AWS multi-account architecture with AWS Single Sign-On

Vinod Kumar Nair
Published in Level Up Coding
3 min read, Jul 25, 2021


A multi-account architecture gives customers governance, security isolation, cost visibility, and control over their AWS environment and resources. An AWS account is the strongest isolation boundary AWS offers, so separating workloads, environments, and teams by account limits the blast radius of a compromised credential or misconfiguration far better than IAM policies inside a single account can.

AWS Control Tower provides a landing zone: a pre-configured, secure, multi-account AWS environment built on AWS Organizations, so we do not have to assemble the organization, logging, and baseline policies by hand.

AWS Control Tower provides us:-

  1. Guardrails — both preventive guardrails (implemented as service control policies, which block the action no matter what IAM permissions exist inside the account) and detective guardrails (implemented as AWS Config rules, which report non-compliant resources but do not block them), enforced on the enrolled AWS accounts
  2. Account Factory — to provision new AWS accounts, and enroll existing ones, with a governed baseline and pre-approved network configurations

Open the AWS Control Tower service in the AWS Console and follow the instructions to set up the landing zone.

AWS Control Tower

By default, AWS Control Tower provisions a log archive account and an audit account in the foundational (Security) OU: the log archive account holds the organization-wide CloudTrail and AWS Config logs, and the audit account is the cross-account access point for security and compliance teams. The landing zone also configures AWS SSO (now IAM Identity Center) as the identity source, so users sign in once and assume roles in member accounts through permission sets instead of holding long-lived IAM users in each account. You can add further OUs as required by your organizational governance; note that guardrails apply only to OUs registered with Control Tower.

The following architecture depicts a typical multi-account AWS environment with different Organizational Units (OUs) and accounts:-

AWS Multi-Account Architecture
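To make the guardrail and OU mechanics concrete, here is a small evaluator for preventive guardrails, which Control Tower implements as service control policies (SCPs) attached to the OUs it governs. This is an added example, not code from the article or from AWS: the OU tree, account names, ARNs, and the policy text are constructed for illustration, and the policy only approximates the mandatory "disallow changes to CloudTrail" guardrail rather than reproducing the managed policy. It shows that an SCP attached at an OU applies to every account beneath it, that Control Tower's own execution role is exempted, and that an OU not registered with Control Tower receives no guardrail at all. Detective guardrails (AWS Config rules) are not modelled.

```python
"""Added example: evaluate Control Tower style preventive guardrails (SCPs)
against a constructed OU tree.  Not the article's or AWS's own code."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# FullAWSAccess is attached to the root and to every OU by default; guardrails
# add explicit denies on top of it.
FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Approximation of the mandatory CloudTrail guardrail (assumption: the action
# list and exempt role name only follow the real policy in spirit).
CLOUDTRAIL_GUARDRAIL = {"Statement": [{
    "Effect": "Deny",
    "Action": ["cloudtrail:DeleteTrail", "cloudtrail:StopLogging",
               "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"],
    "Resource": "*",
    # Control Tower's execution role is exempt so it can still manage the trail.
    "Condition": {"ArnNotLike": {"aws:PrincipalARN":
                  "arn:aws:iam::*:role/AWSControlTowerExecution"}},
}]}


@dataclass
class OU:
    name: str
    scps: list = field(default_factory=list)      # guardrail SCPs attached here
    children: list = field(default_factory=list)
    accounts: list = field(default_factory=list)  # constructed account names


def build_org() -> OU:
    """Constructed OU tree modelled on a Control Tower landing zone."""
    security = OU("Security", [CLOUDTRAIL_GUARDRAIL], accounts=["log-archive", "audit"])
    workloads = OU("Workloads", [CLOUDTRAIL_GUARDRAIL],
                   children=[OU("Prod", accounts=["prod-app"]),
                             OU("Dev", accounts=["dev-app"])])
    sandbox = OU("Sandbox", accounts=["sandbox-1"])  # not registered: no guardrail
    return OU("Root", children=[security, workloads, sandbox])


def _matches(pattern, value, ci=False):
    pats = pattern if isinstance(pattern, list) else [pattern]
    if ci:
        return any(fnmatchcase(value.lower(), p.lower()) for p in pats)
    return any(fnmatchcase(value, p) for p in pats)


def _condition_holds(cond, ctx):
    for op, pairs in cond.items():
        for key, pat in pairs.items():
            hit = _matches(pat, ctx.get(key, ""))
            if (op == "ArnLike" and not hit) or (op == "ArnNotLike" and hit):
                return False
    return True


def policy_verdict(policy, action, ctx):
    """'deny', 'allow' or None for one SCP document; an explicit Deny wins."""
    verdict = None
    for st in policy["Statement"]:
        if not _matches(st["Action"], action, ci=True):  # IAM actions are case-insensitive
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "deny"
        verdict = "allow"
    return verdict


def path_to(node, account):
    """OUs from the root down to the OU that holds the account."""
    if account in node.accounts:
        return [node]
    for child in node.children:
        sub = path_to(child, account)
        if sub:
            return [node] + sub
    return []


def scp_allows(root, account, action, principal_arn):
    """SCPs permit an action only if every level from the root down to the
    account's OU allows it and no level explicitly denies it."""
    path = path_to(root, account)
    if not path:
        raise KeyError(f"unknown account {account}")
    ctx = {"aws:PrincipalARN": principal_arn}
    for ou in path:
        verdicts = [policy_verdict(p, action, ctx) for p in [FULL_ACCESS] + ou.scps]
        if "deny" in verdicts or "allow" not in verdicts:
            return False
    return True


if __name__ == "__main__":
    org = build_org()
    admin = "arn:aws:iam::111122223333:role/Admin"
    ct = "arn:aws:iam::111122223333:role/AWSControlTowerExecution"
    for acct in ("log-archive", "prod-app", "sandbox-1"):
        print(acct, "StopLogging by Admin:",
              scp_allows(org, acct, "cloudtrail:StopLogging", admin))
    print("log-archive StopLogging by Control Tower role:",
          scp_allows(org, "log-archive", "cloudtrail:StopLogging", ct))
```

Running it shows the deny reaching `prod-app` through the Workloads OU even though the Prod OU carries no policy of its own, while `sandbox-1` in the unregistered OU can still stop logging. Real SCP evaluation also considers policies attached directly to the account and the FullAWSAccess attachment at each level; the model above keeps only what is needed to show inheritance and the exemption condition.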
