When an individual uses cloud platforms, they can use a single account for performing all their activities on the cloud. It may also be true for smaller enterprises with a handful of employees. But, for a larger enterprise, it would be easy to use and manage the cloud if the organizational structure of the enterprise can be replicated on the cloud account management service. The most important benefit is that the enterprise can put all its resources in a single place and yet segregate resources based on identified responsibility as well as functionality. AWS Organizations service orchestrates and manages multiple AWS accounts in terms of security policies, audit, and control, cloud service authorization, as well as consolidated billing.
AWS Organizations uses 4 key entities to replicate the organizational structure of an enterprise:
- Organization: the logical representation of the enterprise. It owns every kind of asset the enterprise holds on AWS, such as environments, networks, services, policies, and accounts. It maps one-to-one to the enterprise, and its root acts as the parent node for all other elements, such as the organizational units and the accounts.
- Organizational Unit: an OU represents departments, business units, environments, or other segregations within an enterprise. It is a container for other OUs and accounts beneath the root of the organization.
- Accounts: an account is an AWS resource that represents a user with a defined set of responsibilities and restrictions. It should not be confused with the login identity of a user, which is issued and managed by the AWS Identity and Access Management (IAM) service. A single AWS account may contain multiple IAM user accounts.
A typical AWS Organizations setup
We consider an IT enterprise consisting of a higher management team, sales team, pre-sales team, project management team, business team, quality team, development team, implementation team, infrastructure team, operations team, support team, and security team. The enterprise implements solutions for its customers, which include systems integration and customization of one or more products. Each solution implementation goes through a cycle of customization, testing, and production.
The diagram below represents a typical setup of an organization. However, it is important to represent the segregation of different implementation projects and environments as well.
A development and implementation project requires separate environments for development, testing, pre-production, and production. AWS Organizations lets that exact logical structure be replicated in the AWS setup as well. It is the first step towards consolidating all environments on the cloud while preserving the individual purpose of each one.
The DevOps view
Apart from Organizational Units, AWS Organizations also offers accounts. In an operations environment, an account becomes synonymous with a user role carrying a set of privileges. For example, an environment can be assigned multiple accounts under the realm of the DevOps team, such as Systems Admin, Database Admin, Application Admin, Developer, Operations Member, Support Member, and others.
Multiple user accounts can be mapped to a single account under AWS Organizations, and each of them inherits the same security policies.
Use Cases
Apart from segregating the entire account setup according to organizational roles, what else can be achieved with AWS Organizations? Some key use cases are experienced by most IT development and implementation teams once their work products are running in production and being used by end users.
Developer access to the Production environment
It is never a good idea to give the development team access to the production environment. The risks include manipulating production data to address an issue quickly, and unplanned, untracked deployments made directly to production without the knowledge of the operations team.
With an AWS Organizations setup, both concerns can be addressed cleanly. An account is set up with developer privileges and restrictions, and user accounts are assigned under it. All users under the developer account can connect to the allowed environments, yet they are restricted to the activities expected of them. All of this is managed through simple configuration of the AWS Organizations service.
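The restriction described above is normally enforced with service control policies (SCPs) attached to the developer OU, and SCPs combine by inheritance down the tree sketched in the earlier sections. The following is an added example, not code from the original page or from AWS: it models a small organization tree (root, a developer OU and an operations OU, one account each) with constructed SCP documents and placeholder account IDs, and evaluates whether the effective SCP chain permits a given action. It follows the documented SCP semantics (every level from the account up to the root must contain a matching Allow and no matching Deny; SCPs never grant permissions on their own, an IAM policy is still required).

```python
"""Model how SCPs along the OU path combine (added example, constructed data)."""
from fnmatch import fnmatch

# Constructed SCP documents. Account ID 111111111111 stands in for the
# production account; it is a placeholder, not a real identifier.
FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_PROD_ROLES = {"Statement": [{
    "Effect": "Deny", "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::111111111111:role/*"}]}      # no hopping into prod
DENY_IAM_WRITES = {"Statement": [{
    "Effect": "Deny", "Action": ["iam:Create*", "iam:Put*", "iam:Attach*"],
    "Resource": "*"}]}                                      # no privilege changes

# Org tree: node -> (parent, [attached SCPs]). FullAWSAccess is attached at
# every level by default; the developer OU adds two Deny policies on top.
ORG = {
    "root": (None, [FULL_ACCESS]),
    "ou-dev": ("root", [FULL_ACCESS, DENY_PROD_ROLES, DENY_IAM_WRITES]),
    "ou-ops": ("root", [FULL_ACCESS]),
    "acct-dev": ("ou-dev", [FULL_ACCESS]),
    "acct-ops": ("ou-ops", [FULL_ACCESS]),
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, resource):
    """IAM-style wildcard match of one statement against an action/resource."""
    return (any(fnmatch(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch(resource, r) for r in _as_list(stmt["Resource"])))


def _level_permits(policies, action, resource):
    """One level permits the action only if some Allow matches and no Deny does."""
    stmts = [s for p in policies for s in p["Statement"]]
    allowed = any(s["Effect"] == "Allow" and _matches(s, action, resource) for s in stmts)
    denied = any(s["Effect"] == "Deny" and _matches(s, action, resource) for s in stmts)
    return allowed and not denied


def scp_allows(account, action, resource="*"):
    """Effective SCP: every level from the account up to the root must permit it."""
    node = account
    while node is not None:
        parent, policies = ORG[node]
        if not _level_permits(policies, action, resource):
            return False
        node = parent
    return True
```

Running `scp_allows("acct-dev", "sts:AssumeRole", "arn:aws:iam::111111111111:role/ProdDeploy")` returns False while the same call for `acct-ops` returns True, which is the developer/operations split the section describes.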
DevOps Control over the environments
During critical releases, especially hotfixes for showstopper issues, the implementation teams may want to forgo certain mandatory quality checks so that the fixes reach production faster. For standard releases, once a work product is marked ready by the development team, it is expected to reach the users without procedural delays in the release process.
AWS Organizations is extremely beneficial for DevOps teams in maintaining a clear segregation of responsibilities for the activities performed by the different sub-groups of the team. This includes a clear separation of concerns for activities such as OS patch upgrades, platform upgrades, vulnerability scans, penetration tests, performance tests, application security tests, application configuration, database changes, application releases, CI/CD build and configuration, resource monitoring, and more.
Management Team’s view of the entire process
Management teams are most concerned about the cost and utilization of resources vis-à-vis the benefits derived from them. The RACI (Responsible-Accountable-Consulted-Informed) matrix defined by the management team can be configured with the help of AWS Organizations. This helps managers ascertain responsibilities and locate problem areas within the team's work easily. In cases of under-utilization and failures, it is easy to isolate the issues and challenges faced by the working teams and address them quickly.
After all, that is what the management team is expected to do, and AWS Organizations gives them a direct view of how the AWS accounts are organized and who is accessing which services and for what purpose.