The team here at AWS Organizations has been busy developing new features to make it easier for you to manage multiple AWS accounts, whether you are automating new account creation, consolidating resources into a single bill, or maintaining access safeguards around your resources. There are many new announcements at AWS, so we’re starting this quarterly series to keep you up to date on the latest features from our team. Here’s the latest since re:Invent 2019:

Simplify deployment of resources across multiple accounts with AWS CloudFormation StackSets

As your business accelerates and your infrastructure grows with new accounts, a critical part of operating a multi-account environment is provisioning new AWS accounts with resources required to run your applications (such as IAM roles or EC2 instances). We’ve worked with AWS CloudFormation StackSets to make this process a whole lot easier. Historically you were required to build and provision the same set of resources and permissions in multiple new accounts across different organizations. With CloudFormation StackSets, you can now automatically deploy resources to new accounts in your organization without having to worry about setting up cross-account permissions.

To learn more about using CloudFormation StackSets in your organizations, click on the link to documentation.

Standardize tags across multiple accounts with tag policies

Tags help you centrally manage, search for, and filter AWS resources. You can use them in many ways, such as requiring tags to identify resources for cost allocation, or creating a “confidential” tag to control access to specific AWS resources for an unreleased product or application. To further increase your confidence in using tags, you can enable tag policies in your organization to ensure that developers apply consistent tags to resources. If tags are not compliant, you can generate a report to identify and correct them.

Refer to the documentation to learn more about enabling and using tag policies.

Easily audit access to your resources with Access Analyzer and actively monitor threats with Amazon GuardDuty

Developers commonly provide access to resources for business needs (such as read access Amazon Simple Cloud Storage Service (S3) to users who need to view data stored in S3). At times, those access policies remain active after they are no longer needed. To help in identifying these orphaned policies, or any others that permit outside access to your resources, we’ve integrated with Access Analyzer so you can review and mitigate external access to resources within your organization, or delegate this responsibility to a member account, such as one designated to your security team. For active monitoring, we’ve integrated with Guard Duty so you can identify and automatically mitigate threats to your resources at the organizational level.

Learn more about these features by visiting the announcement pages from Access Analyzer and Guard Duty.

In addition:
Don’t forget to check out AWS Health, which lets you view aggregated AWS Health events across your organizations, and also AWS Compute Optimizer, which helps you reduce unnecessary computing costs from EC2 instances utilized by accounts within your organizations.

Stay tuned for our next quarterly update coming this summer.


About the Author

headshotAndrew Blackham is a Product Manager for AWS Organizations. He has been working at Amazon for 5 years and is currently evangelizing the recommended method of building and scaling an AWS multi-account infrastructure. He knows there’s a lot of information and customization out there, which is why he works towards simplifying the process and instructions about how to build and maintain a cloud environment.