GithubHelp home page GithubHelp logo

jrbeverly / aws-exp-organizations-policy Goto Github PK

View Code? Open in Web Editor NEW
0.0 2.0 0.0 9 KB

Experimenting with AWS SCPs & Organization Units

License: MIT License

Dockerfile 9.65% HCL 90.35%
aws-organizations

aws-exp-organizations-policy's Introduction

AWS Organization Structure Experiments - Mirrored Organizations

Experiments with AWS Organization structure and potential SCP policies.

Notes

  • The entire organization unit hierarchy shouldn't be a single entity for mirroring. Makes it difficult to evaluate in "isolation"
  • Entire organization mirrors can work with the SCPs, but internal permissions (e.g. S3 Bucket) still might have issues
  • Organizations should include a uniqueness component to allow for constructing a new version (& prototyping)
  • SCPs seem like they would benefit in cases where there is a sort of "State machine" in the SCP
  • State machine examples are "During provisioning of account, need to create IAM Users, but from then on no users should be created"
  • Account boundaries for services as a way of strictly locking things makes it easier to have DenyKMS and other such policies
  • Region denies only apply after provisioning, as we need to purge the "default VPCs" created when an AWS Account is created (+ any other "default" resources)
  • AWS Password Policy / AWS IAM Account Name / Etc are all good examples of something that should only need to be provisioned "once"
  • SCPs give a potential idea for the concept of "Immutable AWS Account Infrastructure", that require you to create a new AWS Account (+ migrate resources) rather than edit them
  • Sandbox/Staging organizations can contain the developer workloads that are for sandbox/development
  • Developer workloads should be contained within accoounts that can be created/decommissioned on a release schedule (see ubuntu - Bionic Beaver, Focal Fossa, Xenial Xerus)

More investigation is needed into this idea, as the exact "concern" that this kind of structure & SCP policy layout will handle is kind of vague. Although grouping AWS Accounts and associating tags with them can be useful for things like data residency / storage compliance, its not immediately clear how this design maps to the "problem" itself.

SCPs seem like they would be a good guardrail, but have concerns that it would encounter issues in cases with the rule being enforced at all times, vs a more state machine concept (e.g. [Provisioning (allowed) => Running (not allowed)])

aws-exp-organizations-policy's People

Contributors

jrbeverly avatar

Watchers

avatar avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.