Loading

    AWS Organizations

    Adam ElmoreAdam Elmore

    Setting Up AWS Organizations

    To begin setting up our development environment, we need to start with AWS Organizations. AWS Organizations is a container that allows you to govern and manage multiple AWS accounts. You may be wondering why you would need multiple AWS accounts. It's generally a good idea to set up all of your production resources in an isolated AWS account. This way, you can limit access to production resources and prevent people from accidentally deploying to production when they meant to deploy to their development account.

    For this lesson, we'll have three AWS accounts inside an AWS Organization:

    1. Production Account: This account will be used to isolate production resources.
    2. Development Account: This will be a general-purpose development account. If you have multiple developers on your team, you can share this development account. If you're an individual, this will be your primary account for day-to-day development.
    3. Management Account: This is the account we set up earlier. The management account is only used for high-level setup, such as setting up the AWS Organization and configuring access through IAM Identity Center. No application-related resources should be deployed in the management account.

    Creating the AWS Organization

    To create the AWS Organization, search for "Organizations" in the AWS Management Console and click "Create an Organization." This will place your management account in an Organizational Unit (OU) within the root of the organization.

    Organizational Units are a way to structure your AWS accounts like a file tree and set up granular permissions for individual groups of accounts. For our simple setup, we'll keep all our accounts in the root OU.

    Adding Accounts to the Organization

    Next, we need to create our development and production accounts within the organization.

    1. Click "Add an AWS Account" and select "Create an AWS Account."
    2. Name the account "development" and provide an email address (e.g., aws+dev@example.com).
    3. Leave the IAM role name as the default and create the account.
    4. Repeat the process to create a "production" account with a different email address (e.g., aws+prod@example.com).

    You should now see the management account, development account, and production account within your AWS Organization.

    While this may seem like overkill for an individual working on side projects, it's a good practice to keep your production resources isolated. If it saves you from accidentally pushing development resources to production even once, it will be worth the setup.

    Next Steps

    With our AWS Organization and accounts set up, we can move on to configuring access and security through IAM Identity Center in the next lesson.

    Transcript

    To this point, we've really just been talking. We've looked at the console a bit, but it's time to get our hands dirty and actually do something. So to get started with setting up our development environment, we need to start with AWS organizations. Let's take a step back. Earlier, we set up an AWS account, And you may have thought everything we're going to do is going to live within that AWS account, that it's the root of everything in AWS.

    And to a certain extent it is, all of the resources that we're gonna deploy, whether that's websites or function code or buckets that store files, all of those things will be deployed in the context of a single AWS account. But AWS organizations are a container of AWS accounts. And they allow you to govern and manage multiple AWS accounts. Or you may be asking why would I need multiple AWS accounts? Great question, and I'll answer it for you now.

    It's generally a good idea to set up all of your production resources in an isolated AWS account. This way you can limit access to production resources, you don't have people accidentally deploying to production when they meant to deploy to their development account. So it's a good idea to have a separate account for production. Now some organizations, large organizations, will go crazy with this, and they'll have individual AWS accounts for every developer, multiple staging accounts, maybe a test account, and then production. We're gonna keep it super simple.

    For this lesson, by the end of it, we'll have three AWS accounts inside of an AWS organization. The first will be a production account, as we mentioned, just isolate production resources. The second account will be a development account. So a general purpose development account, but if you have multiple developers on your team, you can share that development account. If you're just an individual, then that's your primary account that you'll work in day-to-day as you're building out features.

    And then we'll have the management account, which is the account that we set up a few lessons ago. The management account is really only used for high level setup. So we're gonna set up the AWS organization in here, we're gonna set up access, so all the security access into the accounts through IAM Identity Center, that'll all be set up in the management account. But that's really it. Nothing application related should go into the management account.

    So let's get started with organizations and we're gonna do that by searching organizations in this top search bar. I've got it favorited here. And there's not a lot to this. To start, we're just gonna click create an organization. And you can see here, it's gonna put our management account in something called an organizational unit, or an OU.

    You can see the organizational structure here. We've got the root, this is our root OU, and we've got our one account, which we named earlier management account. So at this point, we have an AWS organization, and we're not gonna go like really deep into organizational units, but it's essentially a way to structure your AWS accounts like a file tree almost, and set up granular permissions for individual buckets of accounts. For individual buckets of accounts. So in the example I mentioned earlier with a large organization, where they might have several development accounts, one for each developer, you could have an organizational unit for developers or development and all of your developer accounts live in that, and you can govern it at that folder level, if you will.

    So you can use things called service control policies, SCPs, to say you can limit what resources can be used, how large of instances can be spun up, all kinds of things in terms of security and usage of AWS at the organizational unit level. We're not going to worry about that right now. All of our accounts, we're just going to put into the root because as I said, we're going to keep it super simple with just three accounts. So we now need to create our development and our production accounts. We're gonna click add an AWS account.

    And we're creating an AWS account, which is the default. You can also invite existing AWS accounts. We're gonna call this one development. And back to our email setup, this really depends on how you have your email configured. I can use kind of catch-all aliases, so I'm going to do AWS plus dev at atom.dev.

    We're going to leave the role name default, that's fine, I'm not going to add any tags, and I'm going to create AWS account. So that's going to spin for a second, we can go ahead and create a second AWS account. We're going to call this one production. I'm going to similarly name the email address AWS plus prod at Adam.dev. No tags, we're going to leave the IAM role name default and create a AWS account.

    Alright, so we've got those two additional accounts. You can see we've got the management account, development and production. This may seem like a lot of overkill. If you're just an individual and you're building side projects on AWS, maybe it's a lot, but I do recommend just going ahead and getting into this practice of keeping your production resources isolated. If it saves you one time where you accidentally pushed dev resources into prod, you'll be glad that you set it up this way.