A workflow for creating new AWS Accounts

Creating AWS accounts in a prescribed way


Today I Explained

Before creating a new AWS Account using the API or through the AWS Console, there are some procedures that should be considered beforehand. These are all things that can be automated using infrastructure as code or the API.

AWS accounts should first be created within an ‘Exceptions’ organizational unit at the root of the organization. Service control policies or StackSets would otherwise apply to these accounts if they are not explicitly isolated from the rest of the organization. This matters because it lets the bootstrapping process run without any other system complicating it; these kinds of policies and stacks aren’t intended to be deployed to accounts in the “preparing” stage of the account lifecycle.

With the account created, the next step is to enable all AWS Regions within the account. Not every Region is enabled by default, and enabling them all allows the default VPCs and security group rules to be removed from every Region rather than only the default-enabled ones. Once that clean-up is complete, the optional (opt-in) Regions can be disabled again. With the default resources removed, the next steps encode the essentials of the baseline. This expects that:

When the baseline has been created, the account can be moved into the intended organizational unit, allowing service control policies to take effect and StackSets to deploy the organization's stacks.
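The Region and default-VPC preparation described above as one boto3 script (an added example, not the author's code): enable every opt-in Region, tear down the default VPC in each Region in the order EC2 requires, then disable the opt-in Regions again. It assumes a `boto3.Session` holding credentials for a role in the new account and uses the Account API's `list_regions` / `enable_region` / `disable_region` / `get_region_opt_status` calls; the helper names are this example's own, and the final move into the target OU is a separate `organizations.move_account` call made from the management account.

```python
import time

def default_vpc_teardown_plan(vpcs, igws, subnets):
    """Pure: turn EC2 describe_* results into an ordered (method, kwargs) list.
    A VPC cannot be deleted while an internet gateway is attached or subnets remain."""
    plan = []
    for vpc in vpcs:
        if not vpc.get("IsDefault"):
            continue  # never touch a VPC somebody created deliberately
        vpc_id = vpc["VpcId"]
        for igw in igws:
            if any(a.get("VpcId") == vpc_id for a in igw.get("Attachments", [])):
                igw_id = igw["InternetGatewayId"]
                plan.append(("detach_internet_gateway", {"InternetGatewayId": igw_id, "VpcId": vpc_id}))
                plan.append(("delete_internet_gateway", {"InternetGatewayId": igw_id}))
        plan += [("delete_subnet", {"SubnetId": s["SubnetId"]})
                 for s in subnets if s["VpcId"] == vpc_id]
        plan.append(("delete_vpc", {"VpcId": vpc_id}))
    return plan

def list_regions(account, statuses):  # Region names by opt-in status; the API paginates
    names, kwargs = [], {"RegionOptStatusContains": statuses}
    while True:
        page = account.list_regions(**kwargs)
        names += [r["RegionName"] for r in page["Regions"]]
        if "NextToken" not in page:
            return names
        kwargs["NextToken"] = page["NextToken"]

def set_region_opt_in(account, region, enable):
    """Enable/disable an opt-in Region and wait for the asynchronous change to settle."""
    (account.enable_region if enable else account.disable_region)(RegionName=region)
    target = "ENABLED" if enable else "DISABLED"
    while account.get_region_opt_status(RegionName=region)["RegionOptStatus"] != target:
        time.sleep(15)  # ENABLING / DISABLING takes several minutes

def bootstrap_account(session):  # session: boto3.Session for the new account's bootstrap role
    account = session.client("account")
    opt_in = list_regions(account, ["DISABLED"])  # Regions not enabled by default
    for region in opt_in:
        set_region_opt_in(account, region, True)
    for region in list_regions(account, ["ENABLED", "ENABLED_BY_DEFAULT"]):
        ec2 = session.client("ec2", region_name=region)
        plan = default_vpc_teardown_plan(ec2.describe_vpcs()["Vpcs"],
            ec2.describe_internet_gateways()["InternetGateways"], ec2.describe_subnets()["Subnets"])
        for method, kwargs in plan:
            getattr(ec2, method)(**kwargs)  # one EC2 API call per plan step
    for region in opt_in:
        set_region_opt_in(account, region, False)
```

Because the teardown is computed as a plan before anything is called, the same function can be run in a dry-run mode that only logs the plan, which is worth doing the first time against a real account.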