You can use the consolidated billing feature in AWS Organizations to consolidate billing and payment for multiple AWS accounts or multiple Amazon Web Services India Private Limited (AWS India) accounts. Every organization in AWS Organizations has a management account that pays the charges of all the member accounts. For more information about organizations, see the AWS Organizations User Guide.
Consolidated billing has the following benefits:
- The member account bills are for informational purposes only. The management account might reallocate the additional volume discounts, Reserved Instance, or Savings Plans discounts that your account receives.
- If you have access to the management account, you can see a combined view of the AWS charges that the member accounts incur. You also can get a cost report for each member account.
- AWS and AWS India accounts can't be consolidated together. If your contact address is in India, you can use AWS Organizations to consolidate AWS India accounts within your organization.
- When a member account leaves an organization, the member account can no longer access Cost Explorer data that was generated when the account was in the organization. The data isn't deleted, and the management account in the organization can still access the data. If the member account rejoins the organization, the member account can access the data again.
By Jonathan Pape, Sr. Cloud Systems Engineer at Logicworks

As larger and more complex workloads are deployed on Amazon Web Services (AWS), multi-account solutions are an increasingly common architectural blueprint. These multi-account blueprints, often referred to as cloud “landing zones,” enable simple administrative boundaries along with a more confined blast radius. However, using multiple accounts also increases the complexity of security tooling, access control and authorization, and cross-account networking. AWS Control Tower simplifies the process of setting up new multi-account environments with predefined security baseline templates. AWS Control Tower also enables self-service for new account provisioning with automated application of baselines and account standards. At Logicworks, an AWS Partner Network (APN) Premier Consulting Partner and Managed Service Provider (MSP), we have built many AWS Control Tower deployments in a wide variety of industries. In this post, we share our best practices for deploying AWS Control Tower services, having gleaned those best practices through real-world trial and error. We’ll show you how AWS Control Tower helps you automate the build-out of a multi-account architecture based on AWS best practices. We will also share real-life stories of how companies are using AWS Control Tower to build and maintain large, complex AWS environments.

What is AWS Control Tower?

AWS Control Tower helps you set up and govern a new, secure, multi-account AWS environment. You can manage the service through the AWS Control Tower dashboard, which gives you continuous visibility into your AWS environment. You can view the number of organizational units (OUs) and accounts provisioned and the number of guardrails enabled. You can also check the status of your OUs and accounts against those guardrails, and see a list of non-compliant resources.
In essence, the AWS Control Tower dashboard is an overlay interface to AWS foundational services and administration elements that collectively deliver a landing zone solution.

Figure 1 – AWS Control Tower services and administrative elements.

By combining the foundational services and administrative elements shown in Figure 1, AWS Control Tower provides:
Here is a brief summary of what each component does for our overall solution:
AWS Control Tower can also work with functionality not yet exposed in the dashboard, but available in the direct configuration of the foundational services. For example, you can repoint AWS SSO to another identity provider directory, including Azure Active Directory or AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD). This type of AWS SSO configuration works in an AWS Control Tower environment, but is not yet displayed in the dashboard itself. You can also extend Control Tower with customizations. Figure 2 shows the AWS Control Tower dashboard with a few accounts provisioned.

Figure 2 – AWS Control Tower dashboard.

How is AWS Control Tower Different from AWS Landing Zone?

Prior to the release of AWS Control Tower, the AWS Landing Zone solution provided a similar blueprint for deploying a multi-account landing zone. AWS Landing Zone was only available via an approved APN Partner or a partner-led professional services engagement. AWS Landing Zone delivered similar functionality to AWS Control Tower, but was delivered via AWS CodePipeline and had no interface in the AWS console. However, most of the functionality delivered by AWS Landing Zone has been migrated into AWS Control Tower. Capabilities that were formerly delivered as AWS Landing Zone “add-ons” are available in AWS Control Tower with the Customizations for Control Tower solution. Some functionality found in AWS Landing Zone has been removed from the default AWS Control Tower deployment to reduce initial cost and complexity. For example, Amazon GuardDuty is no longer enabled in accounts by default, and AWS Control Tower no longer deploys a Shared Services account automatically. AWS Control Tower now only deploys two managed AWS accounts into the core organizational unit: Log archive and Audit. AWS Control Tower is currently the recommended AWS solution for all new multi-account landing zone deployments.
Best Practices for Setting up AWS Control Tower

At Logicworks, an AWS Security Competency Partner, we have built many AWS Control Tower deployments for companies in a wide variety of industries. We gleaned the following best practices through trial and error with AWS Control Tower services. We hope they help you answer common questions. Best practices include:
Automate the Creation of Amazon VPCs

Account Factory creates an initial set of Amazon VPCs for the accounts to be managed by AWS Control Tower. You may be able to leverage those VPCs if you meet these conditions:
However, the vast majority of use cases require VPCs in each account to communicate with other VPCs in AWS Control Tower. For these use cases, we recommend configuring AWS Control Tower without a VPC. You can also create Amazon VPCs outside Account Factory by using AWS Service Catalog. Simply create a standardized VPC deployment Service Catalog Portfolio and Service Catalog Product in the Master account. Then, share that Portfolio with the rest of the accounts for customized VPC creation. The VPC Product can also contain adjunct resources for automated AWS Transit Gateway attachment, routing tables, standard Network Access Control List (network ACL) rules, Route 53 Resolver, and shared rules, among others. This approach ensures your desired networking configuration is created the same way in every account. In turn, that significantly reduces the manual configuration effort to create new VPCs. It’s especially useful in use cases for which you frequently create customized VPCs.

Use AWS Transit Gateway

Managing point-to-point connectivity across many Amazon VPCs, without the ability to centrally manage the connectivity policies, can be operationally costly and cumbersome. For on-premises connectivity, you must attach your AWS Virtual Private Network (AWS VPN) to each individual Amazon VPC. This solution can be time consuming to build and hard to manage when the number of VPCs grows into the hundreds. AWS Transit Gateway is a service that enables you to connect your Amazon VPCs and on-premises networks to a single gateway. It’s a complementary service to AWS Control Tower’s multi-account architecture. To connect VPCs in all the accounts in your AWS Control Tower, you only have to create and deploy a “centralized router” from the central gateway. From that point on, AWS Transit Gateway acts as a hub that controls how traffic is routed among all the connected networks, which act like spokes.
This hub-and-spoke model significantly simplifies management and reduces operational costs because each network only has to connect to AWS Transit Gateway and not to every other network. Any new VPC is simply connected to AWS Transit Gateway, and is then automatically available to every other network connected to the AWS Transit Gateway. If you want to more narrowly define the routing between VPCs on AWS and your on-premises network, you can use AWS Transit Gateway to enable hybrid connectivity on AWS Control Tower. Simply attach provisioned dedicated network connections of AWS Direct Connect, AWS VPN, and site-to-site VPNs to AWS Transit Gateway.

Deployment Tip

To make AWS Transit Gateway available for all the VPCs in your AWS Control Tower solution, share the AWS Transit Gateway using the AWS Resource Access Manager (AWS RAM). Once you share the AWS Transit Gateway to the AWS Control Tower accounts using their organization IDs, the VPCs in each account can view the AWS Transit Gateway. They can also submit AWS Transit Gateway attach requests to connect an Amazon VPC to the centralized AWS Transit Gateway using software defined networking. If you want to deliver all traffic to the AWS Transit Gateway for centralized egress routing (default route 0.0.0.0/0), or route only on-premises-directed traffic to the AWS Transit Gateway, add local VPC route table routes.

Enable Self-Service with AWS Service Catalog

A common design goal is to enable developer teams and business unit owners to self-provision new environments, while ensuring mandatory security tooling is in place. AWS Control Tower supports self-service provisioning of new accounts with Account Factory. The process ensures automated deployment of security rules via AWS Control Tower guardrails. Logicworks has frequently extended self-provisioning capabilities in landing zone projects.
We have done so by leveraging AWS Service Catalog to allow users to deploy default infrastructures according to templates, such as default Amazon VPCs that automatically attach to AWS Transit Gateway. You can create a selection of default application infrastructures in AWS Service Catalog and automatically share them with new accounts. This enables business unit owners of the new accounts to quickly launch approved infrastructure patterns that align with standards for security and logging in AWS Control Tower.

Use AWS Single Sign-On

If you work with multiple AWS accounts across several teams and business units, you need a centralized approach for access and authentication to your AWS resources. By default, AWS Control Tower includes AWS Single Sign-On as a mechanism for identity management, using a default directory. You can access AWS SSO either through the AWS Console or through API functions you enter in the command line interface (CLI). With either form of access, you have two options for identity providers:
Option 1: Use the Default SSO Directory

In a standard AWS Control Tower deployment, you administer SSO users in the default SSO directory, which you set up during the initial deployment of AWS Control Tower. The standard deployment also sets up a default set of AWS SSO permission sets and user groups. You can view these permission sets and user groups in the AWS Control Tower dashboard. From there, you can also create users and add them to these groups directly via the AWS SSO portal.

Figure 3 – AWS Control Tower users and access.

Option 2: Use an External Identity Provider

At Logicworks, we often get a requirement to integrate AWS SSO with a different identity provider. You can use an external provider because AWS SSO supports using Microsoft Active Directory or Azure Active Directory as the identity source. You can use Microsoft Active Directory in the form of on-instance, on-premises, or AWS Managed Microsoft AD. Depending on the specifics of your Active Directory deployment, you may also need to deploy an AWS Directory Service Active Directory Connector to proxy the authentication requests between AWS SSO and Active Directory. Once deployed, the Active Directory Connector simplifies logins and resource management. It also lets you enforce the same security policies on-premises and in the cloud, and enables multi-factor authentication.

Reflect Internal Organization Structures and Patterns in AWS Control Tower

We have had individual business unit owners and development groups request individual AWS accounts for running “their own stuff.” These separate accounts simplify billing and access control for the leaders of these groups. In fact, AWS Control Tower allows you to create these separate environments and maintain default security standards through guardrails. By using service control policies (SCPs), you can configure developer accounts with very open sandbox permissions, and configure production accounts with more restrictive permissions.
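As an added illustration of the sandbox-versus-production SCP split described above (example code written for this page, not Logicworks' or AWS's own templates), the CloudFormation template below attaches one permissive SCP to a sandbox OU and a stricter one to a production OU; the OU IDs are placeholders and the approved-region list is an assumption.

```yaml
# Added example (not Logicworks or AWS code); OU IDs are placeholders, approved regions an assumption.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  SandboxOuId:
    Type: String          # ou-xxxx-xxxxxxxx placeholder
  ProductionOuId:
    Type: String          # ou-xxxx-xxxxxxxx placeholder
Resources:
  # Sandbox OU: developers keep wide-open permissions, but no one can detach the
  # account from the organization or blind the central audit trail.
  SandboxGuardrails:
    Type: AWS::Organizations::Policy
    Properties:
      Name: sandbox-guardrails
      Type: SERVICE_CONTROL_POLICY
      TargetIds:
        - !Ref SandboxOuId
      Content:
        Version: "2012-10-17"
        Statement:
          - Sid: ProtectOrgMembershipAndAuditTrail
            Effect: Deny
            Action:
              - organizations:LeaveOrganization
              - cloudtrail:StopLogging
              - cloudtrail:DeleteTrail
            Resource: "*"
  # Production OU: the same protections, plus AWS Config recording stays on and
  # EC2 may only be used in the approved regions.
  ProductionGuardrails:
    Type: AWS::Organizations::Policy
    Properties:
      Name: production-guardrails
      Type: SERVICE_CONTROL_POLICY
      TargetIds:
        - !Ref ProductionOuId
      Content:
        Version: "2012-10-17"
        Statement:
          - Sid: ProtectOrgMembershipAndAuditTrail
            Effect: Deny
            Action:
              - organizations:LeaveOrganization
              - cloudtrail:StopLogging
              - cloudtrail:DeleteTrail
              - config:StopConfigurationRecorder
              - config:DeleteConfigurationRecorder
            Resource: "*"
          - Sid: DenyEc2OutsideApprovedRegions
            Effect: Deny
            Action: ec2:*
            Resource: "*"
            Condition:
              StringNotEquals:
                aws:RequestedRegion: [eu-west-1, us-east-1]
```

The stack must be created in the organization's management account, and SCPs never restrict the management account itself, so production workloads belong in member accounts under the OU. Leave the SCPs that AWS Control Tower manages untouched; these policies are attached alongside them.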
Additional AWS Control Tower Considerations

These are some additional considerations to keep in mind when you set up AWS Control Tower.
Managing AWS Control Tower Costs

The same basic principles for managing cloud costs on AWS apply to managing costs in AWS Control Tower. These include reducing unused resources and leveraging Spot and reserved instances of Amazon Elastic Compute Cloud (Amazon EC2). However, AWS Control Tower provides additional capabilities and some enhanced options for cost control:
Consolidated Billing

Through AWS Organizations, which provide central governance and management across AWS accounts, the billing data for all accounts is centralized into a consolidated billing report. This allows organization-wide visibility through AWS Cost Explorer and forecasting and alerting through AWS Budgets. We recommend the following best practices and products to make the most of this reporting:
AWS Reserved Instances, Savings Plans, and Service Control Policies

AWS provides more options than ever to reduce costs through spending commitments via Amazon EC2 Reserved Instances and Savings Plans for AWS compute services. Using AWS Organizations, AWS Control Tower helps manage commitments in aggregate:
Launching AWS Control Tower in the Real World

Over the past year, Logicworks has launched nearly a dozen multi-account solutions for a wide variety of customers. AWS Control Tower is a perfect toolset for any company that must segregate business units or SaaS tenants, while maintaining central billing and security baselines. The companies we’ve worked with have been pleased with the result: a secure, well-organized account structure that can expand with their company. These are just three of the multi-account projects we’ve worked on in the last 12 months:
Conclusion

AWS Control Tower doesn’t just simplify the process of building out multi-account architectures, it also gives you a dashboard and other tools for long-term manageability. We believe this is the reason AWS Control Tower is becoming more popular. Companies understand the pain of managing disparate cloud environments. The elegant way in which AWS Control Tower handles complex matters like authentication and provisioning sets it apart from other cloud platforms. If you’re planning to launch an AWS Control Tower-based environment, we encourage you to seek out expert help. Leveraging an approved AWS Control Tower partner like Logicworks can dramatically accelerate the training, design, and build process. It also ensures a secure, cost-efficient solution. If you’re interested in learning more about AWS Control Tower, explore the getting started documentation. To learn more about Logicworks, please visit our website. The content and opinions in this blog are those of the third party author and AWS is not responsible for the content or accuracy of this post.

Logicworks – APN Partner Spotlight

Logicworks is an APN Premier Consulting Partner. They provide expertise in complex infrastructure for industries with high security and compliance requirements, including finance, healthcare, and retail.

Which service enables you to consolidate and manage multiple AWS accounts?
AWS Organizations is an account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage.

Which of the following AWS cost management tools allows you to view your AWS bills in the most granular detail?
AWS Cost Explorer helps you visualize, understand, and manage your AWS costs and usage over a daily or monthly granularity. You can also access your data with further granularity by enabling hourly and resource level granularity.

Which AWS service or feature allows a company to visualize, understand, and manage AWS costs and usage over time?
AWS Cost Explorer is a feature that you can use to visualize your cost data for further analysis.

Which of the following can be used to view one bill when you have multiple AWS accounts?
You can use the consolidated billing feature in AWS Organizations to consolidate billing and payment for multiple AWS accounts or multiple Amazon Internet Services Pvt.