Lab: Architecting a Secure Multi-Account Environment with AWS Organizations
Design a multi-account AWS environment
Lab: Architecting a Secure Multi-Account Environment with AWS Organizations
This lab guides you through the process of designing and implementing a multi-account strategy. You will move from a single-account setup to a structured organization using AWS Organizations, Organizational Units (OUs), and Service Control Policies (SCPs) to enforce governance.
[!WARNING] Remember to run the teardown commands at the end of this lab to avoid ongoing charges or leaving experimental configurations in your root account.
Prerequisites
- AWS Account Access: You must have access to an AWS account with
AdministratorAccesspermissions. - AWS CLI: Installed and configured on your local machine with credentials for the management (root) account.
- IAM Permissions: Permission to manage AWS Organizations (
organizations:*). - Active Email Addresses: To create a new child account, you will need a unique email address not already associated with an AWS account (Tip: use
yourname+lab@gmail.com).
Learning Objectives
- Initialize an AWS Organization and understand the Management Account role.
- Design a hierarchical structure using Organizational Units (OUs).
- Create a child account programmatically or via console.
- Implement and test Service Control Policies (SCPs) to prevent resource deletion.
Architecture Overview
We will build a simple but robust structure consisting of a Security OU (for logs/auditing) and a Workload OU (for applications).
Step-by-Step Instructions
Step 1: Create the Organization
First, we must enable the AWS Organizations service. This establishes your current account as the Management Account.
aws organizations create-organization --feature-set ALL▶Console alternative
- Sign in to the AWS Management Console.
- Search for and open AWS Organizations.
- Click Create an organization.
- Confirm the feature set is set to All features (required for SCPs).
Step 2: Create Organizational Units (OUs)
We will create a "Security" OU to house our shared security services.
# Replace <ROOT_ID> with your Organization's Root ID (e.g., r-a1b2)
aws organizations create-organizational-unit --parent-id <ROOT_ID> --name "Security"[!TIP] You can find your Root ID by running:
aws organizations list-roots.
Step 3: Enable Service Control Policies (SCPs)
SCPs are disabled by default. You must enable the policy type for the Root.
aws organizations enable-policy-type --root-id <ROOT_ID> --policy-type SERVICE_CONTROL_POLICYStep 4: Create and Attach a "Deny CloudTrail Stop" SCP
This policy ensures that even an administrator in a child account cannot stop logging.
- Save the following JSON as
policy.json:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"cloudtrail:StopLogging",
"cloudtrail:DeleteTrail"
],
"Resource": "*"
}
]
}- Create the policy in AWS:
aws organizations create-policy --content file://policy.json --description "Prevent stopping CloudTrail" --name "EnforceLogging" --type SERVICE_CONTROL_POLICY- Attach the policy to the Security OU (not the root, to avoid locking yourself out):
aws organizations attach-policy --policy-id <POLICY_ID> --target-id <SECURITY_OU_ID>Checkpoints
| Verification Step | Command / Action | Expected Result |
|---|---|---|
| Verify Org Status | aws organizations describe-organization | FeatureSet should be ALL |
| Verify OU List | aws organizations list-organizational-units-for-parent --parent-id <ROOT_ID> | Should see "Security" in the list |
| Verify SCP Attachment | Navigate to AWS Organizations > Policies > Service control policies | "EnforceLogging" should show attached targets |
Clean-Up / Teardown
[!IMPORTANT] Accounts created via Organizations cannot be easily deleted via CLI; they must be closed via the billing console individually.
- Detach Policies:
bash
aws organizations detach-policy --policy-id <POLICY_ID> --target-id <SECURITY_OU_ID> - Delete Policies:
bash
aws organizations delete-policy --policy-id <POLICY_ID> - Delete OUs:
bash
aws organizations delete-organizational-unit --organizational-unit-id <SECURITY_OU_ID> - Remove Accounts: Move accounts out of OUs to the Root, then close them in the Console under Billing > Close Account.
Troubleshooting
| Error | Likely Cause | Solution |
|---|---|---|
ConstraintViolationException | Trying to delete an OU that still has accounts/OUs inside. | Move all child accounts to the Root first. |
AccessDeniedException | User lacks organizations:* permissions. | Ensure you are logged in as the Root user or have the AdministratorAccess policy. |
PolicyTypeNotEnabledException | SCPs aren't turned on for the root. | Re-run the enable-policy-type command from Step 3. |
Stretch Challenge
The "Full Lockdown": Create an SCP that restricts resource deployment to only one specific AWS region (e.g., us-east-1). Apply it to a new OU named "Development" and attempt to launch an EC2 instance in us-west-2 from a child account in that OU.
Cost Estimate
- AWS Organizations: Free of charge.
- SCPs: Free of charge.
- Child Accounts: No base cost, but resources launched inside them (EC2, RDS) will incur standard usage fees.
- Total: $0.00 for the management layer.
Concept Review
The following diagram illustrates how SCPs act as a filter for IAM permissions. Even if an IAM user has AdministratorAccess (Full access), the SCP defines the maximum allowable perimeter.
\begin{tikzpicture}[node distance=1.5cm, every node/.style={fill=white, font=\small}] % Layers \draw[fill=blue!10, dashed] (-3,0) rectangle (3,5); \node at (0, 4.5) {\textbf{AWS Account Boundary}};
% Policy circles
\draw[thick, fill=red!20] (0,3) circle (1.5cm);
\node at (0,3.5) {SCP (Guardrails)};
\draw[thick, fill=green!20] (0,2.2) circle (0.8cm);
\node at (0,2.2) {IAM Policy};
% Result
\node[draw, fill=yellow!30] at (0,0.5) {Effective Permissions = Intersection};
% Arrows
\draw[->] (1.5,3) -- (3.5,3) node[right, text width=3cm] {Max permissions allowed};
\draw[->] (0.8,2.2) -- (3.5,2.2) node[right, text width=3cm] {User-granted actions};\end{tikzpicture}
Comparison Table: Account Strategies
| Strategy | Pros | Cons |
|---|---|---|
| Environment Style | Simplifies CI/CD pipelines; isolation by SDLC phase. | Difficult to track costs by specific business unit. |
| Business Unit (BU) Style | Clear financial accountability; mirrors org chart. | Environments (Prod/Dev) might be mixed within one account. |
| Project Style | High granular control; easy to delete project assets. | Significant management overhead (many accounts). |