Advanced
Multi-Account Landing Zone
Set up enterprise-grade AWS organization with governance and security guardrails
Project Overview
Create a scalable, secure AWS multi-account structure using Control Tower, Organizations, and IAM Identity Center. Essential for enterprise environments.
Prerequisites
- Understanding of IAM and permissions
- Experience managing AWS accounts
- Knowledge of compliance and security concepts
- A "fresh" AWS account as management account
Architecture
Management Account: Organizations + Control Tower
  ↓
IAM Identity Center (SSO) and SCPs (guardrails)
  ↓
Security OU: Log Archive
Workloads OU: Production
Sandbox OU: Development
Account Factory automates new account provisioning
Step-by-Step Instructions
1. Enable AWS Organizations
- Use a clean AWS account as management account
- Enable AWS Organizations
- Enable all features (not just consolidated billing)
- This account should NOT run workloads
- Secure with strong MFA and limited access
2. Set Up AWS Control Tower
- Launch Control Tower from the console
- Configure home region and governed regions
- Let Control Tower create Log Archive and Audit accounts
- Wait for setup to complete (~1 hour)
- Review created resources and baseline guardrails
3. Design Organizational Unit Structure
- Create Security OU (shared security services)
- Create Infrastructure OU (networking, shared services)
- Create Workloads OU (production accounts)
- Create Sandbox OU (development, experimentation)
- Consider nested OUs for larger organizations
4. Configure Service Control Policies
- Create SCPs to enforce security guardrails
- Deny actions: disabling CloudTrail, deleting VPC flow logs
- Restrict regions for compliance requirements
- Prevent leaving the organization
- Apply SCPs to appropriate OUs
5. Set Up IAM Identity Center
- Enable IAM Identity Center (formerly AWS SSO)
- Configure identity source (built-in, AD, external IdP)
- Create permission sets for different roles
- Assign users/groups to accounts
- Users get single sign-on to all assigned accounts
6. Implement Account Vending
- Use Account Factory in Control Tower
- Or create Service Catalog products
- Standardize account provisioning
- Include baseline configurations (VPC, security)
- Automate with Account Factory for Terraform (AFT)
Tips
- Use AWS SSO for centralized access - Single portal for all accounts, no need for separate IAM users
- Implement tag policies - Enforce consistent tagging for cost allocation
- Centralize logging in Log Archive account - CloudTrail, Config, and VPC flow logs
- Start with preventive guardrails - Easier than detecting and fixing violations later
Code Examples
Service Control Policy - Deny Region
deny-regions-scp.json
JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllOutsideAllowedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "route53:*",
        "budgets:*",
        "support:*",
        "cloudfront:*",
        "globalaccelerator:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "us-west-2",
            "eu-west-1"
          ]
        }
      }
    }
  ]
}
SCP - Prevent Security Changes
protect-security-scp.json
JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProtectCloudTrail",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ProtectConfig",
      "Effect": "Deny",
      "Action": [
        "config:DeleteConfigRule",
        "config:DeleteConfigurationRecorder",
        "config:DeleteDeliveryChannel",
        "config:StopConfigurationRecorder"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyLeaveOrganization",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    }
  ]
}
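Before attaching these two SCPs, it helps to check offline which calls they would deny. The evaluator below is an added example, not code from the page: it copies the statements of deny-regions-scp.json and protect-security-scp.json into plain dicts and implements only the Action/NotAction matching and the StringNotEquals condition those policies use (resource matching is not modelled because both use "*").

```python
import fnmatch

# Statements of deny-regions-scp.json and protect-security-scp.json above, copied as plain dicts
SCP_STATEMENTS = [
    {"Sid": "DenyAllOutsideAllowedRegions", "Effect": "Deny", "Resource": "*",
     "NotAction": ["iam:*", "organizations:*", "route53:*", "budgets:*",
                   "support:*", "cloudfront:*", "globalaccelerator:*"],
     "Condition": {"StringNotEquals": {
         "aws:RequestedRegion": ["us-east-1", "us-west-2", "eu-west-1"]}}},
    {"Sid": "ProtectCloudTrail", "Effect": "Deny", "Resource": "*",
     "Action": ["cloudtrail:DeleteTrail", "cloudtrail:StopLogging", "cloudtrail:UpdateTrail"]},
    {"Sid": "ProtectConfig", "Effect": "Deny", "Resource": "*",
     "Action": ["config:DeleteConfigRule", "config:DeleteConfigurationRecorder",
                "config:DeleteDeliveryChannel", "config:StopConfigurationRecorder"]},
    {"Sid": "DenyLeaveOrganization", "Effect": "Deny", "Resource": "*",
     "Action": "organizations:LeaveOrganization"},
]

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _action_matches(patterns, action):
    # IAM action matching is case-insensitive and supports the * and ? wildcards
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))

def _condition_holds(condition, context):
    # Only StringNotEquals, the operator these SCPs use; a missing context key fails the condition
    for operator, pairs in condition.items():
        if operator != "StringNotEquals":
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None or actual in _as_list(expected):
                return False
    return True

def _statement_applies(stmt, action, context):
    if "Action" in stmt:
        covered = _action_matches(stmt["Action"], action)
    else:  # NotAction: the statement covers every action except the listed ones
        covered = not _action_matches(stmt["NotAction"], action)
    return covered and _condition_holds(stmt.get("Condition", {}), context)

def denying_sids(action, region, statements=SCP_STATEMENTS):
    """Sids of every Deny statement that blocks `action` when aws:RequestedRegion is `region`.
    An empty list means the SCPs do not deny it (IAM policies in the account still apply)."""
    context = {"aws:RequestedRegion": region}
    return [s["Sid"] for s in statements
            if s["Effect"] == "Deny" and _statement_applies(s, action, context)]
```

Because the region statement uses NotAction, calls to the listed global services (iam, organizations, route53, ...) pass that statement in any region, while the explicit security denies apply everywhere.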
Create Organizational Units
Terminal Commands
BASH
# Get root ID
ROOT_ID=$(aws organizations list-roots --query 'Roots[0].Id' --output text)

# Create OUs, keeping the ID that create-organizational-unit returns for each
create_ou() {
  aws organizations create-organizational-unit \
    --parent-id "$ROOT_ID" \
    --name "$1" \
    --query 'OrganizationalUnit.Id' --output text
}
SECURITY_OU_ID=$(create_ou "Security")
INFRASTRUCTURE_OU_ID=$(create_ou "Infrastructure")
WORKLOADS_OU_ID=$(create_ou "Workloads")
SANDBOX_OU_ID=$(create_ou "Sandbox")

# Attach SCP to an OU (p-1234567 is a placeholder: use the PolicyId returned by create-policy)
aws organizations attach-policy \
  --policy-id p-1234567 \
  --target-id "$WORKLOADS_OU_ID"   # or any of the OU IDs captured above
IAM Identity Center Permission Set
admin-permission-set.json
JSON
{
  "Name": "AdministratorAccess",
  "Description": "Full admin access to AWS accounts",
  "SessionDuration": "PT4H",
  "ManagedPolicies": [
    "arn:aws:iam::aws:policy/AdministratorAccess"
  ],
  "InlinePolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "DenyBillingAccess",
        "Effect": "Deny",
        "Action": [
          "aws-portal:*",
          "budgets:*"
        ],
        "Resource": "*"
      }
    ]
  }
}
Account Factory CloudFormation StackSet
account-baseline.yaml
YAML
AWSTemplateFormatVersion: '2010-09-09'
Description: Baseline configuration for new accounts
Parameters:
  ConfigBucketName:
    Type: String   # existing S3 bucket that receives Config deliveries (typically in Log Archive)
  CloudTrailLogGroupName:
    Type: String   # CloudWatch Logs group that CloudTrail in this account delivers to
Resources:
  # Role that AWS Config assumes to read resource configuration
  ConfigRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: config.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWS_ConfigRole
  # Enable AWS Config; the recorder needs a delivery channel to start (Control Tower already creates one in enrolled accounts)
  ConfigRecorder:
    Type: AWS::Config::ConfigurationRecorder
    Properties:
      Name: default
      RoleARN: !GetAtt ConfigRole.Arn
      RecordingGroup:
        AllSupported: true
        IncludeGlobalResourceTypes: true
  ConfigDeliveryChannel:
    Type: AWS::Config::DeliveryChannel
    DependsOn: ConfigRecorder
    Properties:
      S3BucketName: !Ref ConfigBucketName
  # Security notification topic
  SecurityAlertTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: security-alerts
      KmsMasterKeyId: alias/aws/sns
  # Turn root-user API calls in CloudTrail into the metric the alarm below watches
  RootUsageMetricFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref CloudTrailLogGroupName
      FilterPattern: '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }'
      MetricTransformations:
        - { MetricName: RootAccountUsage, MetricNamespace: CloudTrailMetrics, MetricValue: '1' }
  # CloudWatch alarm for root login
  RootLoginAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: RootAccountUsage
      MetricName: RootAccountUsage
      Namespace: CloudTrailMetrics
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      AlarmActions:
        - !Ref SecurityAlertTopic
What You'll Learn
- AWS Organizations structure and management
- Service Control Policies (SCPs) for governance
- Centralized logging and security monitoring
- Account vending automation with Account Factory
- IAM Identity Center for federated access