How to organize projects in AWS?How do I create a new user on AWS?Tracking costs within one AWS accountAmazon AWS: SSL in our testing environmentCloud formation - updating a stack behind an elb doesnt update the AMIIs it possible to restrict AWS users/accounts to a specific region?Switch between AWS Beanstalk accounts through the command lineSeparate resources and access per project on AWS?How can I create a team for a project in AWSAWS: How to create auto tags for resources created by a specific groupIAM policy: Allow user to List only some instances/projects/resources
Digital signature that is only verifiable by one specific person
At zero velocity, is this object neither speeding up nor slowing down?
What made the Ancient One do this in Endgame?
How many times to repeat an event with known probability before it has occurred a number of times
How could I create a situation in which a PC has to make a saving throw or be forced to pet a dog?
How can religions without a hell discourage evil-doing?
How can I detect if I'm in a subshell?
Why can't we feel the Earth's revolution?
IIS LAN and WAN separate SSL certificates for the same server
What is the difference between state-based effects and effects on the stack?
Nth term of Van Eck Sequence
Do items with curse of vanishing disappear from shulker boxes?
How to address players struggling with simple controls?
Fastest path on a snakes and ladders board
Must a CPU have a GPU if the motherboard provides a display port (when there isn't any separate video card)?
Was the Lonely Mountain, where Smaug lived, a volcano?
For Saintsbury, which English novelists constituted the "great quartet of the mid-eighteenth century"?
Does the use of English words weaken diceware passphrases
Interview was just a one hour panel. Got an offer the next day; do I accept or is this a red flag?
What is the context for Napoleon's quote "[the Austrians] did not know the value of five minutes"?
Will users know a CardView is clickable
Background for black and white chart
How do I become a better writer when I hate reading?
I sent an angry e-mail to my interviewers about a conflict at my home institution. Could this affect my application?
How to organize projects in AWS?
How do I create a new user on AWS?Tracking costs within one AWS accountAmazon AWS: SSL in our testing environmentCloud formation - updating a stack behind an elb doesnt update the AMIIs it possible to restrict AWS users/accounts to a specific region?Switch between AWS Beanstalk accounts through the command lineSeparate resources and access per project on AWS?How can I create a team for a project in AWSAWS: How to create auto tags for resources created by a specific groupIAM policy: Allow user to List only some instances/projects/resources
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
In our team, we are using AWS as our main cloud provider and currently, we have 3 projects hosted on their platform.
We are about to have 2 more projects in the next weeks, but first, we want to organize our projects, because our current organization is a little bit disordered.
We want our projects to be organized following these rules:
- Each project must have a staging and production environment.
- Each project is independent of each other so that it is not possible to see the resources of a project from within another project, i.e., VPC and S3 Buckets.
- The client is responsible for paying the bills of the project (staging and production environment).
- Even though the client is responsible for paying the bills, we must have access to the environments to deploy our code and to do other tasks related to development, testing, and operations.
- We can assign a team of developers to each project. It should be possible for a developer to be in one or more projects at the same time. Plus, it should be possible to move our developers between projects and to remove their access from a project.
So, is it possible to organize projects in AWS under the rules previously mentioned?
amazon-web-services cloud cloud-computing
edited May 31 at 8:39
Sven♦
88.6k10151202
asked May 30 at 19:36
GianMSGianMS
41
add a comment |
In our team, we are using AWS as our main cloud provider and currently, we have 3 projects hosted on their platform.
We are about to have 2 more projects in the next weeks, but first, we want to organize our projects, because our current organization is a little bit disordered.
We want our projects to be organized following these rules:
- Each project must have a staging and production environment.
- Each project is independent of each other so that it is not possible to see the resources of a project from within another project, i.e., VPC and S3 Buckets.
- The client is responsible for paying the bills of the project (staging and production environment).
- Even though the client is responsible for paying the bills, we must have access to the environments to deploy our code and to do other tasks related to development, testing, and operations.
- We can assign a team of developers to each project. It should be possible for a developer to be in one or more projects at the same time. Plus, it should be possible to move our developers between projects and to remove their access from a project.
So, is it possible to organize projects in AWS under the rules previously mentioned?
amazon-web-services cloud cloud-computing
edited May 31 at 8:39
Sven♦
88.6k10151202
asked May 30 at 19:36
GianMSGianMS
41
cross post: devops.stackexchange.com/q/8272/40
– Pierre.Vriens
May 31 at 5:20
1
Never crosspost. delete either this or the other question
– Sven♦
May 31 at 8:39
add a comment |
In our team, we are using AWS as our main cloud provider and currently, we have 3 projects hosted on their platform.
We are about to have 2 more projects in the next weeks, but first, we want to organize our projects, because our current organization is a little bit disordered.
We want our projects to be organized following these rules:
- Each project must have a staging and production environment.
- Each project is independent of each other so that it is not possible to see the resources of a project from within another project, i.e., VPC and S3 Buckets.
- The client is responsible for paying the bills of the project (staging and production environment).
- Even though the client is responsible for paying the bills, we must have access to the environments to deploy our code and to do other tasks related to development, testing, and operations.
- We can assign a team of developers to each project. It should be possible for a developer to be in one or more projects at the same time. Plus, it should be possible to move our developers between projects and to remove their access from a project.
So, is it possible to organize projects in AWS under the rules previously mentioned?
amazon-web-services cloud cloud-computing
edited May 31 at 8:39
Sven♦
88.6k10151202
asked May 30 at 19:36
GianMSGianMS
41
In our team, we are using AWS as our main cloud provider and currently, we have 3 projects hosted on their platform.
We are about to have 2 more projects in the next weeks, but first, we want to organize our projects, because our current organization is a little bit disordered.
We want our projects to be organized following these rules:
- Each project must have a staging and production environment.
- Each project is independent of each other so that it is not possible to see the resources of a project from within another project, i.e., VPC and S3 Buckets.
- The client is responsible for paying the bills of the project (staging and production environment).
- Even though the client is responsible for paying the bills, we must have access to the environments to deploy our code and to do other tasks related to development, testing, and operations.
- We can assign a team of developers to each project. It should be possible for a developer to be in one or more projects at the same time. Plus, it should be possible to move our developers between projects and to remove their access from a project.
So, is it possible to organize projects in AWS under the rules previously mentioned?
amazon-web-services cloud cloud-computing
amazon-web-services cloud cloud-computing
edited May 31 at 8:39
Sven♦
88.6k10151202
asked May 30 at 19:36
GianMSGianMS
41
edited May 31 at 8:39
Sven♦
88.6k10151202
asked May 30 at 19:36
GianMSGianMS
41
edited May 31 at 8:39
Sven♦
88.6k10151202
edited May 31 at 8:39
Sven♦
88.6k10151202
edited May 31 at 8:39
Sven♦
88.6k10151202
88.6k10151202
asked May 30 at 19:36
GianMSGianMS
41
asked May 30 at 19:36
GianMSGianMS
41
asked May 30 at 19:36
GianMSGianMS
41
41
cross post: devops.stackexchange.com/q/8272/40
– Pierre.Vriens
May 31 at 5:20
1
Never crosspost. delete either this or the other question
– Sven♦
May 31 at 8:39
add a comment |
cross post: devops.stackexchange.com/q/8272/40
– Pierre.Vriens
May 31 at 5:20
1
Never crosspost. delete either this or the other question
– Sven♦
May 31 at 8:39
cross post: devops.stackexchange.com/q/8272/40
– Pierre.Vriens
May 31 at 5:20
cross post: devops.stackexchange.com/q/8272/40
– Pierre.Vriens
May 31 at 5:20
1
1
Never crosspost. delete either this or the other question
– Sven♦
May 31 at 8:39
Never crosspost. delete either this or the other question
– Sven♦
May 31 at 8:39
add a comment |
1 Answer
1
active
oldest
votes
Your primary options for logical organisation are:
- Everything one one account / one VPC with separation by tagging or subnets (not ideal)
- One account / one VPC per application per environment (bettter)
- One account for each application per environment (IMHO best for larger organisations, but has some overhead for smaller organisations)
The primary considerations are:
- Ease of enabling or preventing access, particularly if your accounts are federated with AD. It's handy to just add someone to an AD group to give them access, and remove them to revoke it, they just assume a role with the policy you want them to have
- Isolation between workloads
- Reducing blast radius
- Avoiding AWS API limits, which are per-account
- Cost allocation, which is ok with tags but easier with accounts (other than bandwidth if you use a central communications account or backhaul to on-premise)
- Monitoring
- Complexity - more accounts can be more difficult to manage, but the application isolation also helps reduce complexity
- Compliance - PCI compliance may be easier with separate accounts as you can more easily demonstrate isolation
AWS Landing Zone is AWS best practice in this area, you should read up on it. It uses AWS Organizations, which are really useful to do consolidated billing and to use service control policies. Transit Gateway is useful if you need to set up communications between the accounts. You can't just run the landing zone scripts and call that good enough, you still need to work on your networking, security, and user management, but it's a good start.
I've spent a lot of time considering this, this is just a brief answer. If you need more information please comment and I'll do my best to expand my answer.
answered May 31 at 6:42
TimTim
18.8k41951
Please, I would like to know more.
– GianMS
May 31 at 13:33
I've spent a lot of time working on just account structures for enterprises, plus more on compliance, networking, security, etc. There is more to know than what I've written but this is a good start.. Firstly though you'll need to be more specific about what you want to know, and secondly you need to do some reading on multi account architectures yourself so you know what questions to ask. There are some useful articles you can find on Google.
– Tim
May 31 at 19:26
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f969555%2fhow-to-organize-projects-in-aws%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Your primary options for logical organisation are:
- Everything one one account / one VPC with separation by tagging or subnets (not ideal)
- One account / one VPC per application per environment (bettter)
- One account for each application per environment (IMHO best for larger organisations, but has some overhead for smaller organisations)
The primary considerations are:
- Ease of enabling or preventing access, particularly if your accounts are federated with AD. It's handy to just add someone to an AD group to give them access, and remove them to revoke it, they just assume a role with the policy you want them to have
- Isolation between workloads
- Reducing blast radius
- Avoiding AWS API limits, which are per-account
- Cost allocation, which is ok with tags but easier with accounts (other than bandwidth if you use a central communications account or backhaul to on-premise)
- Monitoring
- Complexity - more accounts can be more difficult to manage, but the application isolation also helps reduce complexity
- Compliance - PCI compliance may be easier with separate accounts as you can more easily demonstrate isolation
AWS Landing Zone is AWS best practice in this area, you should read up on it. It uses AWS Organizations, which are really useful to do consolidated billing and to use service control policies. Transit Gateway is useful if you need to set up communications between the accounts. You can't just run the landing zone scripts and call that good enough, you still need to work on your networking, security, and user management, but it's a good start.
I've spent a lot of time considering this, this is just a brief answer. If you need more information please comment and I'll do my best to expand my answer.
answered May 31 at 6:42
TimTim
18.8k41951
Please, I would like to know more.
– GianMS
May 31 at 13:33
I've spent a lot of time working on just account structures for enterprises, plus more on compliance, networking, security, etc. There is more to know than what I've written but this is a good start.. Firstly though you'll need to be more specific about what you want to know, and secondly you need to do some reading on multi account architectures yourself so you know what questions to ask. There are some useful articles you can find on Google.
– Tim
May 31 at 19:26
add a comment |
Your primary options for logical organisation are:
- Everything one one account / one VPC with separation by tagging or subnets (not ideal)
- One account / one VPC per application per environment (bettter)
- One account for each application per environment (IMHO best for larger organisations, but has some overhead for smaller organisations)
The primary considerations are:
- Ease of enabling or preventing access, particularly if your accounts are federated with AD. It's handy to just add someone to an AD group to give them access, and remove them to revoke it, they just assume a role with the policy you want them to have
- Isolation between workloads
- Reducing blast radius
- Avoiding AWS API limits, which are per-account
- Cost allocation, which is ok with tags but easier with accounts (other than bandwidth if you use a central communications account or backhaul to on-premise)
- Monitoring
- Complexity - more accounts can be more difficult to manage, but the application isolation also helps reduce complexity
- Compliance - PCI compliance may be easier with separate accounts as you can more easily demonstrate isolation
AWS Landing Zone is AWS best practice in this area, you should read up on it. It uses AWS Organizations, which are really useful to do consolidated billing and to use service control policies. Transit Gateway is useful if you need to set up communications between the accounts. You can't just run the landing zone scripts and call that good enough, you still need to work on your networking, security, and user management, but it's a good start.
I've spent a lot of time considering this, this is just a brief answer. If you need more information please comment and I'll do my best to expand my answer.
answered May 31 at 6:42
TimTim
18.8k41951
Please, I would like to know more.
– GianMS
May 31 at 13:33
I've spent a lot of time working on just account structures for enterprises, plus more on compliance, networking, security, etc. There is more to know than what I've written but this is a good start.. Firstly though you'll need to be more specific about what you want to know, and secondly you need to do some reading on multi account architectures yourself so you know what questions to ask. There are some useful articles you can find on Google.
– Tim
May 31 at 19:26
add a comment |
Your primary options for logical organisation are:
- Everything one one account / one VPC with separation by tagging or subnets (not ideal)
- One account / one VPC per application per environment (bettter)
- One account for each application per environment (IMHO best for larger organisations, but has some overhead for smaller organisations)
The primary considerations are:
- Ease of enabling or preventing access, particularly if your accounts are federated with AD. It's handy to just add someone to an AD group to give them access, and remove them to revoke it, they just assume a role with the policy you want them to have
- Isolation between workloads
- Reducing blast radius
- Avoiding AWS API limits, which are per-account
- Cost allocation, which is ok with tags but easier with accounts (other than bandwidth if you use a central communications account or backhaul to on-premise)
- Monitoring
- Complexity - more accounts can be more difficult to manage, but the application isolation also helps reduce complexity
- Compliance - PCI compliance may be easier with separate accounts as you can more easily demonstrate isolation
AWS Landing Zone is AWS best practice in this area, you should read up on it. It uses AWS Organizations, which are really useful to do consolidated billing and to use service control policies. Transit Gateway is useful if you need to set up communications between the accounts. You can't just run the landing zone scripts and call that good enough, you still need to work on your networking, security, and user management, but it's a good start.
I've spent a lot of time considering this, this is just a brief answer. If you need more information please comment and I'll do my best to expand my answer.
answered May 31 at 6:42
TimTim
18.8k41951
Your primary options for logical organisation are:
- Everything one one account / one VPC with separation by tagging or subnets (not ideal)
- One account / one VPC per application per environment (bettter)
- One account for each application per environment (IMHO best for larger organisations, but has some overhead for smaller organisations)
The primary considerations are:
- Ease of enabling or preventing access, particularly if your accounts are federated with AD. It's handy to just add someone to an AD group to give them access, and remove them to revoke it, they just assume a role with the policy you want them to have
- Isolation between workloads
- Reducing blast radius
- Avoiding AWS API limits, which are per-account
- Cost allocation, which is ok with tags but easier with accounts (other than bandwidth if you use a central communications account or backhaul to on-premise)
- Monitoring
- Complexity - more accounts can be more difficult to manage, but the application isolation also helps reduce complexity
- Compliance - PCI compliance may be easier with separate accounts as you can more easily demonstrate isolation
AWS Landing Zone is AWS best practice in this area, you should read up on it. It uses AWS Organizations, which are really useful to do consolidated billing and to use service control policies. Transit Gateway is useful if you need to set up communications between the accounts. You can't just run the landing zone scripts and call that good enough, you still need to work on your networking, security, and user management, but it's a good start.
I've spent a lot of time considering this, this is just a brief answer. If you need more information please comment and I'll do my best to expand my answer.
answered May 31 at 6:42
TimTim
18.8k41951
edited May 31 at 9:31
answered May 31 at 6:42
TimTim
18.8k41951
answered May 31 at 6:42
TimTim
18.8k41951
answered May 31 at 6:42
TimTim
18.8k41951
18.8k41951
Please, I would like to know more.
– GianMS
May 31 at 13:33
I've spent a lot of time working on just account structures for enterprises, plus more on compliance, networking, security, etc. There is more to know than what I've written but this is a good start.. Firstly though you'll need to be more specific about what you want to know, and secondly you need to do some reading on multi account architectures yourself so you know what questions to ask. There are some useful articles you can find on Google.
– Tim
May 31 at 19:26
add a comment |
Please, I would like to know more.
– GianMS
May 31 at 13:33
I've spent a lot of time working on just account structures for enterprises, plus more on compliance, networking, security, etc. There is more to know than what I've written but this is a good start.. Firstly though you'll need to be more specific about what you want to know, and secondly you need to do some reading on multi account architectures yourself so you know what questions to ask. There are some useful articles you can find on Google.
– Tim
May 31 at 19:26
Please, I would like to know more.
– GianMS
May 31 at 13:33
Please, I would like to know more.
– GianMS
May 31 at 13:33
I've spent a lot of time working on just account structures for enterprises, plus more on compliance, networking, security, etc. There is more to know than what I've written but this is a good start.. Firstly though you'll need to be more specific about what you want to know, and secondly you need to do some reading on multi account architectures yourself so you know what questions to ask. There are some useful articles you can find on Google.
– Tim
May 31 at 19:26
I've spent a lot of time working on just account structures for enterprises, plus more on compliance, networking, security, etc. There is more to know than what I've written but this is a good start.. Firstly though you'll need to be more specific about what you want to know, and secondly you need to do some reading on multi account architectures yourself so you know what questions to ask. There are some useful articles you can find on Google.
– Tim
May 31 at 19:26
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f969555%2fhow-to-organize-projects-in-aws%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
cross post: devops.stackexchange.com/q/8272/40
– Pierre.Vriens
May 31 at 5:20
1
Never crosspost. delete either this or the other question
– Sven♦
May 31 at 8:39