In this article, we will familiarize readers with the Single-Master Hierarchy account for organizations and introduce its usefulness in the AWS landscape. We will also explain how a Single-Master Hierarchy Account is set up from within a main, root-level Enterprise account.
There is also the concept of a Policy Document, created at the parent organization level, which trickles down the chain to the member accounts. The permissions described in these documents are inherited by the member accounts and enforced whenever an account's services are invoked. Policies can also be created at the member level, from where they trickle down to that member's child accounts. This chain can extend to an nth-level hierarchy.
Why a multi-account organizational unit (OU)?
Large Enterprise Organizations are often comprised of several smaller entities, each with its own autonomous needs for how its infrastructure should be laid out. These infrastructure requirements can include security groups, VPCs, compute systems, database needs and more. Meeting them separately lets each sub-organization maintain better control over its P&L, based on its allocated budget. However, overall costs are still aggregated at the top-level Enterprise Organization for visibility and payment.
While these sub-organizations are given full autonomy within the larger organization, user account creation and permissions can be controlled by creating one single Account Unit, which becomes the central account for managing all users. This concept can be called a Single Master Hierarchy Account.
Additionally, by giving autonomy to these smaller Organizational Units, Enterprises encourage and promote a culture of innovation: teams can carry out R&D without fear of disturbing the main production account or infrastructure setup.
What are the single-master and multi-master hierarchy multi-account organizational units?
A Multi-Account Organizational Unit is a way to create smaller logical entities of a large organization's accounts within AWS. These smaller units are created from within the parent enterprise organization, called the Root Organization.
The following image shows how an enterprise can have multiple accounts. The Root represents the enterprise organization, the primary owner of all the accounts, including the member accounts.
In this example, the Root Organization has three main accounts: one Management Account and 2 Organization Unit Accounts. Once member accounts are established, they can work independently, with one caveat: whatever Policy is defined at the Root level will be enforced on the member accounts.
For example, through these policies a Root account admin can prevent a member account from launching a very large EC2 instance, which could cost the Root Organization a considerable sum of money. In other circumstances, an organization may not want compute resources to be launched in a specific region, due to compliance requirements. These policies are enforced at the member-account level on behalf of the Root Organization.
Cost roll-up at the sub-organization unit level can also be accounted for during a Multi-Master Hierarchy Account setup, as costs can be processed at the sub-organization level.
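The two restrictions just described (very large EC2 instance types and launches outside approved regions) and the way a policy attached higher up trickles down the whole chain can be modelled in a few lines. The following is an added example, not code from the article or from AWS: it implements the AWS Organizations rule that an action has to be permitted by the service control policies (SCPs) at every level from the Root down to the account, with an explicit Deny at any level winning. The two policy documents, the account and OU ids and the hierarchy are constructed for this example, and the evaluator covers only the statement shapes and condition operators those policies use.

```python
"""Added example (not the article's or AWS's code): a small model of how service
control policies (SCPs) attached at the Root and at organizational units trickle
down to member accounts.  Policies, ids and the hierarchy are constructed; the
evaluator models only Allow/Deny, Action wildcards and three string operators."""
from fnmatch import fnmatchcase

# AWS attaches FullAWSAccess to every root, OU and account by default: at each
# level an action needs a matching Allow and must not hit a matching Deny.
FULL_AWS_ACCESS = {"Statement": [
    {"Sid": "FullAWSAccess", "Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed, attached at the Root: reaches every member account.
APPROVED_REGIONS_SCP = {"Statement": [
    {"Sid": "DenyOutsideApprovedRegions", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}}]}

# Constructed, attached at the Sandbox OU only: production keeps large instances.
NO_LARGE_INSTANCES_SCP = {"Statement": [
    {"Sid": "DenyLargeInstanceTypes", "Effect": "Deny", "Action": "ec2:RunInstances",
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringLike": {"ec2:InstanceType": ["*.8xlarge", "*.16xlarge", "*.metal"]}}}]}

# Constructed hierarchy (placeholder ids): Root -> Sandbox OU -> Team A OU -> account.
HIERARCHY = {
    "r-root": {"parent": None, "scps": [FULL_AWS_ACCESS, APPROVED_REGIONS_SCP]},
    "ou-sandbox": {"parent": "r-root", "scps": [FULL_AWS_ACCESS, NO_LARGE_INSTANCES_SCP]},
    "ou-team-a": {"parent": "ou-sandbox", "scps": [FULL_AWS_ACCESS]},  # nth level, inherits both
    "111111111111": {"parent": "ou-team-a", "scps": [FULL_AWS_ACCESS]},
    "ou-production": {"parent": "r-root", "scps": [FULL_AWS_ACCESS]},
    "222222222222": {"parent": "ou-production", "scps": [FULL_AWS_ACCESS]},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Evaluate the subset of IAM condition operators used in the policies above."""
    for operator, pairs in condition.items():
        for key, values in pairs.items():
            actual = context.get(key)
            values = _as_list(values)
            if operator == "StringEquals":
                matched = actual in values
            elif operator == "StringNotEquals":
                matched = actual not in values
            elif operator == "StringLike":
                matched = actual is not None and any(fnmatchcase(actual, v) for v in values)
            else:
                raise ValueError(f"operator {operator} not modelled")
            if not matched:
                return False
    return True


def _statement_applies(stmt, action, context):
    if not any(fnmatchcase(action, pattern) for pattern in _as_list(stmt["Action"])):
        return False
    return _condition_matches(stmt.get("Condition", {}), context)


def evaluate_level(policies, action, context):
    """One level of the hierarchy: a matching Deny wins, otherwise a matching Allow is required."""
    allowed_by = None
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_applies(stmt, action, context):
                if stmt["Effect"] == "Deny":
                    return False, stmt["Sid"]
                allowed_by = stmt["Sid"]
    return allowed_by is not None, allowed_by or "no matching Allow"


def path_from_root(node_id, hierarchy=HIERARCHY):
    """Ids from the Root down to node_id, i.e. the chain the policies trickle along."""
    path = []
    while node_id is not None:
        path.insert(0, node_id)
        node_id = hierarchy[node_id]["parent"]
    return path


def scp_permits(account_id, action, context, hierarchy=HIERARCHY):
    """Every level from the Root to the account must permit the action; the first
    level that does not names the responsible statement.  SCPs only bound what
    an account may do: an IAM policy inside the account still has to grant it."""
    for node_id in path_from_root(account_id, hierarchy):
        ok, sid = evaluate_level(hierarchy[node_id]["scps"], action, context)
        if not ok:
            return False, f"denied at {node_id} by {sid}"
    return True, "permitted at every level"
```

Calling scp_permits("111111111111", "ec2:RunInstances", {"aws:RequestedRegion": "us-east-1", "ec2:InstanceType": "m5.16xlarge"}) reports the denial at ou-sandbox, while the same launch from the production account is permitted, and a launch in an unapproved region is stopped at the Root for both. The evaluate_level helper also shows why FullAWSAccess matters: a level whose only SCP is a Deny-only document has no matching Allow, so it denies every action.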
Set up a member account using a new AWS account
This section explains, step by step, the process of creating a new AWS account from the Root entity. After this setup, the newly created account will show under the Root account.
Steps:
1. Log in to AWS Root Console Account.
2. After Login, select Organization from your top right menu option.
3. From the Organization screen, select the “Add an AWS Account” option to initiate the account creation process.
4. Once you reach the Account Creation screen, you will see two options: Create an AWS Account, and Invite an existing AWS account.
5. Select the “Create an AWS Account” option.
6. Enter mandatory fields such as:
- New account name
- An existing email address that you can use to log in once the account is created
- Leave the role option as is
7. Select "Create AWS account".
After completing all the steps above, check the email address you provided in step 6. AWS wants to ensure that you are an actual user creating a real account.
Once you have received the welcome email from AWS, you can select the option of “Start building with the AWS Console”.
This option will take you to the AWS console sign-in screen, where you enter your email address and request a password reset. You will then receive an email to reset the password. Once you have reset it, you will be able to log in to the newly created AWS account.
Remember, this is still a member account of the Root/Parent account; its bills will be reported to the AWS Root account, as shown below.
Set up a member account using an existing AWS account
This section explains how to add an existing AWS account to the organization from the Root entity. After this setup, you will be able to see the newly added account under the Root account.
Steps:
1. Log in to AWS Root Console Account.
2. After Login, select Organization from your top right menu option.
3. From the Organization screen, select the “Add an AWS Account” option to initiate the account creation process.
4. Once you reach the Account Creation screen, you will see two options: Create an AWS Account and Invite an existing AWS account.
5. Select the “Invite an existing AWS account” option.
6. Provide an Account Name of your choice.
7. Provide an existing user email address.
8. You can add Tags if you like. Tags are a nice way to track resource costs in an AWS environment.
9. Select the “Create AWS Account” option to initiate the account creation process.
It may take a few seconds before the account is created and you are notified on the console screen. Once the account is created, it will be displayed under the Organization screen as seen below:
In order to manage multiple accounts, you may want to create virtual folders (organizational units) into which these accounts can be dropped, for example Production vs. Sandbox vs. QA environments.
You can move a member account by selecting it and choosing Move from the Actions drop-down, as depicted in the following image.
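The two console procedures above (creating a new member account and inviting an existing one) plus the organizational-unit and Move steps can also be driven through the AWS Organizations API, which is how they are usually scripted once an organization has more than a handful of accounts. The following is an added example written for this article, not AWS's or the article's own code. It uses the boto3 Organizations client calls create_account, describe_create_account_status, invite_account_to_organization, list_roots, create_organizational_unit, list_parents and move_account; the client is passed in as a parameter so the functions can be exercised against a fake, and a live run needs credentials for the management (Root) account. The email addresses, account names and ids are placeholders.

```python
"""Added example (not the article's or AWS's code): the console steps above driven
through the AWS Organizations API with boto3.  The client is passed in so the
functions can run against a fake; a real run needs credentials for the
management (Root) account.  Emails, names and ids below are placeholders."""
import time


def create_member_account(org, email, account_name, tags=None,
                          role_name="OrganizationAccountAccessRole",
                          poll_seconds=5, max_polls=60):
    """'Create an AWS account' path.  The call is asynchronous, so poll the
    request id until AWS reports SUCCEEDED; returns the new 12-digit account id."""
    params = dict(
        Email=email,
        AccountName=account_name,
        RoleName=role_name,              # the 'leave the role option as is' step
        IamUserAccessToBilling="ALLOW",  # bills still roll up to the management account
    )
    if tags:                             # e.g. [{"Key": "CostCenter", "Value": "team-a"}]
        params["Tags"] = tags
    request_id = org.create_account(**params)["CreateAccountStatus"]["Id"]
    for _ in range(max_polls):
        status = org.describe_create_account_status(
            CreateAccountRequestId=request_id)["CreateAccountStatus"]
        if status["State"] == "SUCCEEDED":
            return status["AccountId"]
        if status["State"] == "FAILED":
            raise RuntimeError(f"account creation failed: {status.get('FailureReason')}")
        time.sleep(poll_seconds)
    raise TimeoutError(f"request {request_id} still IN_PROGRESS after polling")


def invite_existing_account(org, account_email, notes="Please join the organization"):
    """'Invite an existing AWS account' path: opens a handshake that the invited
    account must accept from its own console before it becomes a member."""
    resp = org.invite_account_to_organization(
        Target={"Type": "EMAIL", "Id": account_email}, Notes=notes)
    return resp["Handshake"]["Id"]


def create_environment_ou(org, name):
    """A 'virtual folder' (organizational unit) such as Production, Sandbox or QA,
    created directly under the organization's Root."""
    root_id = org.list_roots()["Roots"][0]["Id"]
    ou = org.create_organizational_unit(ParentId=root_id, Name=name)
    return ou["OrganizationalUnit"]["Id"]


def move_account_to_ou(org, account_id, destination_ou_id):
    """The 'Actions -> Move' step; returns the parent the account was moved from."""
    source_id = org.list_parents(ChildId=account_id)["Parents"][0]["Id"]
    org.move_account(AccountId=account_id, SourceParentId=source_id,
                     DestinationParentId=destination_ou_id)
    return source_id


if __name__ == "__main__":
    import boto3  # only needed for a live run against the management account
    org = boto3.client("organizations")
    sandbox_ou = create_environment_ou(org, "Sandbox")
    new_id = create_member_account(org, "team-a@example.com", "team-a-sandbox",
                                   tags=[{"Key": "CostCenter", "Value": "team-a"}])
    print("created", new_id, "moved from", move_account_to_ou(org, new_id, sandbox_ou))
```

Because create_account is asynchronous, the account id only exists once describe_create_account_status returns SUCCEEDED, which is why the new account cannot be moved into its OU in the same call; the invite path likewise only returns a handshake id, and the account appears in the organization after the other side accepts.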
Conclusion
The AWS Multi-Account approach allows large organizations to provide limited control to the departments within the organization. This can also help with budget management, as each department can handle its own P&L when managing infrastructure costs. It is a two-pronged approach: innovation is not held captive by budget, while the over-arching parent organization keeps an eye on the overall cost of the enterprise and also retains control of user management.