A large organization is planning on AWS to host its resources.
They have several autonomous departments that wish to use AWS.
What could be the strategy to adopt for managing the accounts?
Click on the arrows to vote for the correct answer
A. B. C. D.Answer: D.
Option A is incorrect since AWS recommends using a multiple account strategy for a company that wants multiple autonomous departments to access AWS resources and services.
Options B is incorrect since it would be an operational overhead to manage multiple IAM groups for multiple departments under one AWS account.
This eliminates the isolation of resources and increases the blast radius in case of a security breach.
Option C is incorrect because creating separate IAM roles does not provide the best security practice for multiple autonomous departments working under a single account.
There is a security concern for multiple environments (Dev, Test & Prod) under one account.
Option D is CORRECT because multiple accounts for each autonomous department are recommended as an AWS best practice.
The approach can isolate workloads, limited visibility and minimize the blast radius (during security breach).
For more information on AWS Multi-Account best practices, kindly refer to the following URL:
https://d0.awsstatic.com/aws-answers/AWS_Multi_Account_Security_Strategy.pdfWhen an organization decides to use AWS, they can have multiple departments or teams who want to use the same AWS resources. In such cases, it's essential to have a strategy for managing accounts.
A) Use multiple VPCs in the account, one VPC for each department: This strategy suggests using multiple Virtual Private Clouds (VPCs) in one AWS account, where each VPC is dedicated to a specific department. VPCs are isolated from each other, which ensures that resources in one VPC cannot communicate with resources in another VPC, unless explicitly allowed. While this approach can provide some level of isolation between departments, it can be challenging to manage multiple VPCs, and it may not provide adequate separation between departments.
B) Use multiple IAM groups, one group for each department: This strategy involves creating multiple Identity and Access Management (IAM) groups in one AWS account, where each group is dedicated to a specific department. IAM groups allow administrators to manage permissions for multiple users, and each group can have its own set of policies. This approach can work well if the departments have similar access requirements, but it can be challenging to manage multiple groups, and it may not provide sufficient separation between departments.
C) Use multiple IAM roles, one role for each department: This strategy suggests creating multiple IAM roles in one AWS account, where each role is dedicated to a specific department. IAM roles enable administrators to delegate access to AWS resources without having to share long-term credentials. Each role can have its own set of policies, providing fine-grained access control. This approach can provide better separation of duties between departments and is relatively easy to manage.
D) Use multiple AWS accounts, one account for each department: This strategy involves creating multiple AWS accounts, where each account is dedicated to a specific department. Each account has its own set of resources, IAM users, and permissions. This approach provides the most robust isolation between departments and ensures that resources in one account cannot affect resources in another account. However, it can be challenging to manage multiple AWS accounts, and it may require additional resources for administration.
Overall, using multiple IAM roles or multiple AWS accounts are the recommended strategies for managing accounts in AWS for multiple departments or teams. While multiple VPCs or IAM groups can provide some level of isolation between departments, they may not be the best approach for larger organizations or when more robust separation is needed.