Designing a security strategy for multiple AWS accounts (for example, AWS Control Tower, service control policies [SCPs])

Task Statement 1.1: Design secure access to AWS resources.

📘AWS Certified Solutions Architect – (SAA-C03)


When managing AWS resources in a large organization, it’s not enough to just secure a single account. Companies often use multiple AWS accounts for different purposes, such as:

  • Production vs. development environments
  • Different business units or teams
  • Specific compliance or security requirements

Managing security across many accounts can get complicated. That’s where AWS Control Tower and Service Control Policies (SCPs) come in.


1. AWS Control Tower

AWS Control Tower is a service that helps you set up and govern a secure, multi-account AWS environment quickly and consistently.

Think of it as a management console that automates best practices for security and governance across all your accounts.

Key Features of AWS Control Tower

  1. Landing Zone:
    • This is a pre-configured environment with multiple accounts and security settings.
    • Provides a baseline setup that follows AWS best practices for security and compliance.
  2. Account Factory:
    • A way to create new AWS accounts automatically with predefined configurations.
    • Ensures every new account starts with the same security settings, network setups, and policies.
  3. Guardrails:
    • Rules that enforce security and compliance across all accounts.
    • Two types:
      • Mandatory Guardrails: Always enforced (e.g., prevent deletion of logs).
      • Optional Guardrails: Can be applied as needed (e.g., restrict certain regions).
  4. Dashboard & Monitoring:
    • Shows the compliance status of all accounts.
    • Makes it easier to see if accounts follow the security rules.

How it helps in a multi-account strategy

  • Standardizes security policies across accounts.
  • Simplifies account creation and setup.
  • Reduces human errors and misconfigurations.
  • Provides centralized monitoring.

2. Service Control Policies (SCPs)

Service Control Policies (SCPs) are part of AWS Organizations. They define permissions across multiple AWS accounts.

SCPs are like “rules that say what accounts can or cannot do” at an organizational level.

Key Points about SCPs

  1. Apply to AWS Organizations
    • AWS Organizations is a tool to manage multiple accounts centrally.
    • SCPs are attached to Organizational Units (OUs) or individual accounts.
  2. SCP Types
    • Allow List (Whitelist): Only allows the services and actions listed.
    • Deny List (Blacklist): Denies specific services or actions; everything else remains allowed, subject to the IAM permissions in each account.
  3. Effect of SCPs
    • SCPs don’t grant permissions by themselves; they only restrict what IAM users and roles can do.
    • Users and roles still need IAM permissions to act: the effective permissions are the intersection of what the SCPs allow and what IAM grants, so SCPs cap over-permissive IAM policies across accounts.
  4. Examples of SCP Use
    • Deny creating EC2 instances in a specific region.
    • Prevent deletion of CloudTrail logs to ensure auditing is always enabled.
    • Block access to services not used in certain accounts (like denying S3 in a testing account).

3. Designing a Secure Multi-Account Strategy

To design a security strategy for multiple AWS accounts, follow these steps:

Step 1: Organize Accounts

  • Create Organizational Units (OUs) based on environment or team:
    • Example OUs: Production, Development, Security, Shared Services
  • Place AWS accounts under the right OU.

Step 2: Use AWS Control Tower

  • Set up a Landing Zone to standardize accounts.
  • Use the Account Factory to create new accounts with security rules already applied.
  • Apply mandatory guardrails to enforce baseline security.

Step 3: Apply SCPs

  • Attach SCPs to OUs to enforce security policies at the account level.
  • Combine allow and deny rules to protect sensitive resources.

Step 4: Monitor and Audit

  • Use Control Tower dashboards to check compliance status.
  • Regularly review SCPs and IAM permissions to prevent drift.
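The points above (SCPs restrict but never grant, SCPs apply at every level from the account up to the root, and a periodic review for drift) can be seen concretely in the following Python model. It is an added example, not code from the original notes and not AWS's policy engine: it supports only Allow/Deny effects, "*" wildcards in Action, and StringEquals/StringNotEquals on the real aws:RequestedRegion condition key, and it ignores resource ARNs, permission boundaries, session policies and resource-based policies. The organization tree, the twelve-digit account IDs and all policy documents are constructed placeholders; FullAWSAccess is the name of the AWS-managed SCP the deny-list style builds on.

```python
"""Teaching model of how SCPs and IAM combine across an AWS Organizations tree.

Added example, not AWS's evaluation engine. Only Allow/Deny effects, '*'
wildcards in Action, and StringEquals/StringNotEquals on aws:RequestedRegion
are modelled; resources, permission boundaries and session policies are not.
"""
from fnmatch import fnmatchcase

# Constructed SCPs in deny-list style: the AWS-managed FullAWSAccess policy stays
# attached at every level and targeted Deny statements carve out exceptions.
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

PROTECT_CLOUDTRAIL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Resource": "*",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]}]}

DENY_EC2_OUTSIDE_EU = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "ec2:*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1"]}}}]}

DENY_S3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*"}]}

# Constructed organization: root -> OUs -> member accounts (IDs are placeholders).
# Each node records only the SCPs attached directly to it.
ORG = {
    "root":         {"parent": None,          "scps": [FULL_AWS_ACCESS, PROTECT_CLOUDTRAIL]},
    "Production":   {"parent": "root",        "scps": [FULL_AWS_ACCESS, DENY_EC2_OUTSIDE_EU]},
    "Development":  {"parent": "root",        "scps": [FULL_AWS_ACCESS]},
    "111111111111": {"parent": "Production",  "scps": [FULL_AWS_ACCESS]},
    "222222222222": {"parent": "Development", "scps": [FULL_AWS_ACCESS, DENY_S3]},
}

# Constructed IAM identity policy attached to a principal inside a member account.
IAM_ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, ctx):
    """Evaluate the small subset of condition operators this model supports."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = ctx.get(key) in _as_list(expected)
            if operator == "StringEquals" and not present:
                return False
            if operator == "StringNotEquals" and present:
                return False
    return True


def evaluate_policy(policy, action, ctx):
    """Return 'Deny', 'Allow' or None (nothing matched). An explicit Deny wins."""
    decision = None
    for statement in policy["Statement"]:
        if not any(fnmatchcase(action, pat) for pat in _as_list(statement["Action"])):
            continue
        if not _condition_matches(statement.get("Condition", {}), ctx):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def scp_chain(org, account):
    """SCPs attached at the account, its OU, every parent OU, and the root."""
    chain, node = [], account
    while node is not None:
        chain.append(org[node]["scps"])
        node = org[node]["parent"]
    return chain


def scps_allow(org, account, action, ctx):
    """Every level of the chain must allow the action; a Deny at any level wins."""
    for policies in scp_chain(org, account):
        verdicts = [evaluate_policy(p, action, ctx) for p in policies]
        if "Deny" in verdicts or "Allow" not in verdicts:
            return False
    return True


def is_allowed(org, account, iam_policy, action, ctx):
    """Effective permission is the intersection: SCPs permit AND IAM grants."""
    return (scps_allow(org, account, action, ctx)
            and evaluate_policy(iam_policy, action, ctx) == "Allow")


def accounts_missing_scp(org, required):
    """Drift check for Step 4: member accounts whose chain lacks a required SCP."""
    parents = {node["parent"] for node in org.values()}
    accounts = [name for name in org if name not in parents]
    return sorted(acct for acct in accounts
                  if not any(required in level for level in scp_chain(org, acct)))


if __name__ == "__main__":
    eu, us = {"aws:RequestedRegion": "eu-west-1"}, {"aws:RequestedRegion": "us-east-1"}
    print(is_allowed(ORG, "111111111111", IAM_ADMIN, "ec2:RunInstances", eu))
    print(is_allowed(ORG, "111111111111", IAM_ADMIN, "ec2:RunInstances", us))
    print(is_allowed(ORG, "111111111111", IAM_ADMIN, "cloudtrail:DeleteTrail", eu))
    print(accounts_missing_scp(ORG, DENY_S3))
```

Running the script shows the three behaviours the notes describe: the region deny attached to the Production OU blocks EC2 outside eu-west-1 even for an IAM administrator, the CloudTrail deny attached at the root reaches every member account, and an IAM policy that grants nothing for an action is not rescued by a permissive SCP. The drift check at the end is the kind of periodic review Step 4 calls for; in a real organization the same walk would be driven by the AWS Organizations API rather than a hard-coded tree.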

4. Key Exam Points

For the SAA-C03 exam, remember:

  1. Control Tower = multi-account setup + governance
  2. SCPs = central permissions restrictions, not permissions granting
  3. Use Organizational Units (OUs) to organize accounts
  4. Guardrails = mandatory vs. optional, applied via Control Tower
  5. Always combine IAM permissions with SCPs for security
  6. Control Tower dashboards help monitor compliance across accounts

Summary in Simple Terms

  • AWS Control Tower → Automates multi-account setup and enforces security baseline.
  • SCPs → Control what accounts and users can or cannot do.
  • Strategy → Organize accounts, apply guardrails, enforce SCPs, monitor compliance.

This ensures your multi-account AWS environment is secure, standardized, and easy to manage.
