Infrastructure security (whether in the cloud or not) is tightly bound to accounts, roles and identities.
There are multiple questions to consider when deciding on a cloud account strategy. Some examples include:
Billing - How will resource utilization and consumption be measured and reported? Will there need to be internal chargebacks?
Business models - Will central IT act as an institutional service provider for cloud infrastructure, or will there be multiple accounts across distributed IT and research groups? How will financial responsibility be distributed across different uses of cloud infrastructure?
Governance - How will resources be allocated, secured, controlled and audited?
Operational - How will operational management, enterprise integration, network integration and AWS service limits be architected and managed?
Recommendations
The following should be considered best practices for account strategy and adapted to meet the organization's needs:
This information has moved here.
We are just getting started but we are looking at Landing Zone and Control Tower (https://aws.amazon.com/controltower/) as one way to implement auditing and compliance for workloads in AWS for our institution. Specifically, we are looking for a way to manage accounts, monitor the accounts, and set baseline policies for the accounts that are created for researchers or departments. We are also looking into Transit Gateway (https://aws.amazon.com/transit-gateway/) to manage network connections within AWS and back to campus. I expect many of you are already using Organizations (https://docs.aws.amazon.com/organizations/index.html) along with service control and/or AWS Config.
Just as sending syslog events to a separate host is standard practice in on-premises environments, centralized logging is equally good practice in the cloud. In AWS, CloudTrail records the API calls made against an account, so any change to the infrastructure leaves an entry. Coupled with IAM policies that protect the trail itself, this ensures that a compromise of the environment cannot be hidden by tampering with the logs.
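The two pieces just described, a policy that stops anyone but the security team from silencing CloudTrail and a check that reads the trail for attempts to do so, are shown together below. This is an added example, not code from the page or from AWS; the account IDs, ARNs, role name and log records are constructed placeholders. The deny statement is written in the form an Organizations service control policy (mentioned in the contribution above) or an IAM policy would carry, and the detector runs over records in CloudTrail's JSON layout.

```python
"""Added example (not from the page): a deny policy that keeps member
accounts from disabling CloudTrail, plus a detector that scans CloudTrail
records for tampering attempts. All identifiers below are placeholders."""
import json

# CloudTrail API calls that would silence or blind the trail. Any of these
# issued by a principal outside the security team deserves an alert.
TRAIL_TAMPER_ACTIONS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Assumed central security role (placeholder account id and role name).
SECURITY_ROLE_ARN = "arn:aws:iam::999999999999:role/SecurityAudit"


def deny_trail_tampering_policy(security_role_arn: str) -> dict:
    """Build an SCP/IAM policy document that denies the tampering actions to
    every principal except the given security role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ProtectCloudTrail",
            "Effect": "Deny",
            "Action": [f"cloudtrail:{a}" for a in sorted(TRAIL_TAMPER_ACTIONS)],
            "Resource": "*",
            # aws:PrincipalArn matches the calling user/role; ArnNotLike
            # exempts only the security role from the Deny.
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": security_role_arn}},
        }],
    }


def load_records(raw_json: str) -> list:
    """CloudTrail delivers files shaped like {"Records": [...]}; return the list."""
    return json.loads(raw_json)["Records"]


def find_trail_tampering(records: list, allowed_principal_arns: set) -> list:
    """Return (eventName, principal ARN, outcome) for each CloudTrail record that
    is a tampering action by a principal not on the allow-list. outcome is
    'denied' when AWS rejected the call (errorCode present), else 'succeeded'."""
    hits = []
    for rec in records:
        if rec.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        if rec.get("eventName") not in TRAIL_TAMPER_ACTIONS:
            continue
        principal = rec.get("userIdentity", {}).get("arn", "<unknown>")
        if principal in allowed_principal_arns:
            continue
        outcome = "denied" if rec.get("errorCode") else "succeeded"
        hits.append((rec["eventName"], principal, outcome))
    return hits


# Constructed sample log in CloudTrail's shape (fields trimmed to what matters).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev-alice"},
     "errorCode": "AccessDenied"},                      # blocked by the SCP
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/app-deploy"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail",
     "userIdentity": {"arn": SECURITY_ROLE_ARN}},       # legitimate change
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev-alice"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev-alice"}},
]})


if __name__ == "__main__":
    print(json.dumps(deny_trail_tampering_policy(SECURITY_ROLE_ARN), indent=2))
    for name, who, outcome in find_trail_tampering(load_records(SAMPLE_LOG), {SECURITY_ROLE_ARN}):
        print(f"ALERT {name} by {who}: {outcome}")
```

The denied `StopLogging` still shows up as a hit: a blocked attempt is itself the signal that a credential in the account is being misused, so the detector reports both outcomes and lets the alert text distinguish them. A successful `DeleteTrail` from a non-security principal means the policy is missing or the caller sits outside the organization's enforcement, and should be treated as an incident.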