Chapter 52. How Should I Organize My AWS Accounts?
The most fundamental tools for organizing and protecting cloud resources are accounts: AWS accounts, GCP projects, and Azure subscriptions. Cloud accounts are architectural elements that create management, fault, and security boundaries. But many organizations do not use them properly, which puts the organization and its customers at risk.
The rule is: create a cloud account for each major use case your organization operates in the cloud.
I’ll show how to organize a large organization’s cloud accounts to deliver changes and operate safely. Tailor this to fit your needs. Let’s start with use cases shared across the organization, and then examine those for running end-user applications.
Every enterprise must support several use cases in their cloud deployment (the green in blue/green deployment). Provision the following accounts:
The Security account contains the organization’s Cloud API activity logs (CloudTrail) and resource configuration inventory (Config). Ingest these logs into log search tools in the Shared Services account.
Operate monitoring, logging, DNS, directory, and security tools in a Shared Services account. Collect telemetry from the cloud provider, your infrastructure, and your applications running in other accounts. People with high privileges in other accounts may use ...
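As an added example (not the chapter's own code), a check that every account's CloudTrail actually lands in the Security account's bucket, since the Security account only serves its purpose if the other accounts deliver to it. The bucket name and account ids are constructed, and the records use the dict shape boto3's `describe_trails()` returns:

```python
"""Check that every AWS account delivers CloudTrail to the Security account.
Added example, not from the chapter. Records use the dict shape returned by
boto3 cloudtrail.describe_trails()["trailList"]; bucket and ids are constructed.
"""

# Assumed name of the central CloudTrail bucket owned by the Security account.
SECURITY_LOG_BUCKET = "example-security-cloudtrail-logs"


def _trail_issues(name, trail):
    """Defects in one trail that already delivers to the central bucket."""
    issues = []
    if not trail.get("IsMultiRegionTrail"):
        issues.append(f"trail {name} is single-region; other regions go unlogged")
    if not trail.get("LogFileValidationEnabled"):
        issues.append(f"trail {name} lacks log file validation; tampering is undetectable")
    return issues


def audit_org(inventory):
    """Map account id -> findings (empty list = compliant). A healthy
    organization trail into the Security bucket covers every member account."""
    org_trails = [t for trails in inventory.values() for t in trails
                  if t.get("IsOrganizationTrail") and t.get("S3BucketName") == SECURITY_LOG_BUCKET]
    if any(not _trail_issues(t.get("Name", "?"), t) for t in org_trails):
        return {acct: [] for acct in inventory}
    report = {}
    for acct, trails in inventory.items():
        central = [t for t in trails if t.get("S3BucketName") == SECURITY_LOG_BUCKET]
        if not central:
            report[acct] = [f"no trail delivers to {SECURITY_LOG_BUCKET}"]
            continue
        report[acct] = [i for t in central for i in _trail_issues(t.get("Name", "?"), t)]
    return report


# Constructed sample: management account, Shared Services, and one app account.
SAMPLE_INVENTORY = {
    "111111111111": [{"Name": "mgmt", "S3BucketName": SECURITY_LOG_BUCKET,
                      "IsMultiRegionTrail": True, "LogFileValidationEnabled": True}],
    "222222222222": [{"Name": "local-only", "S3BucketName": "shared-svc-bucket",
                      "IsMultiRegionTrail": True, "LogFileValidationEnabled": True}],
    "333333333333": [{"Name": "app", "S3BucketName": SECURITY_LOG_BUCKET,
                      "IsMultiRegionTrail": False, "LogFileValidationEnabled": True}],
}

if __name__ == "__main__":
    for acct, findings in audit_org(SAMPLE_INVENTORY).items():
        print(acct, "OK" if not findings else "; ".join(findings))
```

In a real run, gather each member account's trail list by assuming a read-only role into it, then feed the combined inventory to `audit_org`.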