Reference architecture for AWS Multi-Account Customers

Illustration of reference-org-architecture
December 18, 2021 | Reading time 5 min

Context

Customers operating an AWS multi-account environment are quickly confronted with its challenges: how should cloud responsibility be transferred to the different organizational units?

Our Nuvibit reference architecture provides a solution to this challenge. The reference architecture considers and implements best practices from the following sources:

- AWS Landing Zone and AWS Control Tower
- Apply security services across your AWS organization
- AWS Security Reference Architecture
- Multi Account Network Architecture

In addition, our experience with AWS multi-account environments has been included in this reference architecture.

Our Nuvibit reference architecture is a realization of an in-house AWS platform in the sense of Gregor Hohpe - The Magic of Platforms [1] [2] and an implementation of the Core Domains of the Nuvibit Cloud Foundation, which are fully covered in the blog post Nuvibit Cloud Foundation Map.

Illustration of foundation-core-domains

AWS Account Domains

Not all accounts are alike; they serve different kinds of workloads and purposes. To maintain a clear overview, we divide the AWS accounts into three domains:

- Foundation Core
- Foundation Shared Service
- Business Workload

| Domain | Description |
|---|---|
| Foundation Core | Accounts that host core components of the Nuvibit Cloud Foundation and are managed by the Cloud Foundation Core Team(s). |
| Foundation Shared Service | Accounts that host shared services and platforms (streaming platform, data lake, analytics platform, API management) and are managed by the Cloud Foundation Shared Service Team(s). |
| Business Workload | Accounts that host all the components of the business applications and are managed by the Cloud Workload Development Team(s). |

The following graphic serves as an example and gives an overview of the different accounts, categorized by domains:

Illustration of aws-foundation-account-types

We recommend setting up the following Foundation Core Accounts and at least two accounts per business application. Foundation Shared Service Accounts are optional and whether you need them depends on your individual requirements.

| Domain | Account Type | Description |
|---|---|---|
| Foundation Core | AWS Organizations Management | AWS Organization, organizational unit (OU) and service control policy (SCP) management. Consolidated billing over the AWS organization. |
| Foundation Core | Core Account Lifecycle | Account lifecycle management including vending, baselining and retirement. |
| Foundation Core | Core Security | Aggregation of AWS Config, AWS Security Hub and Amazon GuardDuty. Our security event management solution SEMPER is also a citizen of this account. |
| Foundation Core | Core Logging | Log aggregation and archiving account. No direct access, to ensure log integrity. |
| Foundation Core | Core Monitoring | Hosts your central monitoring solutions (e.g. AWS OpenSearch, Splunk). This account is separated from the Core Logging account to protect the log archive from tampering; the integrity of the log archive has to be protected rigorously. |
| Foundation Core | Core Image Factory | Amazon Machine Image (AMI) building account. AMIs are built in this account and shared across the AWS organization. |
| Foundation Core | Core Networking | Core connectivity services (Transit Gateway, Route 53, Direct Connect, VPN). Optional: Shared VPCs for the whole AWS organization, ensuring the network configuration is not altered by the Business Workload teams. |
| Foundation Shared Service | Shared Services | Shared Service Accounts host services or platforms used by multiple Business Workloads. Good examples are a shared streaming platform like Kafka (e.g. MSK), a data lake solution, an Active Directory service or a shared Kubernetes cluster (e.g. EKS). |
| Business Workload | Workload | How you organize your business workload accounts is up to you. We recommend having at least two accounts per business workload to separate production from non-production workloads and reduce the blast radius. This also enables you to apply different rules and policies to production and non-production accounts. |

Foundation Core Domain - Account Baseline

The capabilities in the Nuvibit Foundation Core Domain typically do not consist of the Foundation Core Accounts alone; they also require some components to be deployed in every account within the AWS organization.
Those distributed components are summarized under the term Account Baseline.
The Account Baseline includes account hardening, the implementation of compliance and security policies, and wiring the accounts up with the Foundation Core Accounts.

This Account Baseline is managed in a central place and rolled out to all AWS accounts within the AWS organization.

Illustration of aws-foundation-core

We strongly recommend provisioning all resources used for the Foundation Core Capabilities via Infrastructure as Code. From experience, we rely exclusively on Terraform for this purpose.
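As an added example (not Nuvibit's blueprint code) of one such Account Baseline component managed in Terraform: a service control policy that keeps the telemetry wiring to the Core Logging and Core Security accounts from being switched off inside Shared Service and Business Workload accounts, while the centrally managed baseline role stays exempt. The OU IDs and the baseline role name pattern are constructed placeholders.

```hcl
locals {
  # Constructed placeholder OU ids holding Shared Service and Business Workload accounts.
  baseline_target_ous = ["ou-xxxx-sharedsvc0", "ou-xxxx-workload00"]
  # Constructed: only the centrally managed baseline role may change these settings.
  baseline_role_pattern = "arn:aws:iam::*:role/foundation-baseline-*"
}
data "aws_iam_policy_document" "account_baseline_guardrails" {
  # Keep the feeds to Core Logging and Core Security intact.
  statement {
    sid    = "DenyDisablingSecurityTelemetry"
    effect = "Deny"
    actions = [
      "cloudtrail:StopLogging",
      "cloudtrail:DeleteTrail",
      "cloudtrail:UpdateTrail",
      "config:DeleteConfigurationRecorder",
      "config:StopConfigurationRecorder",
      "guardduty:DeleteDetector",
      "securityhub:DisableSecurityHub",
    ]
    resources = ["*"]
    # The baseline role is exempt so the rollout itself can still manage them.
    condition {
      test     = "ArnNotLike"
      variable = "aws:PrincipalArn"
      values   = [local.baseline_role_pattern]
    }
  }
  # Accounts cannot leave the organization and escape the baseline.
  statement {
    sid       = "DenyLeavingOrganization"
    effect    = "Deny"
    actions   = ["organizations:LeaveOrganization"]
    resources = ["*"]
  }
}

resource "aws_organizations_policy" "account_baseline_guardrails" {
  name        = "account-baseline-guardrails"
  description = "Account Baseline guardrails protecting Foundation Core wiring"
  type        = "SERVICE_CONTROL_POLICY"
  content     = data.aws_iam_policy_document.account_baseline_guardrails.json
}

resource "aws_organizations_policy_attachment" "account_baseline_guardrails" {
  for_each  = toset(local.baseline_target_ous)
  policy_id = aws_organizations_policy.account_baseline_guardrails.id
  target_id = each.value
}
```

SCPs never restrict the management account, so the AWS Organizations Management account itself remains outside this guardrail and must be protected by other means.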

Our service

Nuvibit specializes in providing Cloud Foundation Capabilities to organizations.

We will tailor our Foundation Blueprint to your needs and enable you to deliver Foundation Capabilities to your Cloud Workload Development Teams with a high level of maturity.

Get in touch with us for further details.