- Service Control Policies: JSON policies that specify the maximum permissions for an organization.
- AWS RAM: Securely share resources like Subnets and License Manager configurations.
- CloudTrail: Enable an organization trail (“All Accounts” logging) that delivers to a central S3 bucket.
Common Pitfalls
- No Default Deny: When SCPs are enabled, every root, OU, and account receives the FullAWSAccess (“Allow-All”) policy by default. To restrict access you must add explicit “Deny” statements or replace that Allow with a narrower allow list.
- Root User: SCPs do not affect the Management Account at all, including its root user.
- Tagging: Forgetting to enforce tagging via Tag Policies.
Quick Patterns
- Centralized Logging: Use Control Tower to set up a dedicated Log Archive account.
- Shared Services: Create a “Shared Services” OU for common tools like AD, CI/CD, and Scanners.
- Sandbox Accounts: Use SCPs to limit Sandbox accounts to small instance sizes only.
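As an added example (not from this study guide or from AWS), the Python model below works through the SCP semantics from the Exam Tips, Common Pitfalls, and Quick Patterns sections: the default Allow-All, an explicit Deny protecting CloudTrail, a Sandbox instance-size guardrail, and the Management Account exemption. The policy documents and the root → OU → account hierarchy are constructed, and only Allow/Deny, action wildcards and the StringNotLike operator are modelled.

```python
import fnmatch

# Constructed SCP and IAM documents. FullAWSAccess is the SCP AWS attaches by default (the "Allow-All").
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Guardrail for the guide's "protect CloudTrail" scenario: an explicit Deny beats the Allow-All.
DENY_CLOUDTRAIL_DELETE = {"Statement": [{"Effect": "Deny", "Resource": "*",
    "Action": ["cloudtrail:DeleteTrail", "cloudtrail:StopLogging"]}]}
# Sandbox guardrail: deny RunInstances unless the instance type is on a small-size list.
SANDBOX_SMALL_ONLY = {"Statement": [{"Effect": "Deny", "Action": "ec2:RunInstances",
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {"StringNotLike": {"ec2:InstanceType": ["t3.micro", "t3.small"]}}}]}
# SCPs attached at each level of a constructed hierarchy: root -> Sandbox OU -> member account.
SANDBOX_SCP_LEVELS = [[FULL_AWS_ACCESS],
                      [FULL_AWS_ACCESS, DENY_CLOUDTRAIL_DELETE],
                      [FULL_AWS_ACCESS, SANDBOX_SMALL_ONLY]]
ADMIN_IAM = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
AUDITOR_IAM = {"Statement": [{"Effect": "Allow", "Action": "cloudtrail:Describe*", "Resource": "*"}]}

def _statement_applies(stmt, action, context):
    """Action pattern match plus StringNotLike, the only condition operator modelled here."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(fnmatch.fnmatchcase(action, pat) for pat in actions):
        return False
    for key, patterns in stmt.get("Condition", {}).get("StringNotLike", {}).items():
        # StringNotLike holds only when the request value matches none of the patterns.
        if any(fnmatch.fnmatchcase(context.get(key, ""), pat) for pat in patterns):
            return False
    return True

def policy_allows(policy, action, context=None):
    """One document: an applicable Deny wins; otherwise an applicable Allow is required."""
    applicable = [s for s in policy["Statement"] if _statement_applies(s, action, context or {})]
    if any(s["Effect"] == "Deny" for s in applicable):
        return False
    return any(s["Effect"] == "Allow" for s in applicable)

def scps_allow(scp_levels, action, context=None):
    """Root, each OU and the account must all allow the action; a Deny at any level blocks it."""
    for level in scp_levels:
        merged = {"Statement": [s for policy in level for s in policy["Statement"]]}
        if not policy_allows(merged, action, context):
            return False
    return True

def effective_allow(iam_policy, scp_levels, action, context=None, management_account=False):
    """SCPs filter, never grant: the IAM policy must allow AND every SCP level must allow.
    The management account is exempt from SCPs, which is why the guide keeps it admin-only."""
    if not policy_allows(iam_policy, action, context):
        return False
    return management_account or scps_allow(scp_levels, action, context)
```

Note that the auditor's read-only IAM policy is not widened by the Allow-All SCP, and that a narrower Allow at the OU level blocks actions even when the account level still allows everything.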