# Chapter 48: Multi-Region & Multi-Account Strategies

*Enterprise AWS Architecture Patterns*

## 48.1 Overview

Multi-region and multi-account strategies are the foundation of enterprise AWS deployments. An AWS account is the strongest isolation boundary the platform offers (its own IAM principals, service quotas, billing line and blast radius), so accounts are used to separate environments, teams and security functions. Regions are used for data residency, latency to users and disaster recovery. Both are tied together under AWS Organizations so that policy, networking, logging and security tooling can be applied centrally instead of per account.
The enterprise strategy rests on four pillars:

- Multi-account: isolate workloads, govern them centrally, and scale by adding accounts rather than growing one.
- Multi-region: global presence, disaster recovery and lower latency.
- Network hub: a Transit Gateway in a dedicated network account connecting every spoke VPC and the on-premises estate.
- Security controls: Service Control Policies, GuardDuty and Security Hub administered from a dedicated security account.

### Key Concepts

| Concept | Description |
|---|---|
| AWS Organizations | Manages multiple AWS accounts under one management account; consolidates billing and enables organization-wide policies and delegated administration of security services |
| Organizational Units | Hierarchical groups of accounts; a policy attached to an OU is inherited by every account beneath it |
| Service Control Policies | Set the maximum permissions available in member accounts; they filter what IAM can grant but grant nothing themselves and do not apply to the management account |
| Landing Zone | Automated, opinionated multi-account baseline (accounts, OUs, logging, guardrails), typically provisioned with AWS Control Tower |
## 48.2 Multi-Account Strategy

### Account Structure

A typical organization is laid out as follows:

- Management account (payer)
  - Billing and payment
  - Organization management (OUs, SCPs, delegated administrators)
  - Reserved Instance and Savings Plan management
  - Nothing else: SCPs do not apply to the management account, so a compromise there is a compromise of the whole organization. Keep workloads and day-to-day users out of it.
- Security OU
  - Security account (audit): delegated administrator for Security Hub, GuardDuty, Detective, Inspector and IAM Access Analyzer
  - Log archive account: centralized, write-once storage for CloudTrail, Config and VPC Flow Logs
- Shared Services OU
  - Network account (hub): Transit Gateway, Direct Connect, central DNS and egress
  - Shared services account: directory services, CI/CD tooling, shared AMIs
- Workloads OU
  - Development accounts
  - Testing accounts
  - Production accounts (usually in their own child OU so stricter SCPs can be attached to them alone)
- Sandbox OU
  - Experimentation accounts
  - Proof-of-concept accounts (no production data, no attachment to the network hub, spending limits enforced)

### Account Types

| Account Type | Purpose |
|---|---|
| Management | Billing, organization management |
| Security | Security Hub and GuardDuty delegated administrator, aggregated findings |
| Log Archive | Centralized, write-once log storage |
| Network | Transit Gateway, DNS, VPN and Direct Connect |
| Shared Services | Common services, AMI sharing |
| Development | Application development |
| Testing | QA and testing environments |
| Production | Production workloads |
| Sandbox | Experiments, POCs |
### AWS Organizations Configuration

The organization and its OUs can be declared in CloudFormation from the management account. The template must be deployed in an account that is not yet a member of an organization; where one already exists, import the existing organization resource instead of creating it.

```yaml
# Organization structure (deployed in the management account)
Resources:
  Organization:
    Type: AWS::Organizations::Organization
    Properties:
      FeatureSet: ALL            # ALL is required for SCPs and delegated administrators

  # Top-level organizational units
  SecurityOU:
    Type: AWS::Organizations::OrganizationalUnit
    Properties:
      Name: Security
      ParentId: !GetAtt Organization.RootId

  SharedServicesOU:
    Type: AWS::Organizations::OrganizationalUnit
    Properties:
      Name: SharedServices
      ParentId: !GetAtt Organization.RootId

  WorkloadsOU:
    Type: AWS::Organizations::OrganizationalUnit
    Properties:
      Name: Workloads
      ParentId: !GetAtt Organization.RootId

  SandboxOU:
    Type: AWS::Organizations::OrganizationalUnit
    Properties:
      Name: Sandbox
      ParentId: !GetAtt Organization.RootId

  # Environment OUs under Workloads, so production can carry stricter SCPs
  DevelopmentOU:
    Type: AWS::Organizations::OrganizationalUnit
    Properties:
      Name: Development
      ParentId: !Ref WorkloadsOU

  ProductionOU:
    Type: AWS::Organizations::OrganizationalUnit
    Properties:
      Name: Production
      ParentId: !Ref WorkloadsOU
```
## 48.3 Service Control Policies

### SCP Structure

SCPs are evaluated along the path from the organization root down to the account. An action is available in an account only if the SCPs at every level of that path allow it and none of them denies it; the effective permission set is the intersection of all levels. The default policy FullAWSAccess allows everything, so in practice guardrails are written as explicit Deny statements attached to OUs.

Policy inheritance for a production account:

- Organization root: FullAWSAccess (default)
- Production OU: DenyExpensiveServices, RequireEncryption
- Production account: effective policies are FullAWSAccess, DenyExpensiveServices and RequireEncryption, all inherited

Two caveats apply. SCPs grant no permissions, so an IAM identity policy is still required for every action, and SCPs have no effect on the management account or on service-linked roles.
### SCP Examples

Deny costly analytics services to everyone except principals tagged as the data team (`es:*` is the prefix for Amazon OpenSearch Service). The exemption relies on a principal tag, so the organization must also stop users from tagging themselves (deny `iam:TagRole` and `iam:TagUser` outside an administrative role), otherwise the guardrail is bypassable.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyExpensiveServices",
      "Effect": "Deny",
      "Action": ["redshift:*", "cloudsearch:*", "es:*"],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {"aws:PrincipalTag/Role": "DataTeam"}
      }
    }
  ]
}
```

Require encryption at rest. Each service exposes its own condition key, and a key is only present on requests to that service, so a single statement that lists all three keys under one `Bool` block never matches (every key in a block must be present and match). The requirement is therefore one statement per service. Note also that `s3:x-amz-server-side-encryption` is a string (`AES256` or `aws:kms`), not a boolean, and that `ec2:Encrypted` is evaluated against the volume resource, not the instance. Uploads that omit the header are denied too; that is intended, since S3 applies SSE-S3 by default and this policy insists on KMS. Aurora sets encryption at the cluster level, so it needs a matching statement on `rds:CreateDBCluster`.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireKmsOnS3Uploads",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::*/*",
      "Condition": {
        "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}
      }
    },
    {
      "Sid": "RequireEncryptedRdsStorage",
      "Effect": "Deny",
      "Action": "rds:CreateDBInstance",
      "Resource": "arn:aws:rds:*:*:db:*",
      "Condition": {
        "Bool": {"rds:StorageEncrypted": "false"}
      }
    },
    {
      "Sid": "RequireEncryptedEbsVolumes",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:volume/*",
      "Condition": {
        "Bool": {"ec2:Encrypted": "false"}
      }
    }
  ]
}
```

Restrict activity to an approved set of regions. `aws:RequestedRegion` is set on every API call, including calls to global services such as IAM, STS, Route 53 and CloudFront, which report `us-east-1`; because `us-east-1` is in the allowlist below, those services keep working. If `us-east-1` is not an approved region, exempt the global services with `NotAction` instead of using `"Action": "*"`. It is also good practice to exempt an organization break-glass role (an `ArnNotLike` condition on `aws:PrincipalARN`) so that a mistake in this policy cannot lock administrators out.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRegions",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["us-east-1", "us-west-2", "eu-west-1"]
        }
      }
    }
  ]
}
```
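The evaluation rule above (allowed at every level of the root to account path, denied at none) is easy to get wrong when several OUs and negated conditions are involved, so the following model lets you test a request against a policy chain before attaching it. It is an added example written for this chapter, not AWS code and not a full IAM simulator: it implements only the grammar the policies above use (Action/NotAction and Resource wildcards; StringEquals, StringNotEquals, Bool and ArnNotLike conditions; and the IAM rule that negated operators match when the context key is absent). IAM identity policies, permission boundaries and resource policies are out of scope, and the `OrgBreakGlass` role, account IDs and ARNs are constructed for the example.

```python
"""Model of SCP evaluation along the OU path (added example, not AWS code)."""
import fnmatch

FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Sid": "FullAWSAccess", "Effect": "Allow", "Action": "*", "Resource": "*"}]}

DENY_REGIONS = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyRegions", "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {
        "StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "us-west-2", "eu-west-1"]},
        # hypothetical break-glass role, exempted so a bad SCP cannot lock admins out
        "ArnNotLike": {"aws:PrincipalARN": "arn:aws:iam::*:role/OrgBreakGlass"}}}]}

REQUIRE_KMS_ON_S3 = {"Version": "2012-10-17", "Statement": [{
    "Sid": "RequireKmsOnS3", "Effect": "Deny", "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::*/*",
    "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}}]}

DENY_UNENCRYPTED_EBS = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyUnencryptedEbs", "Effect": "Deny", "Action": "ec2:RunInstances",
    "Resource": "arn:aws:ec2:*:*:volume/*",
    "Condition": {"Bool": {"ec2:Encrypted": "false"}}}]}

# SCPs attached at each level: root -> Workloads OU -> Production OU (nothing extra on
# the account itself), and the shorter root -> Sandbox OU path.
PRODUCTION_PATH = [[FULL_AWS_ACCESS, DENY_REGIONS], [FULL_AWS_ACCESS],
                   [FULL_AWS_ACCESS, REQUIRE_KMS_ON_S3, DENY_UNENCRYPTED_EBS]]
SANDBOX_PATH = [[FULL_AWS_ACCESS, DENY_REGIONS], [FULL_AWS_ACCESS]]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Every operator block and every key inside it must match for the statement to apply."""
    for operator, keys in (condition or {}).items():
        negated = "Not" in operator                      # StringNotEquals, ArnNotLike
        for key, expected in keys.items():
            expected = [str(v) for v in _as_list(expected)]
            actual = context.get(key)
            if actual is None:                           # key absent from the request
                if negated:
                    continue                             # ...Not* operators still match
                return False
            actual = str(actual)
            if operator.startswith("Arn"):
                hit = any(fnmatch.fnmatchcase(actual, pattern) for pattern in expected)
            elif operator == "Bool":
                hit = actual.lower() in [v.lower() for v in expected]
            else:
                hit = actual in expected
            if hit == negated:
                return False
    return True


def _statement_applies(statement, request):
    """Action, Resource and Condition all have to match (wildcards are case-insensitive here)."""
    def match(value, patterns):
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))

    if "Action" in statement and not match(request["action"], statement["Action"]):
        return False
    if "NotAction" in statement and match(request["action"], statement["NotAction"]):
        return False
    if not match(request["resource"], statement.get("Resource", "*")):
        return False
    return _condition_matches(statement.get("Condition"), request.get("context", {}))


def evaluate(path, request):
    """Walk the OU path from the root; return (permitted, reason)."""
    for depth, policies in enumerate(path):
        allowed = False
        for policy in policies:
            for statement in _as_list(policy["Statement"]):
                if not _statement_applies(statement, request):
                    continue
                if statement["Effect"] == "Deny":        # any Deny at a level wins
                    return False, f"explicit deny by {statement['Sid']} at level {depth}"
                allowed = True
        if not allowed:                                  # no Allow at this level
            return False, f"no SCP allows the action at level {depth}"
    return True, "allowed at every level"


def make_request(action, resource, context):
    return {"action": action, "resource": resource, "context": context}


if __name__ == "__main__":
    bucket_obj = "arn:aws:s3:::app-data/report.csv"
    print(evaluate(PRODUCTION_PATH, make_request("s3:PutObject", bucket_obj,
          {"aws:RequestedRegion": "us-east-1", "s3:x-amz-server-side-encryption": "aws:kms"})))
    print(evaluate(PRODUCTION_PATH, make_request("s3:PutObject", bucket_obj,
          {"aws:RequestedRegion": "us-east-1"})))   # no header -> denied
    print(evaluate(PRODUCTION_PATH, make_request("ec2:RunInstances",
          "arn:aws:ec2:ap-south-1:123456789012:instance/i-0abc",
          {"aws:RequestedRegion": "ap-south-1",
           "aws:PrincipalARN": "arn:aws:iam::123456789012:role/Developer"})))
```

The second request shows the behaviour that surprises most people: a `StringNotEquals` condition is satisfied when the key is missing, so an upload that simply omits the encryption header is denied, which is exactly what the policy wants. Swap the path for `SANDBOX_PATH` and the same upload is allowed, because the encryption SCP is attached only under Workloads.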
### SCP Deployment

SCPs are CloudFormation resources in the management account; `TargetIds` attaches each policy to the OUs it governs. The `Content` is the policy JSON as a string.

```yaml
# SCP deployment (management account)
Resources:
  DenyExpensiveServicesSCP:
    Type: AWS::Organizations::Policy
    Properties:
      Name: DenyExpensiveServices
      Description: Deny access to expensive services
      Type: SERVICE_CONTROL_POLICY
      Content: |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "DenyExpensiveServices",
              "Effect": "Deny",
              "Action": ["redshift:*", "cloudsearch:*"],
              "Resource": "*"
            }
          ]
        }
      TargetIds:
        - !Ref SandboxOU

  RequireEncryptionSCP:
    Type: AWS::Organizations::Policy
    Properties:
      Name: RequireEncryption
      Description: Require KMS encryption for S3 uploads
      Type: SERVICE_CONTROL_POLICY
      Content: |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "RequireEncryption",
              "Effect": "Deny",
              "Action": ["s3:PutObject"],
              "Resource": "*",
              "Condition": {
                "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}
              }
            }
          ]
        }
      TargetIds:
        - !Ref ProductionOU
```
## 48.4 Multi-Region Architecture

### Region Selection

Four criteria drive the choice of regions:

- Latency: choose regions closest to users, measure network latency rather than assuming it, and put CloudFront in front for global distribution of cacheable content.
- Compliance: data residency requirements, regulatory regimes such as GDPR and HIPAA, and industry-specific rules dictate where data may be stored and processed, and therefore where replicas may go.
- Service availability: not every service or instance type exists in every region, and new features usually reach the largest regions first; check the regional services list before committing. Pricing also differs by region.
- Cost: per-unit prices vary by region, inter-region data transfer is billed, and Reserved Instance and Savings Plan availability differs.

### Multi-Region Architecture Patterns

Pattern 1, global application with regional data: Route 53 directs each user to the US, EU or APAC deployment, and each region keeps its own local database. Data never leaves its region, which is the simplest way to satisfy residency requirements, at the cost of no cross-region failover for that data.

Pattern 2, active-active multi-region: Route 53 latency-based routing sends users to the nearest of the US, EU and APAC deployments, which share one Aurora Global Database (one writer region, read-only secondaries elsewhere). Any region can serve reads and a secondary can be promoted if the primary region fails. Writes still go to the primary region, so the application must tolerate cross-region write latency or forward writes, and because the data is replicated into every participating region the pattern must be reconciled with residency rules before it is adopted.
### Global Database Configuration

The primary-region stack creates the global cluster and its writer cluster. `DBSubnetGroup`, `DBSecurityGroup` and `DatabaseKmsKey` are assumed to be defined elsewhere in the same template. The global cluster itself carries no database name or credentials; those belong to the primary DB cluster.

```yaml
# Aurora Global Database: primary region stack (us-east-1)
Resources:
  GlobalCluster:
    Type: AWS::RDS::GlobalCluster
    Properties:
      GlobalClusterIdentifier: app-global-cluster
      Engine: aurora-postgresql
      EngineVersion: "14.7"
      StorageEncrypted: true           # replicated storage is encrypted in every region
      DeletionProtection: true

  # Primary (writer) cluster; it becomes the global cluster's primary member
  PrimaryCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      GlobalClusterIdentifier: !Ref GlobalCluster
      Engine: aurora-postgresql
      EngineVersion: "14.7"
      DatabaseName: appdb
      MasterUsername: appadmin
      ManageMasterUserPassword: true   # password generated and rotated in Secrets Manager
      StorageEncrypted: true
      KmsKeyId: !Ref DatabaseKmsKey    # KMS keys are regional; the secondary needs its own key
      DBClusterParameterGroupName: default.aurora-postgresql14
      DBSubnetGroupName: !Ref DBSubnetGroup
      VpcSecurityGroupIds:
        - !Ref DBSecurityGroup
      EnableCloudwatchLogsExports:
        - postgresql
      DeletionProtection: true

  PrimaryInstance1:
    Type: AWS::RDS::DBInstance
    Properties:
      DBClusterIdentifier: !Ref PrimaryCluster
      Engine: aurora-postgresql
      DBInstanceClass: db.r6g.xlarge
      AvailabilityZone: us-east-1a

  PrimaryInstance2:
    Type: AWS::RDS::DBInstance
    Properties:
      DBClusterIdentifier: !Ref PrimaryCluster
      Engine: aurora-postgresql
      DBInstanceClass: db.r6g.xlarge
      AvailabilityZone: us-east-1b

  # Secondary cluster: created by a separate stack deployed in eu-west-1. It
  # references the same GlobalClusterIdentifier, omits DatabaseName and
  # MasterUsername (they arrive through replication) and uses a KMS key that
  # exists in eu-west-1. CloudFormation has no per-resource Region property.
  # SecondaryCluster:
  #   Type: AWS::RDS::DBCluster
  #   Properties:
  #     GlobalClusterIdentifier: app-global-cluster
  #     Engine: aurora-postgresql
  #     EngineVersion: "14.7"
  #     KmsKeyId: !Ref SecondaryRegionKmsKey
  #     DBSubnetGroupName: !Ref DBSubnetGroup
```
### DynamoDB Global Tables

A global table is declared once, in the stack of one replica region; CloudFormation creates the other replicas from there. Streams with `NEW_AND_OLD_IMAGES` are mandatory for replication, and concurrent writes to the same item in different regions resolve last-writer-wins, so the application must tolerate that or route writes for a given key to one region.

```yaml
# DynamoDB global table (deployed in one of the replica regions)
Resources:
  GlobalTable:
    Type: AWS::DynamoDB::GlobalTable
    Properties:
      TableName: ApplicationData
      AttributeDefinitions:
        - AttributeName: PK
          AttributeType: S
        - AttributeName: SK
          AttributeType: S
      KeySchema:
        - AttributeName: PK
          KeyType: HASH
        - AttributeName: SK
          KeyType: RANGE
      BillingMode: PAY_PER_REQUEST
      StreamSpecification:
        StreamViewType: NEW_AND_OLD_IMAGES   # required for replication
      Replicas:
        - Region: us-east-1
          PointInTimeRecoverySpecification:
            PointInTimeRecoveryEnabled: true
        - Region: eu-west-1
          PointInTimeRecoverySpecification:
            PointInTimeRecoveryEnabled: true
        - Region: ap-southeast-1
          PointInTimeRecoverySpecification:
            PointInTimeRecoveryEnabled: true
```
## 48.5 Network Hub Architecture

### Centralized Network Hub

The network account owns the connectivity shared by every workload account:

- Transit Gateway: central routing and the cross-account attachment point for all spoke VPCs.
- Direct Connect gateway (and site-to-site VPN): on-premises connectivity, terminated once in the hub rather than once per account.
- A shared VPC in the hub holding the firewall subnets, VPN subnets and centralized NAT gateways, so internet egress and traffic between spokes can be inspected in one place.

Dev, test and prod accounts are spokes: each attaches its VPC to the Transit Gateway (shared with them through AWS RAM) and routes non-local traffic to it. Because spokes never peer with each other directly, the Transit Gateway route tables decide which environments can reach which, which makes segmentation a hub configuration concern rather than something an individual account can opt out of.
### Transit Gateway Configuration

```yaml
# Transit Gateway (network hub account)
Resources:
  TransitGateway:
    Type: AWS::EC2::TransitGateway
    Properties:
      Description: Central Transit Gateway
      AmazonSideAsn: 64512
      # With the three settings below every shared attachment is accepted
      # automatically and placed in one route table that learns every VPC's
      # CIDR, i.e. a full mesh between dev, test and prod. For segmentation set
      # all three to disable and associate each attachment with a
      # per-environment route table explicitly.
      AutoAcceptSharedAttachments: enable
      DefaultRouteTableAssociation: enable
      DefaultRouteTablePropagation: enable
      DnsSupport: enable
      VpnEcmpSupport: enable
      Tags:
        - Key: Name
          Value: Central-TGW

  # Transit Gateway route table
  TransitGatewayRouteTable:
    Type: AWS::EC2::TransitGatewayRouteTable
    Properties:
      TransitGatewayId: !Ref TransitGateway
      Tags:
        - Key: Name
          Value: Main-RouteTable

  # Share the Transit Gateway with spoke accounts. DevelopmentAccountId and
  # ProductionAccountId are template parameters; with RAM sharing enabled for
  # Organizations, an OU ARN can be listed instead so new accounts are covered.
  TransitGatewayShare:
    Type: AWS::RAM::ResourceShare
    Properties:
      Name: TransitGateway-Share
      ResourceArns:
        - !Sub "arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:transit-gateway/${TransitGateway}"
      Principals:
        - !Ref DevelopmentAccountId
        - !Ref ProductionAccountId
      Tags:
        - Key: Name
          Value: TGW-Share
```
### VPC Attachment

Each spoke account attaches its VPC to the shared Transit Gateway and sends all non-local traffic to it, so egress and inspection happen in the hub. `TransitGatewayId` is a parameter holding the ID of the gateway received through RAM.

```yaml
# VPC attachment (in a spoke account)
Resources:
  TransitGatewayAttachment:
    Type: AWS::EC2::TransitGatewayVpcAttachment
    Properties:
      TransitGatewayId: !Ref TransitGatewayId   # shared through RAM
      VpcId: !Ref VPC
      SubnetIds:                                # one subnet per AZ the VPC uses
        - !Ref SubnetA
        - !Ref SubnetB
        - !Ref SubnetC
      Tags:
        - Key: Name
          Value: Spoke-Attachment

  # Default route to the Transit Gateway (central NAT/firewall handles egress)
  RouteToTGW:
    Type: AWS::EC2::Route
    DependsOn: TransitGatewayAttachment
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      TransitGatewayId: !Ref TransitGatewayId
```
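Whether the spokes above are isolated from each other is decided entirely by the Transit Gateway route tables, which is easy to lose sight of in a template. The following model, an added example written for this chapter rather than code from the page or from AWS, computes which VPCs can talk to each other under two layouts: `flat` is the chapter's `DefaultRouteTableAssociation`/`DefaultRouteTablePropagation: enable` configuration, where every attachment shares one table, and `segmented` associates prod and non-prod attachments with separate tables that learn only the shared-services CIDR, while the shared-services table learns every spoke. The VPC names and CIDRs are constructed; static routes and blackholes are not modelled.

```python
"""Reachability model for Transit Gateway route tables (added example)."""
import ipaddress


class TgwRouteTable:
    """One TGW route table: destination prefix -> attachment name."""

    def __init__(self, name):
        self.name = name
        self.routes = {}

    def propagate(self, attachment, cidr):
        # Propagation installs the attachment's CIDR pointing back at that attachment.
        self.routes[ipaddress.ip_network(cidr)] = attachment

    def lookup(self, address):
        """Longest-prefix match, as the TGW does; None when no route covers the address."""
        matches = [(net.prefixlen, att) for net, att in self.routes.items() if address in net]
        return max(matches)[1] if matches else None


# Constructed spoke and hub VPC CIDRs (one TGW attachment per VPC).
VPCS = {
    "dev": "10.10.0.0/16",
    "test": "10.20.0.0/16",
    "prod": "10.30.0.0/16",
    "shared": "10.0.0.0/16",
}


def build_tables(layout):
    """Return {attachment: associated route table} for the given layout."""
    association = {}
    if layout == "flat":
        main = TgwRouteTable("Main")
        for name, cidr in VPCS.items():
            association[name] = main          # default association
            main.propagate(name, cidr)        # default propagation
    elif layout == "segmented":
        nonprod, prod, shared = (TgwRouteTable(n) for n in ("NonProd", "Prod", "Shared"))
        association.update(dev=nonprod, test=nonprod, prod=prod, shared=shared)
        for table in (nonprod, prod):
            table.propagate("shared", VPCS["shared"])   # spokes learn only the hub
        for name, cidr in VPCS.items():
            if name != "shared":
                shared.propagate(name, cidr)            # hub learns every spoke
    else:
        raise ValueError(f"unknown layout {layout!r}")
    return association


def can_reach(association, src, dst):
    """True only if both the forward and the return lookup succeed (the TGW is stateless)."""
    src_ip = ipaddress.ip_network(VPCS[src]).network_address + 10
    dst_ip = ipaddress.ip_network(VPCS[dst]).network_address + 10
    forward = association[src].lookup(dst_ip) == dst
    back = association[dst].lookup(src_ip) == src
    return forward and back


def reachability_matrix(layout):
    """{(src, dst): bool} for every ordered pair of distinct VPCs."""
    association = build_tables(layout)
    return {(s, d): can_reach(association, s, d) for s in VPCS for d in VPCS if s != d}


if __name__ == "__main__":
    for layout in ("flat", "segmented"):
        matrix = reachability_matrix(layout)
        reachable = sorted(f"{s}->{d}" for (s, d), ok in matrix.items() if ok)
        print(f"{layout:9s} {len(reachable):2d} reachable pairs: {', '.join(reachable)}")
```

With the flat layout all twelve ordered pairs are reachable, so a compromised dev instance has a network path to prod; with the segmented layout only the six spoke-to-hub pairs remain, and east-west traffic between environments has to pass through an inspection VPC in the hub if it is to exist at all.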
## 48.6 Centralized Logging

### Log Aggregation Architecture

Logs and metrics from every account flow into the log archive account, which holds two things: an S3 bucket that is the long-term archive for CloudTrail, CloudWatch Logs exports, VPC Flow Logs and application logs, and an OpenSearch domain for log analytics, dashboards and alerting. Dev, test and prod accounts can write to the archive but cannot read it back or delete from it, so a compromised workload account cannot erase the evidence of its own compromise; analysts work from the security account, which has read access.
### CloudTrail Organization Trail

An organization trail is created in the management account (or the CloudTrail delegated administrator) and delivers events from every member account, including accounts added later, to a bucket in the log archive account. The two halves therefore live in different accounts; they are shown in one listing for readability. `LogKMSKey`, `CloudWatchLogGroup` and `CloudWatchLogsRole` are assumed to be defined elsewhere, the KMS key policy must allow `cloudtrail.amazonaws.com` to use the key, and `ManagementAccountId` is a parameter.

```yaml
# Organization CloudTrail (management account) and log archive bucket (log archive account)
Parameters:
  ManagementAccountId:
    Type: String
    Description: Account that owns the organization trail

Resources:
  OrganizationTrail:
    Type: AWS::CloudTrail::Trail
    DependsOn: LogArchiveBucketPolicy        # CloudTrail validates the bucket policy on creation
    Properties:
      TrailName: OrganizationTrail
      IsLogging: true
      IsOrganizationTrail: true
      IsMultiRegionTrail: true
      EnableLogFileValidation: true          # hourly SHA-256 digest files detect tampering with delivered logs
      IncludeGlobalServiceEvents: true
      S3BucketName: !Ref LogArchiveBucket
      S3KeyPrefix: cloudtrail
      KMSKeyId: !Ref LogKMSKey
      CloudWatchLogsLogGroupArn: !GetAtt CloudWatchLogGroup.Arn
      CloudWatchLogsRoleArn: !GetAtt CloudWatchLogsRole.Arn   # Ref on an IAM role returns its name, not its ARN
      Tags:
        - Key: Name
          Value: Organization-Trail

  LogArchiveBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub organization-log-archive-${AWS::AccountId}   # bucket names are global; the suffix avoids collisions
      VersioningConfiguration:
        Status: Enabled
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: !Ref LogKMSKey
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      LifecycleConfiguration:
        Rules:
          - Id: ArchiveOldLogs
            Status: Enabled
            Transitions:
              - TransitionInDays: 90
                StorageClass: GLACIER
            ExpirationInDays: 365            # set to the longest retention any applicable regulation requires

  # Bucket policy for CloudTrail. The aws:SourceArn condition ties the grant to
  # this organization's trail so another account's trail cannot write here.
  LogArchiveBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref LogArchiveBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AWSCloudTrailAclCheck
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:GetBucketAcl
            Resource: !Sub "arn:aws:s3:::${LogArchiveBucket}"
            Condition:
              StringEquals:
                aws:SourceArn: !Sub "arn:aws:cloudtrail:${AWS::Region}:${ManagementAccountId}:trail/OrganizationTrail"
          - Sid: AWSCloudTrailWrite
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:PutObject
            Resource: !Sub "arn:aws:s3:::${LogArchiveBucket}/cloudtrail/*"
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control
                aws:SourceArn: !Sub "arn:aws:cloudtrail:${AWS::Region}:${ManagementAccountId}:trail/OrganizationTrail"
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: "*"
            Action: s3:*
            Resource:
              - !Sub "arn:aws:s3:::${LogArchiveBucket}"
              - !Sub "arn:aws:s3:::${LogArchiveBucket}/*"
            Condition:
              Bool:
                aws:SecureTransport: "false"
```

Versioning plus the lifecycle rule protects against accidental deletion; if the archive must survive a malicious administrator in the log archive account as well, enable S3 Object Lock in compliance mode on the bucket.
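Once the organization trail delivers every account's events to one place, the security account can run organization-wide detections over them. The following added example, written for this chapter and not code from the page or from AWS, reads the JSON layout CloudTrail delivers to the archive (`{"Records": [...]}` per gzipped file) and raises the findings a multi-account organization should act on: any root activity, attempts to weaken guardrails or logging, API calls outside the region allowlist from the DenyRegions SCP, and requests an SCP explicitly denied, which CloudTrail records as `AccessDenied` with an `errorMessage` ending in "explicit deny in a service control policy" and which indicate a misconfigured workload or someone probing the guardrails. The five sample records and all account IDs are constructed.

```python
"""Detections over an organization trail (added example, not code from the page)."""
import json

ALLOWED_REGIONS = {"us-east-1", "us-west-2", "eu-west-1"}   # same list as the DenyRegions SCP

# (eventSource, eventName) pairs that change the organization's control plane.
GUARDRAIL_EVENTS = {
    ("organizations.amazonaws.com", "LeaveOrganization"),
    ("organizations.amazonaws.com", "DetachPolicy"),
    ("organizations.amazonaws.com", "UpdatePolicy"),
    ("organizations.amazonaws.com", "DisablePolicyType"),
    ("cloudtrail.amazonaws.com", "StopLogging"),
    ("cloudtrail.amazonaws.com", "DeleteTrail"),
    ("cloudtrail.amazonaws.com", "UpdateTrail"),
    ("guardduty.amazonaws.com", "DeleteDetector"),
    ("securityhub.amazonaws.com", "DisableSecurityHub"),
}

SCP_DENY_MARKER = "explicit deny in a service control policy"


def analyze_record(record):
    """Return the list of rule names one CloudTrail record triggers."""
    rules = []
    identity = record.get("userIdentity", {})
    source, name = record.get("eventSource"), record.get("eventName")

    if identity.get("type") == "Root":
        rules.append("root-activity")           # root must not be used day to day
    if (source, name) in GUARDRAIL_EVENTS:
        rules.append("guardrail-tampering")
    if record.get("awsRegion") not in ALLOWED_REGIONS:
        rules.append("region-outside-allowlist")
    if record.get("errorCode") == "AccessDenied" and SCP_DENY_MARKER in record.get("errorMessage", ""):
        rules.append("scp-denied")
    return rules


def analyze(records):
    """Flatten records into findings: one dict per (record, rule) pair."""
    findings = []
    for record in records:
        for rule in analyze_record(record):
            findings.append({
                "rule": rule,
                "account": record.get("recipientAccountId"),
                "region": record.get("awsRegion"),
                "principal": record.get("userIdentity", {}).get("arn"),
                "event": f"{record.get('eventSource')}:{record.get('eventName')}",
                "time": record.get("eventTime"),
            })
    return findings


def load_trail_file(text):
    """Parse one delivered CloudTrail log file (after gunzip) into its records."""
    return json.loads(text)["Records"]


# Constructed sample log file: five records from member accounts.
SAMPLE_TRAIL_FILE = json.dumps({"Records": [
    {"eventTime": "2024-03-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "recipientAccountId": "333333333333",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::333333333333:root"}},
    {"eventTime": "2024-03-01T08:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "ap-south-1", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/Developer/alice"},
     "errorCode": "AccessDenied",
     "errorMessage": "User: arn:aws:sts::111111111111:assumed-role/Developer/alice is not "
                     "authorized to perform: ec2:RunInstances with an explicit deny in a "
                     "service control policy"},
    {"eventTime": "2024-03-01T08:10:00Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "LeaveOrganization", "awsRegion": "us-east-1", "recipientAccountId": "222222222222",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::222222222222:user/bob"}},
    {"eventTime": "2024-03-01T08:15:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "awsRegion": "us-east-1", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/AppRole/i-0abc"}},
    {"eventTime": "2024-03-01T08:20:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1", "recipientAccountId": "999999999999",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::999999999999:assumed-role/OrgAdmin/carol"}},
]})


if __name__ == "__main__":
    for f in analyze(load_trail_file(SAMPLE_TRAIL_FILE)):
        print(f"{f['time']} {f['rule']:25s} {f['account']} {f['event']} {f['principal']}")
```

The same loop runs unchanged over real files pulled from the archive bucket, one `json.loads` per gunzipped object. Note that `LeaveOrganization` and `StopLogging` are legitimate administrative actions; the point of alerting on them is that in this architecture nobody outside the management account should ever need them, so every occurrence deserves a ticket.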
## 48.7 Security Hub Centralization

### Security Hub Architecture

The security account is the administrator account (formerly "master") for Security Hub, GuardDuty, Detective and Inspector. Member accounts generate findings locally; the administrator account receives a copy of all of them, giving cross-account views and cross-account threat detection in one place. When the accounts belong to an AWS Organization, designate the security account as delegated administrator from the management account and turn on auto-enable for new accounts; invitations are only needed for accounts outside the organization. These services are regional, so enable them in every region the DenyRegions SCP permits and, for Security Hub, configure cross-region aggregation into a single home region.
### Security Hub Configuration

Security standards are native CloudFormation resources, so no custom resource is needed to enable them. The CIS 1.2.0 benchmark uses a `ruleset` ARN with no region, while the Foundational Security Best Practices standard uses a regional `standards` ARN. GuardDuty always analyses CloudTrail management events, VPC Flow Logs and DNS logs; only the optional sources are configured, and the current way to do that is the `Features` list rather than the older `DataSources` block.

```yaml
# Security Hub and GuardDuty in the security (administrator) account
Resources:
  SecurityHubAdministrator:
    Type: AWS::SecurityHub::Hub
    Properties:
      EnableDefaultStandards: false      # standards are enabled explicitly below
      Tags:                              # this resource takes a tag map, not a Key/Value list
        Name: Security-Hub-Administrator

  # Enable standards
  CisBenchmark:
    Type: AWS::SecurityHub::Standard
    DependsOn: SecurityHubAdministrator
    Properties:
      StandardsArn: arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0

  FoundationalBestPractices:
    Type: AWS::SecurityHub::Standard
    DependsOn: SecurityHubAdministrator
    Properties:
      StandardsArn: !Sub arn:aws:securityhub:${AWS::Region}::standards/aws-foundational-security-best-practices/v/1.0.0

  # GuardDuty administrator detector
  GuardDutyDetector:
    Type: AWS::GuardDuty::Detector
    Properties:
      Enable: true
      FindingPublishingFrequency: FIFTEEN_MINUTES
      Features:
        - Name: S3_DATA_EVENTS
          Status: ENABLED
        - Name: EKS_AUDIT_LOGS
          Status: ENABLED
```
### Member Account Invitation

Invitations are the mechanism for accounts that are not part of the organization (or for organizations that have not delegated administration). The function runs in the security account; member IDs and notification addresses arrive in the event instead of being hard-coded, and the GuardDuty detector ID is looked up rather than pasted in.

```python
import json
import os

import boto3


def lambda_handler(event, context):
    """Invite member accounts to Security Hub and GuardDuty.

    Runs in the security (administrator) account. Within an AWS Organization
    prefer designating this account as delegated administrator from the
    management account (enable_organization_admin_account on both services)
    and turning on auto-enable, so new accounts are covered without invitations.
    """
    securityhub = boto3.client("securityhub")
    guardduty = boto3.client("guardduty")

    # Members come from the event or the MEMBER_ACCOUNTS environment variable, e.g.
    # [{"AccountId": "111111111111", "Email": "aws-sec+111111111111@example.com"}]
    members = event.get("members") or json.loads(os.environ.get("MEMBER_ACCOUNTS", "[]"))
    if not members:
        raise ValueError("no member accounts supplied")
    account_ids = [m["AccountId"] for m in members]

    # Security Hub: create member records, then send invitations
    securityhub.create_members(AccountDetails=members)
    securityhub.invite_members(AccountIds=account_ids)

    # GuardDuty: look up this account's detector in the current region
    detector_ids = guardduty.list_detectors()["DetectorIds"]
    if not detector_ids:
        raise RuntimeError("GuardDuty is not enabled in this region of the administrator account")
    detector_id = detector_ids[0]

    guardduty.create_members(DetectorId=detector_id, AccountDetails=members)
    guardduty.invite_members(DetectorId=detector_id, AccountIds=account_ids,
                             DisableEmailNotification=True)

    # Each member must still accept (accept_administrator_invitation in both
    # services) before its findings flow to this account.
    return {
        "statusCode": 200,
        "body": json.dumps({"message": "Invitations sent", "accounts": account_ids}),
    }
```
## 48.8 Control Tower

### Control Tower Overview

AWS Control Tower automates the landing zone this chapter has assembled by hand and consists of three parts:

- Landing zone: the multi-account structure (management, log archive and audit accounts; Security and Sandbox OUs), a security baseline (organization CloudTrail, AWS Config, centralized logging) and a network baseline.
- Guardrails (now called controls): preventive controls implemented as SCPs, detective controls implemented as AWS Config rules, and proactive controls implemented as CloudFormation hooks that reject non-compliant resources before they are created.
- Account Factory: automated account provisioning from custom account templates, integrated with Service Catalog so teams can request accounts that arrive already enrolled in their OU and its controls.

### Control Tower Guardrails

Preventive guardrails (enforced through SCPs; the action fails):

- Disallow public S3 buckets
- Disallow public RDS snapshots
- Disallow root access keys
- Disallow actions as the root user (an SCP cannot force MFA enrolment on root; that is checked by a detective control)
- Disallow unapproved regions

Detective guardrails (evaluated by Config rules; drift is reported, not blocked):

- Detect public S3 buckets
- Detect unencrypted EBS volumes
- Detect public RDS instances
- Detect missing MFA, including on the root user
- Detect root console login
## 48.9 Best Practices

### Multi-Account Best Practices

1. Account strategy
   - Use separate accounts for environments
   - Isolate production from non-production
   - Use dedicated security and log archive accounts, and keep workloads out of the management account
2. Governance
   - Attach SCPs at the OU level rather than to individual accounts
   - Use tag policies for consistent tagging
   - Enable an organization CloudTrail trail
3. Security
   - Centralize security services in the security account
   - Use Security Hub for aggregation
   - Use cross-account IAM roles (scoped with conditions or external IDs) instead of shared credentials
4. Networking
   - Use Transit Gateway for connectivity
   - Centralize DNS, egress and firewall inspection in the network account
   - Implement network segmentation with per-environment Transit Gateway route tables

### Multi-Region Best Practices

Data residency

- Understand the compliance requirements of each data set before choosing replica regions
- Choose regions that meet data residency needs
- Use region-specific KMS keys; multi-region keys exist but widen the blast radius of a key compromise

Latency optimization

- Use Route 53 latency-based routing
- Deploy CloudFront for static content
- Consider Lambda@Edge or CloudFront Functions for compute at the edge

Disaster recovery

- Implement a multi-region DR strategy with explicit RTO and RPO targets
- Use cross-region replication for data
- Test failover procedures regularly, including the logging and security tooling in the failover region

Cost management

- Monitor inter-region data transfer costs
- Use regional Reserved Instances
- Consider Savings Plans for flexibility
## 48.10 Key Takeaways

| Topic | Key Points |
|---|---|
| Organizations | Use AWS Organizations for multi-account management |
| OUs | Group accounts by function for policy application |
| SCPs | Implement guardrails with Service Control Policies |
| Regions | Select regions based on latency, compliance, and cost |
| Hub | Centralize network, security, and logging |
| Control Tower | Use Control Tower for automated landing zone |
Next Chapter: Chapter 49 - AWS Migration Strategies