1 of 12

Multi-Account AWS

Architectures &�Tools

Engin Doğusoy • 06.05.2023

2 of 12

Context�of�Experience

An IoT product

  • collecting data from 1.9M devices daily
  • collecting 2.4B updates per day
  • operated “currently” in 17 AWS accounts
  • with 135x size difference between accounts
  • running almost for 6 years
  • managed by a team of 2-3

3 of 12

Evolution of Multi-Account

4 of 12

The �Good

  • Focus on differentiating features
  • Account level separation simplifies legal
  • Separate billing enables pricing options
  • Scaling problem gets smaller
  • Easier to manage product fragmentation
  • Cohesive security posture

5 of 12

The �Bad

  • More expensive to operate
  • Requires early investment in automation
  • Complicates infrastructure management & deployments
  • Managing secrets become challenging
  • Requires centralized tooling for all functions of operation

6 of 12

Golden Rules

Use Organizations and most likely Control Tower too

Most new services come with Organizations support

Control Tower is great if you are starting from scratch

Infrastructure as Code from Day 1

Manage everything that goes into a product account

Use a IaC management SaaS with UI for easier adaptation of the team

Try not to fragment your stack

Try not to keep customer/environment specific branches

If you have to, turn them into feature flags

Have at least one constant environment identifier

Set it up at the root of your IaC stack, pass it to other modules

Make sure it is not hard coded or overwritten

7 of 12

Infrastructure Management & Deployment

8 of 12

Monitoring v1: Pull

9 of 12

Monitoring v2: Push - Pull

  • No unnecessary network exposure
  • No DNS management and registration
  • IAM signing is much more elegant than IP whitelisting
  • Operation tools are managed by AWS
  • Can be further evolved to support serverless computing options

10 of 12

Logging

  • Application should not know about the underlying pipeline
  • Resources within an account don’t know about other accounts
  • Cross-account Kinesis - Kinesis with IAM authentication
  • Same logic can be applied to other services such as EventBridge and CloudWatch
  • Additional persistence in the product account is optional

11 of 12

Security Posture

12 of 12

Thank you!

engin.dogusoy@gmail.com

engin.dogusoy@lifemote.com

lifemote.com