Previously, we explored the benefits of the security and fault boundaries provided by AWS accounts, and provisioning accounts to match your use cases in order to operate safely in the Cloud. Today, we’ll explore the AWS Organizations service and why you should use it to manage your enterprise’s AWS accounts.
When you deploy distinct use cases into separate AWS accounts, you will accumulate AWS accounts quickly. Directors and VPs of the business units served by those accounts will thank you for their team’s increased autonomy. However, you’re likely to get frowns from the Finance folk if they receive 45 separate bills for AWS each month and spend a week figuring out which cost center each ties back to.
Herding Clouds
The AWS Organizations service helps you consolidate and manage a collection of AWS accounts at the enterprise level. From the user guide:
AWS Organizations is an account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage. AWS Organizations includes consolidated billing and account management capabilities that enable you to better meet the budgetary, security, and compliance needs of your business. As an administrator of an organization, you can create accounts in your organization and invite existing accounts to join the organization.
Let’s unpack this a bit. The way Organizations works is that an administrator creates an AWS Organization in what will become the ‘master’ account for the Organization. You should use a dedicated account for this purpose as the use case is narrow and very powerful. Like “all powerful.”
Once you have created the AWS Organization for your enterprise, you can invite existing accounts to join the organization or create new accounts directly from the master account. If you’re building out a new account model, it’s easier to provision new accounts from within the context of the Organization than to create them separately and join them later.
Within the Organization, you can create a hierarchy of Organizational Units (OUs) that accounts can be moved into. OUs aggregate accounts logically for billing, service control policy, and other purposes. Start your OU structure by mirroring the logical architecture of your AWS account design. For example, each business unit in the enterprise can have its own OU.
The screenshot shows QualiMente’s AWS organization, which is organized into Enterprise, Consulting, and Training OUs. Notice that a hierarchy is supported with ‘IAM Services’ belonging to the ‘Consulting’ OU.
Once AWS Accounts have been linked into an AWS Organization, several important features become available, starting with billing and cost management.
Simplifying Cost Accounting and Maximizing Discounts
When an account joins an AWS Organization, the charges for that account roll up to the ‘master’ account. This greatly simplifies billing, cost accounting, and even taking advantage of discounts.
The first big billing feature is that you receive a single bill instead of one for each account.
The second feature Finance will love is being able to break down spending across the Organization by linked account. Here is the ‘Bill details by account’ view in the Billing service for the QualiMente org:
This data, along with a whole bunch of contextual attributes, can be exported to CSV for analysis in your tool of choice. The AWS Cost Explorer provides a standard ‘Monthly Spend by Linked Account View’ report to perform an interactive analysis right in the AWS console.
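The following is an added example, not part of the original post: it rolls per-account charges from a CSV export up the OU hierarchy, so each OU total includes its nested OUs, and reports accounts on the bill that are not placed in any OU. The OU names come from the post; the account IDs, amounts and CSV column names are constructed assumptions.

```python
import csv
from collections import defaultdict
from decimal import Decimal

# Constructed OU tree (names from the post): child OU -> parent OU.
OU_PARENT = {"Enterprise": "Root", "Consulting": "Root",
             "Training": "Root", "IAM Services": "Consulting"}

# Constructed placement of accounts in OUs; the account IDs are made up.
ACCOUNT_OU = {"111111111111": "Enterprise", "222222222222": "Consulting",
              "333333333333": "IAM Services", "444444444444": "Training"}

# Constructed per-account export; column names are assumptions, not the
# exact headers of an AWS billing CSV.
SAMPLE_CSV = """linked_account_id,service,cost_usd
111111111111,EC2,120.50
222222222222,EC2,80.00
222222222222,S3,4.25
333333333333,RDS,310.10
444444444444,EC2,15.00
555555555555,EC2,9.99
"""


def rollup_by_ou(csv_text, account_ou=ACCOUNT_OU, ou_parent=OU_PARENT):
    """Return (total per OU including nested OUs, accounts with no OU)."""
    totals = defaultdict(Decimal)
    unplaced = set()
    for row in csv.DictReader(csv_text.splitlines()):
        account, cost = row["linked_account_id"], Decimal(row["cost_usd"])
        ou = account_ou.get(account)
        if ou is None:
            # Billed but not mapped to an OU: count at the root and report it.
            unplaced.add(account)
            ou = "Root"
        while ou is not None:
            # Walk up the hierarchy so each ancestor OU includes the charge.
            totals[ou] += cost
            ou = ou_parent.get(ou)
    return dict(totals), sorted(unplaced)


if __name__ == "__main__":
    totals, unplaced = rollup_by_ou(SAMPLE_CSV)
    for ou, total in sorted(totals.items()):
        print(f"{ou:14}{str(total):>10}")
    print("accounts not placed in an OU:", unplaced)
```

An account that shows up on the bill without an OU placement is worth a look from both Finance and Security, since nobody has yet decided which business unit owns it.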
The final Finance-friendly feature we’ll discuss is how Organizations affect discounts. Organizations aggregate spending from linked accounts into the master account. This means that the master account is usually the best place to apply that AWS discount or credit.
One significant and overlooked discount opportunity occurs with Reserved Instances (RIs). A reserved EC2 or RDS instance is an instance that you purchase for a one- or three-year term. In exchange for the extended commitment, you receive a discount of 40-60%. RIs are purchased and usable ‘in’ a specific account. A really valuable feature of Organizations is that if you purchase RIs in the master account, the discounts will be applied to the EC2 and RDS instance usage in the Organization’s linked accounts as it rolls up into the Organization’s bill.
Next Up
This post has explained how and why you should start using AWS Organizations, especially from a cost perspective. In the next post, we’ll explore how Organizations can help you manage and improve some aspects of Enterprise-wide security and compliance using some additional security features that can help keep the enterprise compliant with your industry’s standards.
#NoDrama