Public Cloud Thoughts - AWS Governance
What is the proper way to organize my public cloud resources and administer access to them?
I feel like, of the big 3 public cloud providers, this question is most difficult to answer for AWS.
Difficult to answer, but not impossible. The detailed best practice whitepaper below covers the response to this question for AWS in depth.
Organizing Your AWS Environment
GCP and Azure have management constructs that are a bit more user friendly and require far less effort to deploy than what is available in AWS to implement the concepts below:
- Delegation of access for a single identity to multiple separate accounts.
- Policy enforcement across multiple accounts.
- Centralized logging in a multi-account setting using AWS Organizations.
These are just a few examples of best practice concepts that should be properly planned for and deployed within an AWS environment.
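As an added illustration of the first two concepts above (this is example code written for this post, not from the whitepaper or from AWS), the block below builds a cross-account role trust policy for delegating access from a central security account into a member account, and a service control policy (SCP) that stops member accounts from tampering with the organization CloudTrail trail that feeds centralized logging. The account IDs and external ID are constructed placeholders, and `scp_denies` is a small helper written here to check which actions an SCP blocks.

```python
import fnmatch
import json

# Constructed placeholder: the central security/logging account in the organization.
SECURITY_ACCOUNT = "222222222222"


def cross_account_trust_policy(trusted_account: str, external_id: str) -> dict:
    """Trust policy for a role in a member account that lets principals in the
    security account assume it (one identity delegated into many accounts).
    The ExternalId condition limits who can use the trust relationship."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


# SCP attached at the organization root: no principal in a member account can
# stop, delete or reconfigure the organization trail, whatever IAM grants locally.
PROTECT_CLOUDTRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyCloudTrailTampering",
        "Effect": "Deny",
        "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                   "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"],
        "Resource": "*",
    }],
}


def scp_denies(scp: dict, action: str) -> bool:
    """True if any Deny statement in the SCP matches `action`.
    IAM-style '*' and '?' wildcards in the Action field are honoured."""
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(cross_account_trust_policy(SECURITY_ACCOUNT, "example-external-id"), indent=2))
    print(json.dumps(PROTECT_CLOUDTRAIL_SCP, indent=2))
```

Note that an SCP only restricts what member accounts may do; it never grants permissions and does not apply to the management account, so the trail itself should be owned by the organization, not by an individual member.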
AWS also has tools and templates to help orchestrate the deployment of these concepts while adhering to best practices (such as AWS Control Tower for greenfield deployments).
Conclusion
Deploying best practice configurations/concepts to properly govern and monitor an AWS environment isn’t the simplest task (especially in a multi account scenario), but the proper constructs/controls do exist to make it happen.
One question that I would like to leave you with is:
Do you see the extra effort required to properly orchestrate and govern an AWS multi-account environment as a pro or a con? And why?