Ep. 106 | AWS Organizations Overview & Exam Prep | Mgmt & Governance | SAA-C03 | AWS Solutions Architect Associate
Chris 0:00
Hey, cloud gurus, welcome back to the deep dive. Today we're going to do a deep dive into AWS Organizations. This is a service I'm sure that as mid level cloud engineers, you are at least encountering, if not using, in your daily cloud adventures. It's
Kelly 0:16
a service you really can't avoid, right? And especially for
Chris 0:19
those of you who are prepping for those AWS certification exams. This is definitely a service that you need to know, like
Kelly 0:27
the back of your hand. You need to know it inside and out. Absolutely, it's gonna come up.
Chris 0:30
So we're gonna unpack all the nuances of AWS Organizations, talk about how it interacts with the rest of the AWS ecosystem, and hopefully give you some surprising insights that might just make you rethink how you're managing your cloud environments.
Kelly 0:44
I think one of the things that is surprising to people when they come to organizations is that it's almost like a meta service. It's a service that helps you manage your other services. So it's a little bit more abstract, but it's really the foundation, like we were talking about before, for a well architected multi account AWS environment. Yeah,
Chris 1:01
it's like the glue that holds everything together, yeah? And it's something that you might not even realize is there until things start getting a little bit out of control, right? Especially
Kelly 1:09
if you're coming from maybe a smaller shop, yeah, or you're just getting started with AWS, you might start with a single account, and that's fine for a while, but as soon as you start to grow, as soon as you have different teams, different projects, different environments, maybe you need to start thinking about things like compliance. That's when AWS Organizations really starts to shine. So
Chris 1:30
for our listeners out there who maybe haven't had a lot of experience with AWS Organizations yet, what is it? What is it? What
Kelly 1:36
is this thing? Yeah,
Chris 1:37
what is this magical service? It's
Kelly 1:38
not actually that magical, but it's pretty powerful. Okay, so
Chris 1:43
it's powerful? Yeah, it
Kelly 1:45
is powerful. Think of it this way. It's a way to centrally manage and govern multiple AWS accounts. So instead of having to log in and out of 10 or 20 different accounts, you have one central place where you can see everything. Got it. You can manage your users, you can set up policies, and you can even consolidate your billing. So that
Chris 2:05
brings up a good point. Why is this even important? Why bother especially, like you said, if you're a smaller company, maybe you're just starting out.
Kelly 2:12
If you're just playing around with AWS, maybe for a personal project, you probably don't need AWS Organizations, right? But as soon as you start to get serious, as soon as you have multiple people working in the cloud, as soon as you have any kind of sensitive data, or you need to meet any kind of compliance requirements, that's when you really need to start thinking about organizations, because
Chris 2:32
it's like the adulting of your AWS environment. Yeah,
Kelly 2:35
exactly when you're just getting started, you can kind of wing it, but as you grow up, yeah, you need to start putting some systems in place. Okay, I like that analogy, and AWS Organizations is the perfect tool for the job. So let's
Chris 2:47
give our listeners some concrete examples, some use cases that they might encounter in their day to day work where AWS Organizations would really come in handy. Okay,
Kelly 2:56
so let's say you're working for a company that has multiple departments, like a marketing department, an engineering department, a sales department, and each of those departments needs its own AWS account so they can have their own budget, their own resources and their own security isolation, right? So we're not mixing everything together. Exactly. We want to keep things separate, and AWS Organizations makes it really easy to do that. Okay, what's another example? Another common use case is managing separate accounts for development, testing and production environments. Oh, yeah, that's a classic one. So you don't want your developers accidentally pushing code to production or making changes to your live application. So you use AWS Organizations to set up those different environments, and you can even use it to enforce policies that prevent those kinds of accidents from happening. Okay, so we're talking about guardrails. Exactly. We're putting guardrails in place
Chris 3:48
make sure that no one goes off the rails, right? All right. What about a startup that's rapidly expanding into new geographic regions? Oh, that's
Kelly 3:55
a great one. So now you have to think about data sovereignty and compliance. You might need to have separate AWS accounts for each region to meet those requirements. Okay?
Chris 4:06
So AWS Organizations can help with that too. Absolutely, you
Kelly 4:10
can create a separate organizational unit or OU for each region, and you can apply different policies to each OU. So we're
Chris 4:19
getting pretty granular here. You can get as granular as you need. It sounds like AWS Organizations is pretty flexible.
Kelly 4:24
It is very flexible, and that's one of the things that makes it so powerful. So we've talked
Chris 4:28
about why AWS Organizations is important and we've looked at some real world examples, but let's dive a little bit deeper into the actual features and benefits of the service. Let's do it. All right. So first up, account management. How does AWS Organizations help us manage all these different AWS accounts?
Kelly 4:55
So with account management, AWS Organizations really simplifies the process of creating and grouping accounts within your organization. So you can create new accounts directly from within the organization's console, and you can group those accounts into organizational units or OUs, which we talked about a little bit earlier, right? So it's
Chris 5:12
kind of like creating folders on your computer, yeah, to keep things organized exactly,
Kelly 5:16
you're creating a hierarchy, a structure to manage all of your accounts, and
Chris 5:22
this is especially helpful when you're dealing with, you know, dozens or even hundreds of accounts. Absolutely,
Kelly 5:27
it can quickly become overwhelming to manage all of those accounts individually, but with organizations, you have that central point of control.
Chris 5:36
So what about policy based management? This is something that we've touched on a little bit already.
Kelly 5:40
Yeah, this is where the real power of AWS Organizations comes in. With policy-based management, you can use service control policies or SCPs to define the maximum available permissions for the accounts in your organization. Okay, so SCPs are like guardrails. Exactly. You can use them to prevent certain actions from being taken or to enforce certain security configurations. So for
Chris 6:03
example, you could create an SCP that prevents anyone from creating S3 buckets that are publicly accessible
Kelly 6:07
Exactly. That's a very common use case. You can also use SCPs to control things like which AWS services are allowed to be used, or to enforce tagging policies. So
Chris 6:18
it's a really powerful way to ensure consistency across your entire organization. Absolutely, especially when it comes to security and compliance. Yeah, you don't want
Kelly 6:27
to have to go into each individual account and configure those settings manually. With SCPs, you can do it all from one central place,
Chris 6:35
and that's a huge time saver. That
Unknown Speaker 6:37
is all right. Let's
Chris 6:38
talk about consolidated billing. This
Kelly 6:40
is one of my favorite features. Mine too. It's so convenient. Yeah, instead
Chris 6:44
of getting a separate bill for each AWS account,
Kelly 6:46
you get one consolidated bill for all of your accounts. And that just makes life so much easier, especially if you're dealing with a lot of
Chris 6:53
accounts. Yeah, no more trying to figure out which charges belong to which account, right? It's all right there in one place. And on top of that, you can actually get volume discounts by using consolidated billing. Exactly.
Kelly 7:04
So you're not only simplifying your billing, you're also potentially saving money.
Chris 7:10
So it's a win-win. It is. Now let's talk about security and compliance. Obviously,
Kelly 7:15
this is a huge concern for any organization that's operating in the cloud, and AWS Organizations provides a number of features that can help you meet your security and compliance
Chris 7:25
requirements. So we already talked about SCPs, which can be used to enforce security policies across your entire organization, right?
Kelly 7:32
But there are other features as well, like the ability to delegate access to specific accounts or OUs, so you can give
Chris 7:40
different teams or individuals, yeah, the appropriate level of access,
Kelly 7:44
Exactly. And you can also use AWS Organizations to integrate with other security tools like AWS CloudTrail and AWS Config,
Chris 7:52
right? So you can get a comprehensive view of your security posture, and you can track any changes that are made to your environment, so
Kelly 7:59
you can make sure that you're always in compliance.
Chris 8:01
So we've talked about a lot of the benefits of AWS Organizations, but are there any limitations that we should be aware of?
Kelly 8:08
There are a few things to keep in mind. First of all, setting up complex organizational structures can be a bit challenging, especially if you have a lot of accounts and OUs, so you need to plan carefully. Absolutely. You need to think about how you want to organize your accounts and what kind of policies you want to
Chris 8:25
enforce, right? Because once you set up your organizational structure, it can be difficult to change it later on. Exactly.
Kelly 8:30
Another thing to keep in mind is that there are some limitations around moving existing AWS accounts into an organization.
Chris 8:38
Okay? So you can't just take any AWS account and add it to your organization
Kelly 8:42
right? There are some requirements that need to be met, so it's something to be aware of.
Chris 8:47
It is. All right. So let's zoom out for a moment and look at how AWS Organizations fits into the broader AWS ecosystem. Okay, we've already talked about how it integrates with AWS CloudTrail and AWS Config for security and compliance, right? But it also integrates with other services
Kelly 9:05
like AWS IAM for identity and access management, right? So you can use IAM to control who has access to what within your organization, and you
Chris 9:13
can use organizations to define the overall structure and policies for your IAM users and roles. Exactly.
Kelly 9:18
So they work together to provide a comprehensive solution for managing access to your AWS resources.
Chris 9:24
And all of this is really important for those of you who are preparing for the AWS certification exams, absolutely,
Kelly 9:31
you need to understand how AWS Organizations fits into the bigger picture and
Chris 9:36
how it interacts with other AWS services, right? Because
Kelly 9:39
you're not just going to be tested on AWS Organizations in isolation. You're going to
Chris 9:44
be tested on how it all works together, exactly. So now that we've covered the basics of AWS Organizations, let's shift gears and dive into some exam style questions that will really test your understanding of this service. Let's do it. So we've covered a lot of ground here. From account management to policy based management to security. Are there any common pitfalls that we should watch out for when we're using AWS Organizations? Oh, yeah,
Kelly 10:09
absolutely. I think one of the biggest ones is not planning your organizational structure properly. Yeah, a lot of people just jump in and start creating accounts and OUs without really thinking about how they're all gonna fit together. Yeah, that makes sense, and then they end up with this messy, tangled web of accounts that's really hard to manage. So it's like building a house without a blueprint. Exactly. You need to have a plan. You need to think about your long term goals, and you need to make sure that your organizational structure can support those goals.
Chris 10:41
So what's a good way to approach planning your organizational structure? Well,
Kelly 10:44
the first step is to think about your business requirements. How many accounts do you need? How are those accounts going to be used? What kind of security and compliance requirements do you have? Okay, so we're thinking about the big picture. Exactly. Once you have a good understanding of your business requirements, you can start to think about how to group your accounts into OUs and how
Chris 11:06
to apply policies to those OUs, right? So it's a bit like playing Tetris, kind
Kelly 11:10
of you're trying to fit all of these different pieces together in the most efficient way possible, and
Chris 11:16
you want to avoid creating any unnecessary complexity, exactly. So are there any other pitfalls that we should be aware of?
Kelly 11:24
Another common one is not using SCPs effectively. Oh, yeah, those can be tricky. They can be because they're so powerful, right? If you're not careful, you can easily create an SCP that's too restrictive and that can prevent your users from doing their jobs, or you could create an SCP that's too permissive and that can open up your environment to security risks. So it's all about finding the right balance. Exactly. You need to strike a balance between security and usability, and that can be tough. It can be, but it's important to get it right. So
Chris 11:57
any tips for using SCPs effectively? Well, one tip is
Kelly 12:01
to start with a denial policy and then gradually add permissions as needed.
Chris 12:06
Okay, so we're starting with a very secure baseline, right?
Kelly 12:08
And then we're only opening up the holes that we absolutely need to. That's
Chris 12:12
a good approach.
Kelly 12:13
Another tip is to test your SCPs thoroughly before you apply them to your production environment. Yeah, that's always a good idea, because you don't want to accidentally break something. So
Chris 12:21
we talked about some of the pitfalls to avoid, but what about the benefits of using AWS Organizations? Well, we've already
Kelly 12:28
talked about a lot of them, like improved security, simplified billing and increased agility, but I think one of the biggest benefits is peace of mind. Peace of mind, yeah, when you know that you have a well organized and secure AWS environment, it just makes everything easier. Yeah,
Chris 12:45
you can sleep better at night, exactly. So if our listeners are looking to level up their AWS skills and prepare for those certification exams, mastering AWS Organizations is a great place to start.
Kelly 12:58
It is. It's a foundational service that will help you understand how to manage and secure your AWS environment,
Chris 13:04
and will also help you build a solid foundation for learning other AWS services.
Kelly 13:09
Exactly, all right. So
Chris 13:10
that wraps up our deep dive into AWS Organizations. I
Kelly 13:14
hope you found it helpful. I
Chris 13:15
know I did. I always learn so much from these conversations, too, and I'm sure our listeners feel the same way. So until next time, happy cloud building.
Kelly 13:23
Happy cloud building.
