1.4 Design a Multi-Account AWS Environment
AWS Organizations
Structure & Governance
- Root: The parent container for all accounts.
- OUs (Organizational Units): Logical groups for accounts (e.g., Security, Prod, Dev). Apply SCPs here.
- Management Account: The paying account that owns the Organization. SCPs do not apply to it, so anyone with access to it can bypass every guardrail you set on the OUs. Keep it clean (no workloads, no application resources), lock down its root user and IAM principals, and delegate security tooling (GuardDuty, Security Hub, Config aggregation) to a member account where the service supports a delegated administrator.
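The way SCPs combine down that hierarchy is easiest to see in code. The following is an added example, not part of the original notes or of any AWS tooling: a small model of SCP evaluation in which an action must be allowed at every level (root, each OU on the path, the account) and then still granted by IAM, an explicit Deny at any level wins, and the management account is exempt. The PROTECT_LOGGING policy is an assumed guardrail written for this example; FullAWSAccess is the AWS-managed default that is attached to every target. Conditions, NotAction and Resource matching are deliberately not modeled.

```python
"""Minimal model of how SCPs combine down the Organizations hierarchy.

Added example, not from the original notes. Three rules are modeled:
an SCP never grants anything on its own (the action must be allowed at
every level root -> OU -> account, then by IAM), an explicit Deny at any
level wins, and the management account is exempt from SCPs entirely.
"""
import fnmatch

# AWS-managed default SCP attached to the root, every OU and every account;
# without an Allow like this at a level, nothing passes that level.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Assumed guardrail for a Prod/Security OU (example content, not from the page).
PROTECT_LOGGING = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyTamperingWithTrails", "Effect": "Deny",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                    "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"],
         "Resource": "*"},
        {"Sid": "DenyLeavingOrg", "Effect": "Deny",
         "Action": "organizations:LeaveOrganization", "Resource": "*"},
    ],
}


def _actions(stmt):
    action = stmt.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def _matches(pattern, action):
    # IAM action names are case-insensitive and support * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def level_allows(policies, action):
    """Evaluate all SCPs attached at one level (root, an OU, or the account).

    Deny beats Allow; with no matching Allow at all the action is blocked here.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if any(_matches(p, action) for p in _actions(stmt)):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


def action_permitted(action, path, is_management_account=False):
    """path: one list of SCPs per level, from the root down to the account.

    Returns whether SCPs leave the action available; IAM policies in the
    account still have to grant it.
    """
    if is_management_account:
        return True  # SCPs do not restrict the management account at all
    return all(level_allows(level, action) for level in path)


if __name__ == "__main__":
    root = [FULL_AWS_ACCESS]
    prod_ou = [FULL_AWS_ACCESS, PROTECT_LOGGING]
    account = [FULL_AWS_ACCESS]
    path = [root, prod_ou, account]
    print(action_permitted("cloudtrail:StopLogging", path))   # False: denied at the OU
    print(action_permitted("ec2:RunInstances", path))         # True
    # Detach FullAWSAccess from the OU and every action is cut off beneath it
    print(action_permitted("ec2:RunInstances", [root, [PROTECT_LOGGING], account]))  # False
    # The same deny does nothing for the management account
    print(action_permitted("cloudtrail:StopLogging", path, is_management_account=True))  # True
```

The third call is the mistake people make in real Organizations: replacing FullAWSAccess on an OU with a deny-list policy instead of adding the deny-list beside it, which silently cuts off every action for the accounts underneath.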
Consolidated Billing
- Feature: Aggregates usage across accounts for volume discounts (e.g., S3 storage tiers, EC2 RIs).
- Reserved Instances (RI) and Savings Plans Sharing: Discounts from RIs or Savings Plans purchased in one account apply to matching usage in other accounts of the same Organization unless sharing is turned off for that account. The reservation itself stays owned by the purchasing account; only the discount floats.
WARNING
Exam Gotcha: By default, an Organization's RI and Savings Plans discounts float across all accounts. To stop this (e.g., to keep cost centers separate), the management account must explicitly turn off discount sharing for the affected account(s) under Billing preferences in the Billing console; member accounts cannot change this themselves.
AWS RAM (Resource Access Manager)
- Function: Share resources with other accounts, OUs, or the whole Organization without duplicating them, peering VPCs, or assuming cross-account roles. Once sharing with AWS Organizations is enabled, principals inside the Organization do not need to accept invitations.
- Shareable Resources: Transit Gateways, Subnets (VPC Sharing), License Configurations, Route 53 Resolver Rules.
- VPC Sharing: Allows multiple accounts to launch resources into the same subnets.
- Benefits: Simplified networking (fewer peering connections), separation of duties (Network team owns VPC, App teams own instances).
WARNING
Exam Gotcha: You cannot share Security Groups or NACLs via RAM. Security groups are bound to a VPC and owned by the account that created them. In a shared VPC, participants create and manage their own security groups inside the shared VPC and can reference security groups owned by the VPC owner or other participants in their rules, but they cannot modify another account's groups. NACLs, route tables, and the VPC itself remain under the owner's control; participants can only view them.
Centralized Logging
Architecture Pattern
- Source Accounts: Enable CloudTrail, VPC Flow Logs, Config.
- Aggregation: Have each source deliver directly to the central bucket (CloudTrail, Config, and VPC Flow Logs can all write cross-account to an S3 bucket whose bucket policy allows it), or use CloudWatch Logs cross-account destinations (backed by Kinesis) for streamed log groups. S3 replication (cross-region or cross-account) is for a secondary copy, not the primary aggregation path.
- Log Archive Account: Central S3 bucket with strict controls: a bucket policy that only admits the delivering services (scoped with aws:SourceArn or aws:SourceAccount conditions), SSE-KMS, no human write access, versioning with MFA Delete, and Object Lock in compliance mode so that even an account admin cannot shorten retention or delete objects.
- Analysis: Kinesis Data Firehose to stream logs to Splunk/OpenSearch; keep S3 as the immutable source of truth and treat the analytics copy as disposable.
WARNING
Exam Gotcha: An Organization trail is created in the management account (or in a CloudTrail delegated administrator account) and automatically logs events for every member account, including accounts that join later. Member accounts can see the trail but cannot modify, stop, or delete it. Turn on log file validation so the Log Archive account can detect deleted or altered log files via the signed digest files.
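The Log Archive bucket policy is where this pattern is most often weakened. Below is an added example, not part of the original notes or any AWS sample, of a bucket policy in the shape AWS documents for Organization trails (CloudTrail may check the bucket ACL and write under AWSLogs/<management-account>/ and AWSLogs/<org-id>/, but only when the request comes from this trail), together with a check for the usual mistake: an Allow for a service principal with no aws:SourceArn/aws:SourceAccount/aws:SourceOrgID condition. Because cloudtrail.amazonaws.com is the same principal for every customer, such a statement lets any account's trail write into your bucket (a confused-deputy problem). The Organization ID, account ID, bucket name, and trail ARN are placeholders; MFA Delete and Object Lock are bucket settings rather than policy statements and are not shown.

```python
"""Log Archive bucket policy for an Organization trail, plus a check for
service-principal grants that are not pinned to a source.

Added example, not from the original notes. All identifiers are placeholders.
"""
import copy
import json

ORG_ID = "o-exampleorgid"            # placeholder Organization ID
MGMT_ACCOUNT = "111111111111"        # placeholder management account ID
BUCKET = "example-org-log-archive"   # placeholder bucket in the Log Archive account
TRAIL_ARN = f"arn:aws:cloudtrail:us-east-1:{MGMT_ACCOUNT}:trail/org-trail"  # placeholder


def org_trail_bucket_policy(bucket, org_id, mgmt_account, trail_arn):
    """Build the bucket policy that lets exactly one Organization trail deliver."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
             "Principal": {"Service": "cloudtrail.amazonaws.com"},
             "Action": "s3:GetBucketAcl", "Resource": bucket_arn,
             "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}}},
            {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
             "Principal": {"Service": "cloudtrail.amazonaws.com"},
             "Action": "s3:PutObject",
             # Org trails write the management account's own events under its
             # account ID and every member account's events under the org ID.
             "Resource": [f"{bucket_arn}/AWSLogs/{mgmt_account}/*",
                          f"{bucket_arn}/AWSLogs/{org_id}/*"],
             "Condition": {"StringEquals": {
                 "s3:x-amz-acl": "bucket-owner-full-control",
                 "aws:SourceArn": trail_arn}}},
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [bucket_arn, f"{bucket_arn}/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        ],
    }


# Condition keys that pin a service-to-service request to a caller.
SOURCE_KEYS = {"aws:sourcearn", "aws:sourceaccount", "aws:sourceorgid"}


def unscoped_service_grants(policy):
    """Return the Sids of Allow statements that admit an AWS service principal
    without tying the request to a source resource, account, or Organization."""
    bad = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not (isinstance(principal, dict) and "Service" in principal):
            continue
        keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        if not keys & SOURCE_KEYS:
            bad.append(stmt.get("Sid", "<no Sid>"))
    return bad


def without_condition(policy, sid):
    """Copy of the policy with one statement's Condition removed (the weak form)."""
    weak = copy.deepcopy(policy)
    for stmt in weak["Statement"]:
        if stmt.get("Sid") == sid:
            stmt.pop("Condition", None)
    return weak


if __name__ == "__main__":
    hardened = org_trail_bucket_policy(BUCKET, ORG_ID, MGMT_ACCOUNT, TRAIL_ARN)
    print(json.dumps(hardened, indent=2))
    print(unscoped_service_grants(hardened))                                   # []
    weak = without_condition(hardened, "AWSCloudTrailWrite")
    print(unscoped_service_grants(weak))                                       # ['AWSCloudTrailWrite']
```

Run the checker over every bucket policy in the Log Archive account, not just the CloudTrail one: Config delivery channels and VPC Flow Logs use the same service-principal pattern and need the same source conditions.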