In this webinar, we will take a deep dive into AWS Organizations, what it is, and why you should use it. We will review how to use the open-source tool org-formation to manage your entire AWS Organization using infrastructure-as-code.
2. About Moneyou
• Full subsidiary of ABN AMRO
• Online savings since 2008
• 0.5 million customers in NL and DE
• Combined savings & payments product
• Small organization (<160 FTE)
• Focus on UX and customer value
3. Moneyou <3 Serverless
We believe Serverless greatly improves
• Time to market of solutions built
• Ability to maintain the software we built
• Focus on delivering customer value
• Ability to demonstrate we are compliant
4. AWS Services typically used at Moneyou
• Some satisfy functional requirements
API GW, Lambda, DynamoDB, Step Functions
• Some satisfy nonfunctional requirements
SQS, SNS, CloudWatch
• Some satisfy IT Security requirements
Secrets Manager, IAM and AWS Organizations
5. Serverless, not FaaS
Serverless services are:
• Inherently scalable
• Highly available
• Pay per use, with no capacity planning
• Secured at the host level by AWS
• Compliant under PCI, SOC, ISO and others
6. AWS Organizations
• Account management service
• Provides API to create new AWS accounts
• Central insight into billing & cost analysis
• Hierarchically organize AWS accounts
• Apply policies to accounts
7. Why have multiple AWS accounts?
Probably for the same reason you don’t run production software on development environments.
8. Why have multiple AWS accounts?
Benefits of a multi account setup
• Limited blast radius – because mistakes can happen
• Security boundary – simplifies implementing least privilege
• Data governance – control access to GDPR governed data
• Scalability – each account gets its own resource limits
• Cost monitoring – without tagging
https://dev.to/oconijn/off-to-a-great-start-with-aws-organizations-1i74
9. Why have multiple AWS accounts?
Typical Serverless application design
• Resources: API GW, Lambda, SNS, DynamoDB
• Services: Unit of deployment, high cohesion (within), low coupling
• Product: Value delivered to customer, multiple environments
By default, all resources within an account can be accessed by other resources within that account (resource policy).
10. Why not use AWS Organizations?
Reasons not to use AWS Organizations
• Didn’t know – well, not anymore
• Don’t care – fair enough
• Too Complex – we’ve fixed this
> npm i aws-organization-formation -g
11. AWS Organization Formation
Three main use cases
1. Infrastructure as code for AWS Organizations
2. Continuous delivery of account baseline
3. Cross account, cross region annotated CloudFormation
13. Infra as code for AWS Organizations
Support for
1. Infra as code support for AWS Organizations resources
2. Creating AWS Accounts, OUs and SCPs
3. Multiple models per AWS Organization
4. Setting up Account IAM Alias, Password Policy and Enterprise Support
5. Change sets that can be reviewed and applied
17. Organization annotated CloudFormation
Support for
1. Deploying CloudFormation resources to multiple accounts
2. Referencing organization resources and attributes
3. Resolving !Ref across target AWS Accounts and Regions
4. Generating resources for each account in a binding (`for-each`)
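As an added illustration of points 1 to 3 above (not a template from the talk or from the org-formation project itself), the following organization-annotated CloudFormation template deploys a read-only audit role into every account of the organization and uses a cross-account !Ref to trust a central audit account. It assumes a separate organization.yml that defines an OC::ORG::Account resource with the logical name AuditAccount.

```yaml
AWSTemplateFormatVersion: '2010-09-09-OC'
Description: Read-only audit role deployed to every account in the organization

# The organization model (accounts, OUs, SCPs) lives in its own file.
# Assumption: organization.yml defines an OC::ORG::Account named AuditAccount.
Organization: !Include ./organization.yml

# Named binding: every account except the audit account itself, one region.
OrganizationBindings:
  AllMemberAccountsBinding:
    Account: '*'
    ExcludeAccount: !Ref AuditAccount
    Region: eu-west-1

Resources:
  AuditReadOnlyRole:
    Type: AWS::IAM::Role
    OrganizationBinding: !Ref AllMemberAccountsBinding
    Properties:
      RoleName: OrgAuditReadOnly
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            # !Ref AuditAccount resolves to the audit account's id in every
            # target account the stack is deployed to (cross-account !Ref).
            Principal:
              AWS: !Ref AuditAccount
            Action: sts:AssumeRole
            # Require MFA on the assuming session (least privilege for auditors).
            Condition:
              Bool:
                aws:MultiFactorAuthPresent: 'true'
      # AWS managed read-only policy for security reviews; no write access.
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/SecurityAudit
```

Running `org-formation perform-tasks` (or `update-stacks` on this file) produces one stack per bound account and region, and the generated change set can be reviewed before anything is applied.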
18. Organization annotated CloudFormation
Comparison with CloudFormation StackSets
1. Both deploy stacks across multiple accounts / regions
2. Org-formation deploys different parts of a single template to different accounts / regions
3. Org-formation supports cross account / cross region !Ref, !GetAtt
4. Support for CloudFormation, serverless.com, CDK
19. Thank you!
• No time like the present to get started with AWS Organizations!
• Try org-formation at
https://github.com/OlafConijn/AwsOrganizationFormation
• Reach out over email: olaf.conijn at moneyou.nl
• Questions, issues, stars & PRs are welcome!