accounts core - cirelledo-csa/herd GitHub Wiki
Core service accounts in AWS
Core shared services accounts will host core services (maintained by cloud services teams) that support product teams/groups and their products. The core service accounts are Organization, Logging, Network, Shared Services and Security, see below FAQS for details of what each core service provides.
Core service account FAQs
Who are the cloud services teams and what do they do?
- The teams that maintain the core AWS services that support our organization.
- Be nice to them, they can save your bacon.
What products and services do the cloud services teams provide?
What do our core services look like? Something like this:
Will we have a dedicated Log archive account?
- Yes
What services run in a Log archive account?
- global audit trail organization cloudtrail
- global configuration state config aggregator
TBD other logs from cloudwatch, app, s3, load balancer, waf, etc
What services run in a Network account?
- Connect Virtual Private Clouds (VPCs) and on-premises networks to a single transit gateway
- Dedicated network connection from our data centers to AWS with direct connect
- Configure and manage firewall rules across our accounts and applications with firewall manager
- Central delegated route 53 root level hosted zones
Will we have a dedicated Organization Master Account?
- Yes
What services run in Organization Master account?
- master payer
- billing service
- The fewer service running in master organization account the better
Will we have a dedicated Security account?
- Yes
What is a Security Account?
An account maintained by the cloud services teams and dedicated to the security of all accounts in the org. Security account(s) will need to be able to run native AWS security services and access security related resources in all accounts of our AWS organization. This may also require access for tools the security teams uses that may run outside AWS.
What are (some of) the Security services?
Generally anything listed under the Security, Identity, & Compliance set of services:
- Security, Identity, & Compliance
- IAM
- Resource Access Manager
- Cognito
- Secrets Manager
- GuardDuty
- Inspector
- Amazon Macie
- AWS Single Sign-On
- Certificate Manager
- Key Management Service
- CloudHSM
- Directory Service
- WAF & Shield
- AWS Firewall Manager
- Artifact
- Security Hub
- Detective
Here are some choices we'll start with:
- The security team can choose how to partition these services in different accounts. eg IAM in a dedicated shared service account separate from the Security account.
- The security team may want to delegate some of these services, eg IAM or KMS.
- Securely control access to AWS resources with IAM
- Continuously monitor for malicious activity and unauthorized behavior to protect our AWS accounts and workloads with guard duty
- Analyze, investigate, and quickly identify root causes of potential security issues or suspicious activities with detective
- TBD machine learning to automatically discover, classify, and protect sensitive data in AWS macie
- Comprehensive view of our security state in AWS with security hub aggregation
- Shared AWS resources within our AWS Organization with resource access manager
- ** Web Application Firewall, Sheild and Firewall Manager ** https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html
Will we have a dedicated Shared services account?
TBD
Will we use AWS Organizations Service to manage our multi-account strategy?
- Yes. We have a plan for that here
How and when will we create accounts?
- product teams can request 1 development account with a name teamnameDev.
- non development accounts are created as needed by the cloud services teams in response to requests for services, eg deploy a test or production version of a product.
- New accounts shall be requested through this form.
Account conventions and services
Accounts come with certain default configurations
Certificates
- ACM should be used as needed to create certificates for use with AWS infrastructure (eg load balancers)
Wild Card Certificates
- wild card ACM certificates for anything.$accountname.$roothostedzone are for convenience to allow product teams to create non production endpoints without having to allocate certificates for each application environment prior to production. Product certs must have a valid cert for $product.fqdn
DNS
- The cloud services team manages root level hosted zones in a central AWS network account.
- The cloud services team will allocate delegated hosted zones of the form $accountname.$roothostedzone.
- The central hosted zone is responsible for managing the propagation of NS records for $accountname.$roothostedzone back to $roothostedzone
Tags
Useful tags should be deployed, cf tagging strategy Consider the use of a namespace if you have a tag standard you want, eg mytags: so that you can isolate mytags from yourtags.
-
Minimum account level tagging requirement:
-
Team
WARNING: team stewardship of accounts is mandatory and non negotiable, we do not support orphaned accounts with no team ownership
Billing
- Cost containment is a shared responsibility and therefore everyone's concern.
- Look at the Billing and think about how to reduce cost.
- Create a billing alert that notifies account product owners when they're likely to overspend.
- Tags should be in place to evaluate cost per product, team, env, etc.
- Set a budget and know what you're spending!
CloudTrail
- Cloudtrail must be enabled in all regions and shipped with checksums to a central S3 audit bucket.
Security
- Security is a shared responsibility and therefore everyone's concern. Account tenants should consult these services and see what they have to say about the accounts you use.
- Security Hub in a core security account.
- Guard Duty in a core security account.
- Detective (preview) in a core security account.
Trusted Advisor
- Consult Trusted Advisor. This is where you can see service limits. Ops should have a global view of service limits and capacity. Devs should know their service limits.
- Trusted Advisor does more at higher support levels. What is the value of trusted advisor at higher support levels?
Support
- Operations has a strong preference for business level support on any product account
- Architecture encourages that support cases be created prior to production
- We will evaluate use of support as compared to cost. We may choose to remove support where it isn't useful if the risk of the additional overhead of changing support level in an account is acceptable (you need root to change support level)
- Cloud services and product teams will collaborate to determine the appropriate support level for each account. NOTE: Support is like voting - use Support early and often. There is a significant cost to useful support (business level) so consider the value it brings to an account. Generally dev accounts are the place where support is most useful. Support can be turned on a la carte in an emergency provided we have an efficient root access mechanism. Alternatively we should consider enterprise support to have a uniform support model. This should be a data driven decision instead of fud driven decision.
Extra Undetermined Stuff
How do we control service level limits
TBD, would like to see self service of service limit with some approval process.
What information is required for an account?
- A budget
- Support level
- Account contacts
- Team Name
What additional information is required for a product account?
- Product Name
- Product Owner
How will we name account aliases?
accounts are named after the team or product and environment, eg:
- acmeLogs could be the alias for the account that the acme team uses to host logging function
- incrediblesDev could be the dev account for the incredibles team
- killerApp could be the account for the killer app product.
- Team environments are Build, Dev and Test and should be limited to these as the postfix to their account name/alias.
- Product owners should choose Product and Team names with a preference for brevity.
NOTE: account name and account alias should be the same
What are the required account contacts?
- Root owner - name and email, alias is best
- Billing- name and email, alias is best
- Operations - name and email, alias is best
- Security - name and email, alias is best
- Team owner - name and email, alias is best
- (For product accounts) Product owner - name and email, alias is best
What are the required account contacts for?
[ ] TBD, please define
What is an Organization Master Account?
An account maintained by the cloud services teams and dedicated to the control and governance of all accounts in the org.
What is a product?
A useful service or application
How do we decide who does what and in which account?
- Well architected products require a move away from manual operation to automation which will require a change in the way we operate. This is the way
NOTE this won't happen overnight but it's a set of habits we should adopt over time. Sooner rather than later.
Will there be a process to amend this document?
TBD
How will this document be managed?
TBD
Where will this document be hosted?
TBD
Who owns this document?
- Cloud Committee or CCOE ?
What is a Log archive account?
An account maintained by the cloud services teams and dedicated to the aggregation of logs and meta data from every account in the org. It may be used as the data source to provide insight to security, operational or product teams.
What is a Network Account?
An account maintained by the cloud services teams and dedicated to network support services for accounts in the Org
What is a Shared Services Account?
An account maintained by the cloud services teams and dedicated to providing supporting services for other accounts in the org.
What services run in a Shared Services account?
-
view and control virtual machines with Systems Manager
-
centrally manage access to multiple AWS accounts and business applications and provide users with single sign-on access to all their assigned accounts and applications from one place with SSO
-
maintain consistent tags with tag policies
-
manage and automate tasks on large numbers of resources at one time with resource groups
-
view and manage our quotas from a central location with service quotas
-
manage catalogs of IT services approved for use on AWS with service catalog
-
share AWS resources within our AWS Organization with resource access manager
-
The cloud services teams and Cloud Committee/CCOE will determine the optimal distribution of core services to provide value to products, product owners and product teams. **NOTE the distribution and allocation of core services could be split into more refined accounts, eg maybe IAM/SSO/AD are grouped in one account dedicated to iam type services while systems manager and resource groups are in another account as they relate to ec2.