1 of 9

Cradle to Grave:

An AWS Account Lifecycle Management Story

November 17, 2021

ITS - Enterprise Infrastructure

Overview

History

Provisioning

Maintenance

Termination

Future

A Short View Back to the Past

Provisioning

  • Azure Automation
    • Root e-mail creation
    • Credentials sent to Enterprise Vault
  • AWS Account Creation
    • AWS Organizations
  • Account Setup
    • Mixture of Organizations/SCPs and custom code
    • VPC, if needed
  • Cloud Inventory
    • REST API
  • CloudCheckr
    • Initial synchronization and billing data access
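The provisioning steps above, as an added example written for this page rather than code from the deck or from ITS. It assumes boto3-style clients: the Organizations client belongs to the management account, and the S3 Control client must be built from credentials obtained by assuming the new account's OrganizationAccountAccessRole, because Block Public Access is an account-level setting that lives inside the member account. Both clients are passed in, so the constructed fakes at the bottom let the flow run offline; the root e-mail is taken as input because the deck produces it in Azure Automation. The account ID, request ID and OU ID are placeholders.

```python
"""Provisioning flow for a member account (added example, not the deck's code)."""
import time


class ProvisioningError(Exception):
    pass


# The four account-level settings that together stop any bucket in the account going public.
FULL_PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def create_member_account(org, email, name, ou_id, poll_seconds=15, max_polls=40):
    """Create the account, wait for the asynchronous request, then move it into its OU."""
    resp = org.create_account(
        Email=email,                        # unique root e-mail created by the Azure Automation step
        AccountName=name,
        RoleName="OrganizationAccountAccessRole",
        IamUserAccessToBilling="DENY",      # billing stays with the management account
    )
    request_id = resp["CreateAccountStatus"]["Id"]
    for _ in range(max_polls):
        status = org.describe_create_account_status(CreateAccountRequestId=request_id)["CreateAccountStatus"]
        if status["State"] == "SUCCEEDED":
            break
        if status["State"] == "FAILED":
            raise ProvisioningError(status.get("FailureReason", "unknown"))
        time.sleep(poll_seconds)
    else:
        raise ProvisioningError("timed out waiting for CreateAccount")
    account_id = status["AccountId"]
    # New accounts land directly under the organization root; the OU's SCPs
    # only take effect once the account has been moved there.
    root_id = org.list_roots()["Roots"][0]["Id"]
    org.move_account(AccountId=account_id, SourceParentId=root_id, DestinationParentId=ou_id)
    return account_id


def apply_account_public_access_block(s3control, account_id):
    """s3control must carry credentials for the member account (assumed role)."""
    s3control.put_public_access_block(
        AccountId=account_id, PublicAccessBlockConfiguration=FULL_PUBLIC_ACCESS_BLOCK
    )
    return dict(FULL_PUBLIC_ACCESS_BLOCK)


def provision(org, s3control, email, name, ou_id, poll_seconds=15):
    """Runs the flow and returns the record the inventory REST API would receive."""
    account_id = create_member_account(org, email, name, ou_id, poll_seconds)
    block = apply_account_public_access_block(s3control, account_id)
    return {
        "account_id": account_id,
        "root_email": email,
        "ou_id": ou_id,
        "public_access_block": all(block.values()),
        "status": "active",
    }


# Constructed fakes standing in for the two boto3 clients so the flow runs offline.
class FakeOrganizations:
    def __init__(self):
        self.calls = []
        self._polls = 0

    def create_account(self, **kw):
        self.calls.append(("create_account", kw))
        return {"CreateAccountStatus": {"Id": "car-0000000000000001", "State": "IN_PROGRESS"}}

    def describe_create_account_status(self, CreateAccountRequestId):
        self._polls += 1                    # first poll still in progress, second one succeeds
        state = "SUCCEEDED" if self._polls >= 2 else "IN_PROGRESS"
        return {"CreateAccountStatus": {"Id": CreateAccountRequestId, "State": state, "AccountId": "111122223333"}}

    def list_roots(self):
        return {"Roots": [{"Id": "r-exam"}]}

    def move_account(self, **kw):
        self.calls.append(("move_account", kw))


class FakeS3Control:
    def __init__(self):
        self.calls = []

    def put_public_access_block(self, **kw):
        self.calls.append(("put_public_access_block", kw))


if __name__ == "__main__":
    print(provision(FakeOrganizations(), FakeS3Control(),
                    "aws-root+demo@example.edu", "demo", "ou-exam-11111111", poll_seconds=0))
```

With real clients the two parameters would be `boto3.client("organizations")` and an S3 Control client created from `sts.assume_role` credentials for the new account; CreateAccount is asynchronous, so the polling loop is where most provisioning scripts go wrong.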

Maintenance

  • New services/features
    • Organizations, custom code
  • Changes to account access management
    • Azure Automation
  • AWS Support Level Changes
  • Exceptions to policy/best practices
    • IAM user creation
    • Relaxing the account-level S3 Block Public Access setting
  • Changes to billing or technical contacts
    • Inventory API
  • Changes to customer requirements
    • VPC/VPN connectivity
  • Resolving our own technical debt
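The two policy exceptions named above, treated as data rather than as one-off tickets, as an added example that is not code from the deck or from ITS. One SCP denies IAM user creation and changes to the account-level Block Public Access to every principal except the cross-account role the provisioning automation assumes (the exemption uses the `aws:PrincipalArn` condition key; the role name, the inventory record layout and the two state-fetching callables are assumptions), and an audit compares each account's observed state with the exceptions on file. In production the callables would wrap `s3control.get_public_access_block` (treating a `NoSuchPublicAccessBlockConfiguration` error as "not enabled") and `iam.list_users` run through the member-account role; here they read constructed dictionaries.

```python
"""Guardrail SCP plus exception audit (added example, not the deck's code)."""
import json

# Role the management-account automation assumes into members; anyone who can
# assume it is already an account administrator, so it is the natural exemption.
AUTOMATION_ROLE_ARN = "arn:aws:iam::*:role/OrganizationAccountAccessRole"  # assumption
SCP_MAX_BYTES = 5120                     # Organizations limit for one SCP document


def build_guardrail_scp(exempt_principal_arns):
    """Deny the two actions to everyone whose principal ARN is not in the exempt list."""
    only_exempt = {"ArnNotLike": {"aws:PrincipalArn": list(exempt_principal_arns)}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyIamUserCreation",
                "Effect": "Deny",
                "Action": ["iam:CreateUser", "iam:CreateAccessKey"],
                "Resource": "*",
                "Condition": only_exempt,
            },
            {
                "Sid": "DenyChangingAccountPublicAccessBlock",
                "Effect": "Deny",
                "Action": ["s3:PutAccountPublicAccessBlock"],
                "Resource": "*",
                "Condition": only_exempt,
            },
        ],
    }


def validate_scp(doc):
    """Returns the problems Organizations would reject or that would defeat the intent."""
    problems = []
    if len(json.dumps(doc, separators=(",", ":")).encode()) > SCP_MAX_BYTES:
        problems.append("document larger than %d bytes" % SCP_MAX_BYTES)
    for st in doc.get("Statement", []):
        sid = st.get("Sid", "?")
        if "Principal" in st or "NotPrincipal" in st:
            problems.append(f"{sid}: Principal/NotPrincipal are not allowed in SCPs")
        if st.get("Effect") == "Deny" and "Resource" not in st:
            problems.append(f"{sid}: Deny statement needs a Resource element")
        for values in st.get("Condition", {}).get("ArnNotLike", {}).values():
            if not values:               # empty exemption list: nobody could ever act
                problems.append(f"{sid}: ArnNotLike with no ARNs denies everyone")
    return problems


def audit_exceptions(inventory, public_block_enabled, iam_user_names):
    """Findings for observed state that has no matching exception in the inventory.

    inventory            iterable of {account_id, allow_iam_users, allow_public_s3}
    public_block_enabled account_id -> bool
    iam_user_names       account_id -> list of IAM user names
    """
    findings = []
    for rec in inventory:
        acct = rec["account_id"]
        if not rec["allow_public_s3"] and not public_block_enabled(acct):
            findings.append((acct, "account-level Block Public Access is off with no exception on file"))
        users = sorted(iam_user_names(acct))
        if users and not rec["allow_iam_users"]:
            findings.append((acct, "IAM users present with no exception on file: " + ", ".join(users)))
    return findings


# Constructed sample data: three accounts and what a scan of them observed.
SAMPLE_INVENTORY = [
    {"account_id": "111122223333", "allow_iam_users": False, "allow_public_s3": False},
    {"account_id": "444455556666", "allow_iam_users": True, "allow_public_s3": False},
    {"account_id": "777788889999", "allow_iam_users": False, "allow_public_s3": True},
]
OBSERVED_BLOCK = {"111122223333": True, "444455556666": False, "777788889999": False}
OBSERVED_USERS = {"111122223333": ["svc-backup"], "444455556666": ["ci-deploy"], "777788889999": []}


if __name__ == "__main__":
    scp = build_guardrail_scp([AUTOMATION_ROLE_ARN])
    print(json.dumps(scp, indent=2), validate_scp(scp))
    for acct, msg in audit_exceptions(SAMPLE_INVENTORY, OBSERVED_BLOCK.__getitem__, OBSERVED_USERS.__getitem__):
        print(acct, msg)
```

Two caveats a practitioner will want: SCPs never apply to principals in the management account, so the audit is the only control there, and the SCP blocks creation of new IAM users but says nothing about users that already exist, which is why the audit lists them.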

The Past is the Present

Termination

  • Account Deletion
  • Mark account deleted in inventory
  • Reclaim VPC IP range in inventory (if provisioned)
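The three termination steps, together with the VPC range allocation from the provisioning slide ("VPC, if needed") that they undo, as an added example that is not code from the deck or from ITS. The inventory is an in-memory dict standing in for the REST API, the pool carves fixed-size blocks from one constructed supernet, and the Organizations client is injected so the constructed fake at the bottom runs offline. It uses `CloseAccount`, which AWS added to the Organizations API in 2022, after this talk was given; a closed account reports `PENDING_CLOSURE` and then `SUSPENDED` for 90 days before it is deleted for good. Account IDs and the supernet are placeholders.

```python
"""Termination with inventory update and CIDR reclaim (added example, not the deck's code)."""
import ipaddress
from datetime import date


class CidrPool:
    """Fixed-size blocks carved from one supernet, each tracked to the account holding it."""

    def __init__(self, supernet, prefixlen):
        self.blocks = [str(b) for b in ipaddress.ip_network(supernet).subnets(new_prefix=prefixlen)]
        self.holders = {}                        # cidr -> account_id

    def allocate(self, account_id):
        for cidr in self.blocks:
            if cidr not in self.holders:
                self.holders[cidr] = account_id
                return cidr
        raise RuntimeError("VPC pool exhausted")

    def reclaim(self, cidr, account_id):
        # Refuse to free a block on the wrong account's behalf: inventory and AWS must agree.
        if self.holders.get(cidr) != account_id:
            raise ValueError(f"{cidr} is not held by {account_id}")
        del self.holders[cidr]


def terminate_account(org, inventory, pool, account_id, today=None):
    """Close the account, mark it deleted, return its VPC range to the pool."""
    rec = inventory[account_id]
    if rec["status"] == "deleted":
        raise ValueError(f"{account_id} already terminated")
    # close_account raises when AWS refuses (for example the rolling 30-day
    # closure quota); nothing below runs unless the request was accepted.
    org.close_account(AccountId=account_id)
    aws_status = org.describe_account(AccountId=account_id)["Account"]["Status"]
    rec["status"] = "deleted"
    rec["aws_status"] = aws_status               # PENDING_CLOSURE, then SUSPENDED for 90 days
    rec["terminated_on"] = (today or date.today()).isoformat()
    if rec.get("vpc_cidr"):
        # VPN and peering routes to this range must already be gone, otherwise the
        # next account given the block inherits reachability it never asked for.
        pool.reclaim(rec["vpc_cidr"], account_id)
        rec["vpc_cidr"] = None
    return rec


# Constructed fake standing in for the boto3 Organizations client.
class FakeOrganizations:
    def __init__(self):
        self.closed = []

    def close_account(self, AccountId):
        self.closed.append(AccountId)

    def describe_account(self, AccountId):
        status = "SUSPENDED" if AccountId in self.closed else "ACTIVE"
        return {"Account": {"Id": AccountId, "Status": status}}


def build_demo():
    """Constructed inventory: two accounts, one holding a VPC range from the pool."""
    pool = CidrPool("10.160.0.0/16", 24)
    inventory = {
        "111122223333": {"status": "active", "vpc_cidr": pool.allocate("111122223333")},
        "444455556666": {"status": "active", "vpc_cidr": None},
    }
    return pool, inventory


if __name__ == "__main__":
    pool, inventory = build_demo()
    print(terminate_account(FakeOrganizations(), inventory, pool, "111122223333"))
    print("free again:", pool.allocate("777788889999"))
```

The holder check in `reclaim` is the part worth keeping: the inventory is the only record of which range belongs to whom, so a reclaim that does not verify ownership silently hands a live account's range to the next requester.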

Future Steps

  • Look more seriously at AWS Control Tower and AWS SSO
    • Integrate account access management with in-house self-service tools
  • Automated entry of inventory data during provisioning and termination
    • Integration of inventory API with ticketing/workflow
  • Further use of inventory to drive automated process
    • Automated internal chargeback and invoicing
  • Wait for AWS to allow us to delete accounts via the Organizations API

Q&A

Chris Lawrence

Cloud & OS Team Lead

christopher-lawrence@uiowa.edu