I have some engineers that have built some things using EC2 instances. I built these instances logged in with my AWS administrator account (Root user?). Now, I want to create a PROD "container" that only certain users can see. Secondly, I’d like billing for this to be completely separate, if possible, so we can bill the customer directly. I’m looking for a structure like this:
- Customer 1
  - PROD
    - EC2 Instance 1
    - EC2 Instance 2
  - PROD
  - DEV
- Customer 2
  - PROD
  - DEV
- Customer 2
And then separately, I’d like to be able to say "Engineer 1 can access Customer 1 – DEV" or "Engineer 2 can access Customer 2 – PROD".
I know how to do this in Azure, but AWS is confounding me. What would the containers/folders above be called? Organizations?
2 Answers
Use AWS Organizations and IAM Identity Center. Create different accounts (and organizational units) for dev, prod, staging, etc. workloads and grant access rights to certain accounts only for certain individuals. Even if all the accounts belong to the same organization, you will be able to get cost reports for each account.
Rather easy to implement after reading the documentation for those services.
Check also AWS Control Tower, which can be used to create a secure landing zone for the use case you described.
You should set up different AWS Accounts for each application environment, e.g. "Customer 1 – DEV", "Customer 1 – PROD", "Customer 2 – DEV" and so on. This way you can leverage AWS IAM on the account level to grant individual developers access and have a clean boundary for billing as well. I’d stay away from using tags for cost allocation, as that’s usually very hard to maintain clean.
To set up multiple AWS accounts, you need AWS Organizations. Organizations allows you to build a hierarchy of multiple AWS Accounts, just like an Azure Tenant with multiple Azure Management Groups and Subscriptions. In an AWS Organization you can designate one account as the "payer account" and that’s the one that receives all the consumption charges for all managed accounts in your org. These charges are broken down per account, so you can easily chargeback that cost to your customers.
If you have more than a handful of accounts, I’d recommend building a landing zone. AWS Control Tower is a good point to get started though there are other options.
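Both answers describe the same structure (one OU per customer, one member account per environment, IAM Identity Center assignments deciding who can enter which account). The Terraform below is an added worked example of that structure, not code from either answerer or from AWS. It assumes it runs from the management (payer) account, that IAM Identity Center has already been enabled there, that the `example.com` mailboxes exist, and that users named `engineer1` and `engineer2` already exist in the Identity Center identity store; all of those names are placeholders.

```hcl
terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = ">= 5.0" }
  }
}

# Apply from the management account with administrator credentials.
provider "aws" {
  region = "us-east-1" # assumption: the region where IAM Identity Center was enabled
}

# "ALL" features are needed for service control policies and for the
# per-member-account cost breakdown under consolidated billing.
resource "aws_organizations_organization" "org" {
  feature_set                   = "ALL"
  aws_service_access_principals = ["sso.amazonaws.com"]
  enabled_policy_types          = ["SERVICE_CONTROL_POLICY"]
}

# Hypothetical layout: one OU per customer, one account per environment,
# and an explicit list of which user may enter which account.
locals {
  customers    = ["customer1", "customer2"]
  environments = ["dev", "prod"]
  accounts = {
    for pair in setproduct(local.customers, local.environments) :
    "${pair[0]}-${pair[1]}" => { customer = pair[0], env = pair[1] }
  }
  assignments = {
    "engineer1" = ["customer1-dev"]   # "Engineer 1 can access Customer 1 - DEV"
    "engineer2" = ["customer2-prod"]  # "Engineer 2 can access Customer 2 - PROD"
  }
  assignment_pairs = flatten([
    for user, accts in local.assignments : [
      for a in accts : { user = user, account = a }
    ]
  ])
}

resource "aws_organizations_organizational_unit" "customer" {
  for_each  = toset(local.customers)
  name      = each.key
  parent_id = aws_organizations_organization.org.roots[0].id
}

# Each environment is its own AWS account; the root email must be unique per account.
resource "aws_organizations_account" "env" {
  for_each          = local.accounts
  name              = each.key
  email             = "aws-${each.key}@example.com" # assumption: mailbox you control
  parent_id         = aws_organizations_organizational_unit.customer[each.value.customer].id
  role_name         = "OrganizationAccountAccessRole"
  close_on_deletion = false
  tags              = { Customer = each.value.customer, Environment = each.value.env }
}

data "aws_ssoadmin_instances" "main" {}

locals {
  sso_instance_arn  = tolist(data.aws_ssoadmin_instances.main.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0]
}

# The permission set says what an engineer may do inside an account;
# the account assignment below says which accounts they may enter at all.
resource "aws_ssoadmin_permission_set" "engineer" {
  name             = "Engineer"
  instance_arn     = local.sso_instance_arn
  session_duration = "PT8H"
}

resource "aws_ssoadmin_managed_policy_attachment" "engineer" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.engineer.arn
  managed_policy_arn = "arn:aws:iam::aws:policy/PowerUserAccess"
}

# Users are assumed to exist already in the Identity Center identity store.
data "aws_identitystore_user" "engineer" {
  for_each          = local.assignments
  identity_store_id = local.identity_store_id
  alternate_identifier {
    unique_attribute {
      attribute_path  = "UserName"
      attribute_value = each.key
    }
  }
}

# One assignment per (user, account) pair; nothing else grants entry to an account.
resource "aws_ssoadmin_account_assignment" "engineer" {
  for_each = { for p in local.assignment_pairs : "${p.user}:${p.account}" => p }

  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.engineer.arn
  principal_type     = "USER"
  principal_id       = data.aws_identitystore_user.engineer[each.value.user].user_id
  target_type        = "AWS_ACCOUNT"
  target_id          = aws_organizations_account.env[each.value.account].id
}
```

Adding a row to `local.assignments` is the only way an engineer gains access to another environment, which keeps the PROD boundary reviewable in version control. Because every environment is a separate member account, the management account's billing console and Cost Explorer already group charges by linked account, so the per-customer chargeback both answers mention needs no tag hygiene.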