Secure your AWS Infrastructure: Part 1 - Isolate accounts and environments
Dec 11, 2024
We have begun a series of articles on tactics and methods for protecting your AWS infrastructure. These are techniques we learnt from several sources on the web, including AWS documentation, cloud security white papers, StackExchange, Reddit and so on. We have put a large majority of them to use in our own AWS accounts, now and in the past.
This is Part 1, dealing with how to safeguard accounts by isolating workloads and access.
If you are hosting on AWS today, chances are that you have several environments: internal ones such as dev, testing, pre-prod and benchmark, and external ones such as production-eu, production-us, customer1 and customer2.
It may be convenient to host all of them under a single AWS account, whether in one region or spread across several. But this approach has severe disadvantages:
Single point of failure: Say one of your IAM access key pairs is compromised. Having all resources in one account puts every resource in that account, including the production environment, at risk.
Accidental access: If developers use cloud resources in their day-to-day development cycle, they may accidentally use the wrong resource IDs in their scripts or actions and end up modifying production resources, which can cause downtime or data loss.
Unintentional permissions overload: When inviting users in IAM, it is very difficult to draft IAM policies that isolate resources and grant access to just the right ones. So admins tend to give users administrator access "temporarily" to get the task done. Combined with human error, that temporary access can stay in place for a long time and become a standing risk for the account.
Difficult to isolate costs: This is an operational concern rather than a security one. If the servers of every environment run in the same AWS account, it is harder to analyse costs per environment (staging, test, prod) unless a good tagging system is in place to separate and analyse resources. It is also harder to set budget alerts per environment.
It is a good step forward if you isolate the servers of internal and external environments into different AWS accounts. For example, you can have one AWS account to host the production environment and another one for all your internal environments.
All the above concerns are solved to a great extent or easily handled if resources run in their own environment specific AWS account. No single point of failure, no accidental access, easy way to isolate costs (this time per account) and no permissions overload.
AWS has made it super easy to create and manage multiple accounts. Here is the overview of the process:
Create an AWS organisation: From your current single account, create a new AWS organisation and set the current account as the root account. Bills and credits are then automatically consolidated, presented and settled in the root account by AWS.
If you already have multiple distinct accounts, pick the one that has credits attached to it as the root account and create the organisation under that account. This saves the trouble of transferring credits later.
In the Organisations console inside the root AWS account, create new AWS sub-accounts, say one for each environment: dev, testing, staging, prod and so on. Each of these sub-accounts is a regular AWS account, and AWS assigns each of them a unique account ID as usual.
Under each AWS sub-account, invite the appropriate engineers as you would in any IAM invitation workflow. The bulk of your org can use the dev, testing and staging accounts, for example, while the production sub-account is accessed only by certain individuals.
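The account-creation step above, automated with boto3 as an added example (not LocalOps code or the AWS documentation's own sample). It assumes credentials for the organisation's root account (AWS calls it the management account), that boto3 is installed, and that `ops@example.com` is a placeholder mailbox that accepts `+` sub-addresses; one email per account is an AWS requirement, and re-runs skip accounts that already exist.

```python
"""Create one AWS account per environment inside an existing AWS Organisation."""
import time

ENVIRONMENTS = ["dev", "testing", "staging", "prod"]  # constructed sample list


def plan_accounts(environments, base_email):
    """Return one {name, email} spec per environment.

    Every AWS account needs a unique e-mail address, so the base mailbox is
    sub-addressed (ops+dev@example.com) to keep addresses distinct while
    routing them all to one inbox.
    """
    local, _, domain = base_email.partition("@")
    return [{"name": f"{env}-account", "email": f"{local}+{env}@{domain}"}
            for env in environments]


def missing_accounts(planned, existing_names):
    """Drop specs whose account name already exists, so re-runs are idempotent."""
    existing = set(existing_names)
    return [spec for spec in planned if spec["name"] not in existing]


def create_missing_accounts(planned):
    """Create each missing account via Organizations and wait for completion."""
    import boto3  # imported here so the pure helpers above work without boto3
    org = boto3.client("organizations")
    existing = [a["Name"] for page in org.get_paginator("list_accounts").paginate()
                for a in page["Accounts"]]
    created = {}
    for spec in missing_accounts(planned, existing):
        # create_account is asynchronous: poll the request until it settles
        req = org.create_account(Email=spec["email"], AccountName=spec["name"])
        req_id = req["CreateAccountStatus"]["Id"]
        while True:
            status = org.describe_create_account_status(
                CreateAccountRequestId=req_id)["CreateAccountStatus"]
            if status["State"] == "SUCCEEDED":
                created[spec["name"]] = status["AccountId"]
                break
            if status["State"] == "FAILED":
                raise RuntimeError(f"{spec['name']}: {status.get('FailureReason')}")
            time.sleep(5)
    return created


if __name__ == "__main__":
    accounts = create_missing_accounts(plan_accounts(ENVIRONMENTS, "ops@example.com"))
    for name, account_id in accounts.items():
        print(f"{name}: {account_id}")
```

Inviting engineers into each new account is still a per-account IAM step; this script only creates the accounts and reports their IDs.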
🎉 This will instantly elevate your security posture with regard to AWS access. An AWS organisation is free to set up. Check out the AWS documentation on how to create an organisation and sub-accounts: https://aws.amazon.com/organizations/getting-started/
In LocalOps, we have made it very easy to connect more than one AWS account as "Connections" and deploy test, staging, production, customer-1-us and customer-2-eu environments across your separate AWS accounts. Check out https://localops.co if you haven't done so, and sign up for free if you want to manage environments and accounts seamlessly.
We plan to publish the next set of techniques every other day. Follow us on X or LinkedIn if you want to be alerted when we publish.
Cheers.