AWS whitepapers documentation change
Summary
Formatting changes including header adjustments (bold to markdown headers), URL fixes, and minor text corrections. Updated links to AWS Control Tower documentation and internal OU references.
Security assessment
Changes are structural (headers, links) or grammatical. No explicit security vulnerability fixes or new security guidance introduced. Security-related content (e.g., MFA, identity providers) was already present and only reformatted.
Diff
diff --git a/whitepapers/latest/organizing-your-aws-environment/implementation.md b/whitepapers/latest/organizing-your-aws-environment/implementation.md index 8a0893c7a..3056aa2a7 100644 --- a//whitepapers/latest/organizing-your-aws-environment/implementation.md +++ b//whitepapers/latest/organizing-your-aws-environment/implementation.md @@ -30 +30 @@ Your environment might start with a small number of accounts, and as the number -**Managing your own operations** +### Managing your own operations @@ -32 +32 @@ Your environment might start with a small number of accounts, and as the number -When starting on AWS, you should evaluate your business goals and determine your future operating model, and decide which technology to use when building your multi-account environment. If you are planning on managing your own environment, start by evaluating [AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-with-control-tower). +When starting on AWS, you should evaluate your business goals and determine your future operating model, and decide on which technology to use when building your multi- account environment. If you are planning on managing your own environment, start by evaluating [AWS Control Tower.](https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-with-control-tower) @@ -34 +34 @@ When starting on AWS, you should evaluate your business goals and determine your -AWS Control Tower is a service built based on the guidance included in this paper, making it the preferred solution for new-to-the-cloud customers looking for a service-managed environment. AWS Control Tower offers a simplified experience and automatically deploys your initial environment, helping you manage the multi-account environment efficiently, leveraging other AWS services. For a complete list of these services, refer to the [AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/how-control-tower-works) user guide. +AWS Control Tower is a service built based on the guidance included in this paper, making it the preferred solution for new-to-the-cloud customers looking for a service-managed environment. AWS Control Tower offers a simplified experience and automatically deploys your initial environment, helping you manage the multi-account environment efficiently, using other AWS services. For a complete list of these services, refer to the [AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-with-control-tower) user guide. @@ -36 +36 @@ AWS Control Tower is a service built based on the guidance included in this pape -**Operations managed by AWS or AWS Partners** +### Operations managed by AWS or AWS Partners @@ -38 +38 @@ AWS Control Tower is a service built based on the guidance included in this pape -AWS and Partners can help you operate, update, monitor, or deploy your environment and your workload infrastructure, with [AWS Managed Services](https://aws.amazon.com/managed-services/features/) and AWS Partners have offerings that can help with your operations. +AWS and AWS Partners can help you operate, update, monitor, or deploy your environment and your workload infrastructure, with [AWS Managed Services](https://aws.amazon.com/managed-services/features/) and AWS Partners have offerings that can help with your operations. @@ -40 +40 @@ AWS and Partners can help you operate, update, monitor, or deploy your environme -**Hybrid operations (mix of customer and AWS managed)** +### Hybrid operations (mix of customer and AWS managed) @@ -67 +67 @@ AWS has seen many challenges for customers because they have grown organically w -One of the foundational operational capabilities that will enable your ability to manage change effectively is to use infrastructure as code technologies and automation to build and deploy your workloads in AWS. This basic capability might be perceived as being part of your _[Infrastructure OU](./infrastructure-ou-and-accounts.html)_ , but these are foundational capabilities for all OUs. +One of the foundational operational capabilities that will enable your ability to manage change effectively is to use infrastructure as code technologies and automation to build and deploy your workloads in AWS. This basic capability might be perceived as being part of your [Infrastructure OU](./foundational-ous.html#infrastructure-ou), but these are foundational capabilities for all OUs. @@ -71 +71 @@ One of the foundational operational capabilities that will enable your ability t -Amazon has “commitment to operational excellence” as one of its four guiding principles of who we are. We have an operational model that enables rapid decisions and autonomy. The way you operate your business is a primary consideration in how you organize your environment. In many companies, this doesn’t change regularly, and changes should always be made with careful consideration of the business impact of the change. Your [Operating Model](https://docs.aws.amazon.com/wellarchitected/latest/operational-excellence-pillar/operating-model.html) could be aligned by business unit, regulatory restrictions, area of expertise, and/or organic growth. You might have a need for multiple operational models, for different businesses or business units. The ability for you to meet your goals using AWS is fundamentally affected by your ability to run your operational model. +Amazon has "commitment to operational excellence" as one of its four guiding principles of who we are. We have an operational model that enables rapid decisions and autonomy. The way you operate your business is a primary consideration in how you organize your environment. In many companies, this doesn't change regularly, and changes should always be made with careful consideration of the business impact of the change. Your [Operating Model](https://docs.aws.amazon.com/wellarchitected/latest/operational-excellence-pillar/operating-model.html) could be aligned by business unit, regulatory restrictions, area of expertise, and/or organic growth. You might have a need for multiple operational models, for different businesses or business units. The ability for you to meet your goals using AWS is fundamentally affected by your ability to run your operational model. @@ -75 +75 @@ Amazon has “commitment to operational excellence” as one of its four guiding -The _[Security OU and accounts](./security-ou-and-accounts.html)_ is a foundational OU. Using a central [identity provider](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html) enables you to centrally manage both the identities of the people and services that will need to access resources in your environment, and the permissions associated with that access. To prevent a single source of compromise, consider having more than one identity provider. If you do not currently have an identity provider, consider [AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-accounts.html). This also provides a central place to enforce multi-factor authentication and provide [ federated](https://aws.amazon.com/identity/federation/) access into your environment. Evaluate your capabilities and operational model between your [identity management](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/identity-management.html) and [Amazon S3](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/permissions-management.html) permissions management (also known as access controls). +The [Security OU](./foundational-ous.html#security-ou) is a foundational OU. Using a central [identity provider](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html) enables you to centrally manage both the identities of the people and services that will need to access resources in your environment, and the permissions associated with that access. To prevent a single source of compromise, consider having more than one identity provider. If you do not currently have an identity provider, consider [AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-accounts.html). This also provides a central place to enforce multi-factor authentication and provide [federated](https://aws.amazon.com/identity/federation/) access into your environment. Evaluate your capabilities and operational model between your [identity management](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/identity-management.html) and [Amazon S3](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/permissions-management.html) permissions management (also known as access controls). @@ -77 +77 @@ The _[Security OU and accounts](./security-ou-and-accounts.html)_ is a foundatio -Next, set up the security capabilities (for example: [centralized log storage](https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/centralized-logging-and-multiple-account-security-guardrails.html), encryption and [key management](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html), [secrets management](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html), and [incident response](https://docs.aws.amazon.com/wellarchitected/latest/framework/a-incident-response.html) capabilities) in the appropriate environment. You can then use these operational capabilities as you reorganize other parts of your operations. Decide if you want to have a security “read only” account to manage and use cross-account access in your environment, or use federated roles directly to access individual accounts in your environment. +Next, set up the security capabilities (for example: , encryption and [key management](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html), [secrets management](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html), and [incident response](https://docs.aws.amazon.com/wellarchitected/latest/framework/a-incident-response.html) capabilities) in the appropriate environment. You can then use these operational capabilities as you reorganize other parts of your operations. Decide if you want to have a security "rea[centralized log storage](https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/centralized-logging-and-multiple-account-security-guardrails.html)d only" account to manage and use cross-account access in your environment, or use federated roles directly to access individual accounts in your environment. @@ -83 +83 @@ The following capabilities can be built as you scale and deploy workloads, or in - * Data de-identification and data isolation (which is normally part of the individual workloads in your _[Workloads OU](./workloads-ou.html)_.) + * Data de-identification and data isolation (which is normally part of the individual workloads in your [Workloads OU](./application-ous.html#workloads-ou).) @@ -85 +85 @@ The following capabilities can be built as you scale and deploy workloads, or in - * Patching (which might use your _[Deployments OU](./deployments-ou.html)_ to patch golden machine and container images) + * Patching (which might use your [Deployments OU](./advanced-ous.html#deployments-ou) to patch golden machine and container images) @@ -96 +96 @@ Next, consider implementing hard isolation between your production environment a - * [Network connectivity](https://docs.aws.amazon.com/wellarchitected/latest/management-and-governance-lens/networkconnectivity.html), in your _Infrastructure OU and accounts_ and Workloads OU + * [Network connectivity](https://docs.aws.amazon.com/wellarchitected/latest/management-and-governance-lens/networkconnectivity.html), in your Infrastructure OU and accounts, and Workloads OU. @@ -102 +102 @@ Next, consider implementing hard isolation between your production environment a - * [Tagging](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html), in all OUs + * [Tagging,](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) in all OUs @@ -108 +108 @@ Next, consider implementing hard isolation between your production environment a - * Developer experience and tools, in your _[Sandbox OU](./sandbox-ou.html)_ , as well as in your Deployments and Workload OUs + * Developer experience and tools, in your [Sandbox OU](./experimental-ous.html#sandbox-ou), as well as in your Deployments and Workload OUs @@ -115 +115 @@ It is not uncommon to have basic connectivity to and from your local networks an -#### Networking considerations in a multi-account environment +### Networking considerations in a multi-account environment @@ -117 +117 @@ It is not uncommon to have basic connectivity to and from your local networks an -The number of VPCs a customer operates is usually related to the number of accounts, regulatory requirements (such as the payment card industry (PCI), and compliant/non-PCI compliant), and staged environments (such as prod, dev, and test). With an increasing number of VPCs (account isolated or not), give careful consideration to cross-VPC connectivity management. This is an essential part of the customer’s network operation. Additionally, IP address management becomes a key contributing factor to enabling scalability and future growth. You might consider designs that are built around IPv6 adoption that can be driven by the need to scale your network, or by a strategic initiative. Current recommendations for three specific areas in cross-VPC and hybrid connectivity can be grouped by: +The number of VPCs a customer operates is usually related to the number of accounts, regulatory requirements (such as the payment card industry (PCI), and compliant/non-PCI compliant), and staged environments (such as prod, dev, and test). With an increasing number of VPCs (account isolated or not), give careful consideration to cross-VPC connectivity management. This is an essential part of the customer's network operation. Additionally, IP address management becomes a key contributing factor to enabling scalability and future growth. You might consider designs that are built around IPv6 adoption that can be driven by the need to scale your network, or by a strategic initiative. Current recommendations for three specific areas in cross-VPC and hybrid connectivity can be grouped by: @@ -121 +121 @@ The number of VPCs a customer operates is usually related to the number of accou - * **Network security** — Building [centralized](https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/infrastructure-ou-and-accounts.html) or distributed inspection points for accessing the internet and VPC-to-VPC traffic needs to account for the different options, such as [AWS Network Firewall](https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html), [AWS Gateway Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/gateway/introduction.html), and [AWS Web Application Firewall](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html). + * **Network security** — Building [centralized](./foundational-ous.html#infrastructure-ou) or distributed inspection points for accessing the internet and VPC-to-VPC traffic needs to account for the different options, such as [AWS Network Firewall](https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html), [AWS Gateway Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/gateway/introduction.html), and [AWS Web Application Firewall](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html). @@ -123 +123 @@ The number of VPCs a customer operates is usually related to the number of accou - * **DNS management** — Resolving DNS within the AWS and hybrid environments at scale involves both right-sizing and choosing the deployment model that best suits the organization’s scaling and growth goals. Inbound and outbound Route 53 Resolver endpoints can be centralized or distributed, depending on the operations and management models, and involve different needs across the AWS network environment. + * **DNS management** — Resolving DNS within the AWS and hybrid environments at scale involves both right-sizing and choosing the deployment model that best suits the organization's scaling and growth goals. Inbound and outbound Route 53 Resolver endpoints can be centralized or distributed, depending on the operations and management models, and involve different needs across the AWS network environment. @@ -130 +130 @@ The number of VPCs a customer operates is usually related to the number of accou -To achieve agility and autonomy, your environment will separate into organizational boundaries. Align your workload environments (both production and non-production) with these organizational boundaries to ensure you enable further agility and autonomy. As you grow and expand, it is common to create new boundaries and move workloads to ensure you continue to have these business capabilities. This could further affect your operational capabilities, such as [backups and disaster recovery](https://docs.aws.amazon.com/wellarchitected/latest/framework/a-failure-management.html), [support](https://docs.aws.amazon.com/wellarchitected/latest/operational-excellence-pillar/operate.html), template management, records management, and sorting and searching via metadata in your workloads OU. Consider centralizing the management of these capabilities to simplify the realignment. You can use [tag policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html) as a means to classify the workloads. You can [use AWS Backup](https://docs.aws.amazon.com/aws-backup/latest/devguide/create-cross-account-backup.html) to [back up to a designated location](https://docs.aws.amazon.com/aws-backup/latest/devguide/manage-cross-account.html) in your environment and allow you to [centralize protection and monitoring](https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-backup.html) of your backups. +To achieve agility and autonomy, your environment will separate into organizational boundaries. Align your workload environments (both production and non-production) with these organizational boundaries to ensure you enable further agility and autonomy. As you grow and expand, it is common to create new boundaries and move workloads to ensure you continue to have these business capabilities. This could further affect your operational capabilities, such as [backups and disaster recovery](https://docs.aws.amazon.com/wellarchitected/latest/framework/a-failure-management.html), [support](https://docs.aws.amazon.com/wellarchitected/latest/operational-excellence-pillar/operate.html), template management, records management, and sorting and searching via metadata in your workloads OU. Consider centralizing the management of these capabilities to simplify the realignment. You can use tag policies as a means to classify the workloads. You can use [tag policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html) as a means to classify the workloads. You can [use AWS Backup](https://docs.aws.amazon.com/aws-backup/latest/devguide/create-cross-account-backup.html) to [back up to a designated location](https://docs.aws.amazon.com/aws-backup/latest/devguide/manage-cross-account.html) in your environment and allow you to [centralize protection and monitoring](https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-backup.html) of your backups. @@ -134 +134 @@ To achieve agility and autonomy, your environment will separate into organizatio -You should consider creating an _[Exceptions OU](./exceptions-ou.html)_. Also, consider creating a _[Policy Staging OU](./policy-staging-ou.html)_. As your business might either acquire or divest parts of your business, consider having a _[Transitional OU](./transitional-ou.html)_ to enable an area to change the policies to align with new requirements. As you deprecate accounts, you will want a _[Suspended OU](./suspended-ou.html)_ to contain these accounts until you are comfortable having them permanently removed. You should consider creating a _[Business Users OU](./individual-business-users-ou.html)_ to enable business users and teams who need access to manage AWS resources directly, rather than management by the Workload OU. +You should consider creating an [Exceptions OU](./procedural-ous.html#exceptions-ou). Also, consider creating a [Policy Staging OU](./procedural-ous.html#policy-staging-ou). As your business might either acquire or divest parts of your business, consider having a [Transitional OU](./procedural-ous.html#transitional-ou) to enable an area to change the policies to align with new requirements. As you deprecate accounts, you will want a [Suspended OU](./procedural-ous.html#suspended-ou) to contain these accounts until you are comfortable having them permanently removed. You should consider creating a [Individual Business Users OU](./advanced-ous.html#individual-business-users-ou) to enable business users and teams who need access to manage AWS resources directly, rather than management by the Workload OU. @@ -138 +138 @@ You should consider creating an _[Exceptions OU](./exceptions-ou.html)_. Also, c -The reorganization will require movement of accounts, or migrations of workloads between accounts if you have deployed workloads in accounts that don’t align with your desired operational model. There are mechanisms to [ move accounts between organizations and organizational units](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_ous.html#move_account_to_ou), but if your new approach indicates some workloads in an account should belong to one organizational unit and other workloads belong to another organizational unit, you will have misalignment. To align the accounts with the operational model, you will have to migrate workloads between existing accounts, or to new accounts. The methods and capabilities to migrate between accounts are similar to [ accomplish these migrations](https://aws.amazon.com/prescriptive-guidance/). +The reorganization will require movement of accounts, or migrations of workloads between accounts if you have deployed workloads in accounts that don't align with your desired operational model. There are mechanisms to [move accounts between organizations and organizational units](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_ous.html#move_account_to_ou), but if your new approach indicates some workloads in an account should belong to one organizational unit and other workloads belong to another organizational unit, you will have misalignment. To align the accounts with the operational model, you will have to migrate workloads between existing accounts, or to new accounts. The methods and capabilities to migrate between accounts are similar to [accomplish these migrations.](https://aws.amazon.com/prescriptive-guidance/) @@ -146 +146 @@ AWS Organizations provides the underlying infrastructure and capabilities for cu -AWS has the following resources available to help you establish your multi-account environment using AWS Organizations: +AWS has the following resources available for help you establish your multi-account environment using AWS Organizations: @@ -163 +163 @@ AWS Control Tower provides a simplified way to set up and govern a secure, multi -The OU structure that AWS Control Tower initially deploys is slightly different from the guidance in this paper, review [Establish your multi-account environment with AWS Control Tower](https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/establish-your-multi-account-environment-with-control-tower.html) for a detailed implementation and mapping between the AWS Control Tower implementation and the guidance offered in this paper. +The OU structure that AWS Control Tower initially deploys is slightly different from the guidance in this paper, review [AWS multi-account environment with Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/aws-multi-account-landing-zone.html) for a detailed implementation and mapping between the AWS Control Tower implementation and the guidance offered in this paper. @@ -165 +165 @@ The OU structure that AWS Control Tower initially deploys is slightly different -AWS has the following resources available to help you establish your multi-account environment using AWS Control Tower: +AWS has the following resources available for help you establish your multi-account environment using AWS Control Tower: @@ -178 +178 @@ AWS Managed Services (AMS) uses AWS services and a growing library of automation -For additional information, refer to [AWS Managed Services features](https://aws.amazon.com/managed-services/features/). +For additional information, refer to [AWS Managed Services features.](https://aws.amazon.com/managed-services/features/)