
AWS Multi-Account Management with Kion

Austin Fuller


Last updated on January 31st, 2023 at 4:15pm

The cloud promises to deliver innovation with increased flexibility, reliability, and scalability. However, as many organizations attempt to scale in the cloud, they encounter difficulty.

The Multi-Account Paradox is that a disproportionate amount of business value can only be realized once you have a number of AWS accounts in your environment that seems operationally untenable. More AWS accounts allow you to group workloads based on business purpose and ownership, promote innovation and agility, provide better cost visibility and management, constrain access to sensitive data, lower entry barriers to cloud adoption, and more.

But you can’t conceive of a way to provision and manage the number of AWS accounts you would need to achieve your desired outcomes while minimizing the increased risk. This conundrum is easily understood when looking at the amount of operational complexity and risk relative to the number of AWS accounts in an environment. If you could hypothetically quantify those values, it would look something like this graph.

Operational complexity and risk increase exponentially with the number of AWS accounts in a given environment.

To address the multi-account paradox and unlock the full value of the cloud, organizations need to implement effective account management through automation & orchestration and governance to remove all of the operational friction and risk associated with scaling a multi-account AWS environment.

Kion was purpose-built as the best single platform to establish and scale a well-governed, multi-account AWS environment. Kion becomes the arbiter for every AWS account, giving you a consolidated place to manage and automate everything about your AWS accounts, including policy application, identity federation, cloud access, and account provisioning.

The Organizational Chart

Kion provides visibility into your cloud environment using an organizational chart. You can create this chart to mirror your organization's functional structure, helping you retain visibility into the teams and departments who own cloud accounts and resources. The organizational chart is comprised of three units: organizational units (OUs), which serve as containers for projects and other OUs; projects, which are the unit that contains cloud accounts; and finally, your AWS accounts.

Visualize your AWS environment and automate vital governance tasks with Kion’s organizational chart.

More than simply arranging and functionally displaying your cloud environment, it is also a powerful automation mechanism. The organizational chart provides hierarchical inheritance of policies, compliance requirements, budgets, financial enforcement, and more.

Applying policies and compliance requirements at the top creates an organization-wide baseline that will apply to all OUs, projects, and accounts. This can be accomplished in minutes, and you can have full confidence that Kion will disseminate that baseline everywhere and always.

Sometimes you don’t want policies applied everywhere; only specific projects need them. For example, many organizations have workloads that must adhere to strict compliance requirements, like HIPAA or PCI DSS, that apply only to that workload and not to anything else. The organizational chart enables you to apply compliance standards only to the OUs or projects that need them and not to others. All the descendant OUs and projects will inherit those compliance guardrails, meaning you won’t need to worry about them being compliant as you scale them up. Compliance and security become baked in. You only need to configure them once, avoiding duplicate effort.

An OU with inherited and unique policies applied to it through the organizational chart.

Policy Application and Management

The Organizational Chart makes it easy to automate the management, dissemination, and enforcement of the permutations of policies found in a multi-account AWS environment, but what about configuring them? How are the policies being enforced by Kion?

Kion uses a construct known as Cloud Rules. These are cloud-provider-agnostic ruleset generators that interact with identity and access management (IAM), policies, permissions, compliance requirements, budgets, financial enforcements, and other parameters of your AWS accounts.

Cloud rules allow you to build holistic guardrails that give you a true “set it and forget it” experience when configuring and instituting effective governance in your AWS environment. Cloud rules function in all regions and fabrics of AWS, including AWS GovCloud, C2S, and SC2S, ensuring your accounts are well-governed everywhere in AWS.

Cloud rules are vital in a true end-to-end automated account provisioning process. Kion can apply them to accounts as they are vended, meaning new accounts are created and fully configured without added manual intervention. This drastically reduces the time from a new AWS account request to when the requester can use it.

An example of the many cloud rules that can be created inside of Kion.

Identity Federation

The best way to manage human identities is by relying on a centralized identity provider. This makes managing access across multiple applications and services easier because you are creating, managing, and revoking access from a single location. One of the most frequently encountered examples of this practice is when someone leaves your organization: you can revoke access for all applications and services (including AWS) from one location. This reduces the need for multiple credentials and provides an opportunity to integrate with existing human resources processes.

Kion supports several identity providers like Azure Active Directory, Okta, OneLogin, PingFederate, Google, and more. Kion can automatically add users to user groups in Kion based on SAML assertions to dynamically determine user permissions.

Kion’s login screen with multiple identity provider options.

You can manually assign SAML users to Kion user groups, as you can with any other users in the Kion platform. Usually, though, some effort has already gone into the identity provider that you would like to take advantage of inside Kion. Because Kion allows users to log in using a SAML provider, it is easy to map SAML users to Kion user groups automatically. This ensures SAML users have the proper permissions inside Kion without assigning them manually. They will also be removed from these groups as they are removed from the group in your SAML provider.

Cloud Access Management

One of the problematic manual processes in a multi-account AWS environment is cloud access management. Configuring permutations and exceptions to permissions and access for human and machine entities inside AWS is complicated and time-consuming. It also carries a large amount of risk because misconfigurations are common when many complex tasks are performed manually.

To make a large, multi-account AWS environment operationally feasible and secure, there needs to be a mechanism to aggregate and automate the regular changes and exceptions needed for permissions and access.

This is precisely the purpose of Cloud Access Roles (CARs). Cloud Access Roles are the powerful, easy-to-use vehicle for granting users and accounts the right type and level of access to the cloud service providers to accomplish their work.

Kion uses a hierarchical structure that includes the inheritance of many different roles, permissions, and objects for subsidiary organizational units (OUs) and projects inside Kion. Leveraging this capability, you can define CARs inside higher-level OUs to have the CAR inherited and propagated to subsidiary OUs and projects, thus allowing you to quickly disseminate and manage needed access across the entire organization.

Cloud Access Roles allow for the easy dissemination and management of cloud access.
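The inheritance described here and in the Organizational Chart section, as an added Python sketch that is not Kion's code or API: each account's effective cloud rules and Cloud Access Roles are the union of everything attached to its ancestors, and an audit helper lists accounts under a scope that lack a given rule. The `Node` model, the function names, and every rule, role and account name are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    kind: str                                    # "ou", "project" or "account"
    rules: set = field(default_factory=set)      # cloud rules attached directly here
    roles: set = field(default_factory=set)      # cloud access roles attached directly here
    children: list = field(default_factory=list)

def effective(root):
    """Map each account to the rules and roles it inherits from every ancestor."""
    out = {}
    def walk(node, path, rules, roles):
        rules, roles, path = rules | node.rules, roles | node.roles, path + [node.name]
        if node.kind == "account":
            out[node.name] = {"path": path, "rules": rules, "roles": roles}
        for child in node.children:
            walk(child, path, rules, roles)
    walk(root, [], set(), set())
    return out

def accounts_missing(root, scope, rule):
    """Audit check: accounts below the node named `scope` that do not carry `rule`."""
    return sorted(name for name, e in effective(root).items()
                  if scope in e["path"][:-1] and rule not in e["rules"])

# Constructed sample organization; all names are illustrative (assumptions).
ORG = Node("org", "ou", {"baseline-logging"}, {"auditor-read-only"}, [
    Node("healthcare", "ou", {"hipaa"}, set(), [
        Node("claims", "project", set(), {"claims-developer"},
             [Node("claims-prod", "account")]),
        Node("portal", "project", set(), set(), [Node("portal-dev", "account")]),
    ]),
    Node("retail", "ou", set(), set(), [
        Node("payments", "project", {"pci-dss"}, set(),
             [Node("payments-prod", "account")]),
        Node("storefront", "project", set(), set(),
             [Node("storefront-prod", "account")]),
    ]),
])

if __name__ == "__main__":
    for name, e in sorted(effective(ORG).items()):
        print(name, sorted(e["rules"]), sorted(e["roles"]))
    print("retail accounts without pci-dss:", accounts_missing(ORG, "retail", "pci-dss"))
```

Attaching `hipaa` at the OU covers every account beneath it, while `pci-dss` attached at a single project leaves the sibling project's account outside that guardrail, which the audit helper reports.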

Account Provisioning and Configuration Automation

Kion makes it easy to organize and grow your multi-account strategy for your cloud environment and implement best practices recommended by the cloud service providers, such as the AWS Well-Architected Framework. Kion makes it easy to vend as many new accounts as you need, whether that be one or many.

Kion’s process of adding existing AWS accounts or creating new AWS accounts allows you to take advantage of all the other features mentioned, including cloud access roles, cloud rules, and inheritance from the organizational chart to automatically create and configure your AWS accounts to exact specifications with minimal manual intervention.

Kion can create one or many AWS accounts that are automatically configured to your specifications.

These features have enabled our customers, like Indeed, to realize a 10X reduction in provisioning time for new AWS accounts. This opens new doors to what is possible with AWS because cloud platform teams no longer need to spend time on developing and maintaining in-house tools and performing manual tasks and processes. This also mitigates a substantial amount of risk and operational overhead, allowing their AWS environments to scale to previously impossible sizes.

If you would like to see why Kion is the best way to establish and scale a well-governed, multi-account AWS environment and unlock the full potential of AWS for you, please request a demo here.

About the Author

Austin Fuller

Austin has nearly a decade of experience in enterprise software and cybersecurity and is an AWS-certified cloud practitioner.
