Infrastructure security (whether in the cloud or not) is tightly bound to accounts, roles and identities.
There are multiple questions to consider when deciding on a cloud account strategy. Some examples include:
- Billing - How will resource utilization and consumption be measured and reported? Will there need to be internal chargebacks?
- Business models - Will central IT act as an institutional service provider for cloud infrastructure, or will there be multiple accounts across distributed IT and research groups? How will financial responsibility be distributed across different uses of cloud infrastructure?
- Governance - How will resources be allocated, secured, controlled and audited?
- Operational - How will operational management, enterprise integration, network integration and AWS service limits be architected and managed?
Recommendations
The following are recommended best practices for account strategy; adapt them to the organization's needs:
- Develop and enforce common tagging practices which meet minimum requirements for billing and chargeback
- Implement a consolidated single master account which provides billing consolidation and reporting across all institutional units (sub-accounts)
- Define a sub-account creation policy based on specific requirements for isolation or delegation as per governance and security requirements; initially it is recommended to segregate based on operating environment (i.e., production vs. non-production)
- Consider additional VPCs as boundaries for workloads that require specialized controls
- Leverage a common services model using VPC peering to minimize duplication of resources across accounts
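The first two recommendations (common tagging and consolidated billing across sub-accounts) only pay off if tag compliance is actually checked, because an untagged resource cannot be charged back to anyone. The following script is an added example, not code from this page or from any of the institutions it mentions: it validates a resource inventory against a required-tag standard and rolls cost up by cost center and by account, parking non-compliant spend in an UNALLOCATED bucket so it is visible rather than silently absorbed. The tag names, allowed Environment values, account ids, resource ids and costs are all constructed assumptions for the example; in practice the inventory would come from the Cost and Usage Report or the Resource Groups Tagging API of the master account.

```python
"""Tag-compliance check and chargeback rollup over a constructed multi-account inventory."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed tagging standard for this example; an institution defines its own minimum set.
REQUIRED_TAGS = {"CostCenter", "Owner", "Environment"}
# Mirrors the prod vs. non-prod segregation recommended above (assumed allowed values).
ALLOWED_ENVIRONMENTS = {"prod", "nonprod"}


@dataclass(frozen=True)
class Resource:
    account_id: str      # sub-account under the consolidated master account
    resource_id: str
    tags: dict
    monthly_cost: float  # cost attributed to this resource for the period


# Constructed sample inventory: account ids, resource ids and costs are made up.
SAMPLE_INVENTORY = [
    Resource("111111111111", "i-0a1", {"CostCenter": "CC-100", "Owner": "alice", "Environment": "prod"}, 120.0),
    Resource("111111111111", "i-0b2", {"CostCenter": "CC-100", "Owner": "bob", "Environment": "nonprod"}, 40.0),
    Resource("222222222222", "vol-0c3", {"Owner": "carol", "Environment": "prod"}, 15.0),       # no CostCenter
    Resource("222222222222", "i-0d4", {"CostCenter": "CC-200", "Owner": "dave", "Environment": "staging"}, 60.0),  # bad value
    Resource("222222222222", "i-0e5", {}, 25.0),                                                # untagged
]


def tag_violations(resource):
    """Return a list of human-readable violations; an empty list means the resource is compliant."""
    problems = []
    for key in sorted(REQUIRED_TAGS - resource.tags.keys()):
        problems.append(f"missing tag {key}")
    env = resource.tags.get("Environment")
    if env is not None and env not in ALLOWED_ENVIRONMENTS:
        problems.append(f"Environment={env!r} not in {sorted(ALLOWED_ENVIRONMENTS)}")
    return problems


def chargeback_report(inventory):
    """Roll cost up by CostCenter and by account.

    Non-compliant resources are charged to the UNALLOCATED bucket so the gap is
    visible to whoever owns the sub-account, instead of being quietly dropped.
    Returns (by_cost_center, by_account, violations).
    """
    by_cost_center = defaultdict(float)
    by_account = defaultdict(lambda: {"allocated": 0.0, "unallocated": 0.0})
    violations = {}
    for r in inventory:
        probs = tag_violations(r)
        if probs:
            violations[r.resource_id] = probs
            by_cost_center["UNALLOCATED"] += r.monthly_cost
            by_account[r.account_id]["unallocated"] += r.monthly_cost
        else:
            by_cost_center[r.tags["CostCenter"]] += r.monthly_cost
            by_account[r.account_id]["allocated"] += r.monthly_cost
    return dict(by_cost_center), dict(by_account), violations


if __name__ == "__main__":
    centers, accounts, bad = chargeback_report(SAMPLE_INVENTORY)
    for cc, cost in sorted(centers.items()):
        print(f"{cc:<12} {cost:>8.2f}")
    for acct, split in sorted(accounts.items()):
        print(f"account {acct}: allocated={split['allocated']:.2f} unallocated={split['unallocated']:.2f}")
    for rid, probs in sorted(bad.items()):
        print(f"{rid}: {'; '.join(probs)}")
```

The UNALLOCATED total per account is the number to put in front of each sub-account owner: it is money central IT is paying for which nobody has accepted responsibility, and it shrinks only when the tagging policy is enforced at creation time rather than audited after the fact.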
AWS Provisioning and IAM Roles at Penn State
This information has moved here.
Securing Workloads of Differing Sensitivities in AWS at UNC Chapel Hill
...