AWS Organization & Accounts

We have our AWS account set up; now we're going to set up 3 more.

It is extremely useful to have a clear separation between infrastructure that is created for production, for development, and for pure experimentation. We could separate things even further and create clear boundaries for each developer or employee in a company, but for now we'll focus on these three:

  • Production infrastructure is precious and should be protected. We never want to accidentally mess anything up in production, or delete something by accident.
  • Development infrastructure is great for testing, it's still something that should be protected, but it's ok if things go wrong in development.
  • Experimentation infrastructure is nothing to worry about. Create and delete as much as you like just to test things out. Delete the entire account and start over if you want to, no big deal.

It turns out that the best way to separate these things in AWS is to have a separate account for each one.

The current account that we have is going to be our management account. We won't really be using it much day-to-day, but it's the default account where we can manage billing, alarms, users, etc. So we need three more accounts on top of this one.

In AWS, we do this by first creating an organization; then we can set up many different accounts within this organization.

AWS Organization

We can then create users that belong to the organization and are easily able to access each account with the same login. We could have an admin user that can create anything in any account, or an intern user that can only manage basic infrastructure in the playground account but has no access to the other accounts.

We'll set up a user in the next part; let's start by creating the organization.

step 1:

Search for organizations and select AWS Organizations

step 2:

Click on Create an organization. This will set up an organization where you can manage multiple accounts.


You'll be able to see the account that you already set up. This is the management account, and we really want to limit how much we use this account directly. All resources that we make will exist in other accounts.

The only reason we will be logging into the management account right now is to view billing for every single account we make in this organization.

Create Accounts

step 3:

Click on Add an AWS account

step 4:
  • Enter Production for the account name
  • Enter a new email address for the account's owner
  • Click Create AWS account
step 5:

Do the same thing for a Development account.

step 6:

Do it one last time for the Playground account.


When all the accounts have finished setting up, your organization dashboard should look like this.
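As an added example (not code from the course), here are the same three member accounts created from the management account with the AWS CLI instead of the console, including the wait for each asynchronous request to finish. It assumes the CLI is already configured with management-account credentials, the organization exists, and the e-mail addresses are placeholders to replace with your own distinct addresses or aliases.

```shell
#!/usr/bin/env bash
# Added example, not part of the course: create the Production, Development and
# Playground member accounts via the AWS CLI and wait for each request to finish.
# Assumes management-account credentials and an existing organization.
set -eu
# Each member account needs its own distinct, unused owner e-mail (placeholders).
ACCOUNT_EMAILS="Production=prod-aws@example.com
Development=dev-aws@example.com
Playground=playground-aws@example.com"

# Submit a CreateAccount request and print its request id (car-...).
start_account() {
  name="$1"; email="$2"
  aws organizations create-account \
    --account-name "$name" \
    --email "$email" \
    --role-name OrganizationAccountAccessRole \
    --iam-user-access-to-billing DENY \
    --query 'CreateAccountStatus.Id' --output text
}

# Poll the request until it leaves IN_PROGRESS; print the final state and
# fail on anything other than SUCCEEDED so set -e stops the caller.
wait_account() {
  req_id="$1"
  while :; do
    state=$(aws organizations describe-create-account-status \
      --create-account-request-id "$req_id" \
      --query 'CreateAccountStatus.State' --output text)
    case "$state" in
      IN_PROGRESS) sleep 5 ;;
      SUCCEEDED)   echo "$state"; return 0 ;;
      *)           echo "$state" >&2; return 1 ;;
    esac
  done
}

# Create every account listed above, refusing duplicate e-mails before any call.
create_all_accounts() {
  if [ -n "$(printf '%s\n' "$ACCOUNT_EMAILS" | cut -d= -f2 | sort | uniq -d)" ]; then
    echo "duplicate owner e-mail in ACCOUNT_EMAILS" >&2
    return 1
  fi
  printf '%s\n' "$ACCOUNT_EMAILS" | while IFS='=' read -r name email; do
    req=$(start_account "$name" "$email")
    state=$(wait_account "$req")
    echo "$name: $req -> $state"
  done
}
# Only talk to AWS when asked explicitly, so the file can be sourced for its functions.
if [ "${RUN_ORG_SETUP:-0}" = "1" ]; then create_all_accounts; fi
```

Run it with `RUN_ORG_SETUP=1` to actually create the accounts; `--iam-user-access-to-billing DENY` stops IAM users inside each member account from viewing its billing, which stays visible through the management account's consolidated billing as the page intends.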

Transcript
00:00
So we have this root AWS account set up but we're actually gonna set up three more accounts
00:04
within this account which will give us a nice clean separation between different parts of our infrastructure.
00:10
So I'll show you what I mean by this We're gonna set up an AWS
00:14
organization which is gonna be the umbrella for all of our accounts.
00:19
And then we'll have this root account which will be the management account It's where we have
00:22
root privileges we can view things like billing and we can set up other users And then what I
00:26
like to do is have three other accounts one for production, one for development, and one kind
00:31
of playground sandbox account where we can just play around and experiment with whatever we want
00:35
So if I had production infrastructure that people were relying on then this would go in the
00:40
production account and I know that anything going on in there shouldn't just be terminated or
00:45
played around with This is infrastructure that people are relying on So it's very important that
00:49
this doesn't get abused in any way And then in my development account this is where I might have
00:54
my staging environments my bits of infrastructure that I need for testing with other people And
00:59
if I were to terminate infrastructure in my development account it's probably okay It's not
01:03
production infrastructure, but I need to be just a tiny bit careful in there because we might
01:06
be doing some testing within that account And then my playground account is completely free for
01:10
me to do whatever I want I can play with new infrastructure I can tear it down I could even
01:14
terminate the entire playground account, and it would be okay because I'm not gonna put any
01:19
infrastructure in that account that anyone is depending on So if I remove infrastructure from my
01:24
production account it's probably a big deal I probably won't ever really do that In my
01:28
development account I gotta be a little bit careful there but not too careful And in my
01:31
playground account I don't have to be careful at all This is completely for experimentation.
01:35
And for this course this is where we're gonna be living most of the time It's gonna be in the playground account so that we can experiment with infrastructure.
01:41
We can set things up and tear them down without worrying about anything And then if at any part
01:44
through the course you wanna take what you've learned and set something up you wanna host a
01:48
portfolio website or set up a database for something and you want it to be long lived you can
01:52
throw that into your production account and not worry about terminating it accidentally because
01:56
it's in your playground account Once you get bigger as an organization you can create different
02:01
users that have different permissions within different accounts So the intern might have free
02:05
rein in the playground account but might not be able to do anything in the production account.
02:09
So this separation is really nice So we're gonna set up these different accounts And the first
02:13
thing we need to do is actually set up the organization so up in the top here I'm gonna search
02:17
for organization I'm gonna go to AWS Organizations and we're gonna set up that organization that
02:22
is kind of the umbrella over all the different accounts So we'll create an organization now And
02:26
that immediately just sets up this root organization and we currently have the root account
02:31
that we created already as the management account And again we don't wanna create any
02:35
infrastructure in here This is really just for managing the other accounts in here So we have
02:39
the management account that's already set up by default We wanna create the
02:42
production development and this playground sandbox account.
02:45
So I'm gonna go back in here and we're gonna add an AWS account and this is all within the same
02:50
dashboard We don't need to go through those initial steps again We're just gonna manage them all within this organization now.
02:56
So this is going to be my production account And then we
03:00
do need a different email address for each account that we create in this organization.
03:05
So if you're using something like Gmail you can create email aliases instead of having to set up
03:09
a new email address for each individual thing I just have my own domain for my email so I can
03:14
use uh whatever I want here I'm gonna go uh Sam production AWS at cloud course dot dev.
03:22
But this does need to be a different email address or a different email alias for each of the
03:26
accounts in this organization The IAM role name is good and we can create that AWS account This
03:31
is currently being created So we won't see it show up in the list right now but we can go ahead
03:34
and keep creating the other account So the next one is gonna be development and I'm gonna say
03:39
Sam development AWS at cloud course dot dev again a different email address and then we'll
03:45
create this account And then I'm gonna add the final one here So playground Sam
03:51
playground AWS cloud course dot dev and that is all three accounts now set up I mean
03:58
they're pending So we should see them down here in just a few moments So those have finished
04:02
being created There are the four accounts within the organization.
04:05
And now we can move on to actually setting up an IAM user so that we can log in to these accounts