Secure IAM on AWS with Multi-Account Strategy

TL;DR

This paper advocates for a multi-account strategy on AWS to enhance cloud security, especially for small organizations, by improving access control, reducing policy management complexity, and providing a practical deployment guide.

Contribution

It introduces a cost-effective multi-account approach for AWS, analyzes its security benefits, and offers deployment strategies and operational techniques for small organizations.

Findings

Multi-account strategy improves security over single accounts.

Automated deployment simplifies multi-account setup.

Techniques for policy auditing enhance operational security.

Abstract

Many recent IT companies use cloud services for deploying their products, mainly because of their convenience. As such, cloud assets have become a new attack surface, and the concept of cloud security has emerged. However, cloud security is not emphasized enough compared to on-premise security, resulting in many insecure cloud architectures. In particular, small organizations often don't have enough human resources to design a secure architecture, leaving them vulnerable to cloud security breaches. We suggest the multi-account strategy for securing the cloud architecture. This strategy cost-effectively improves security by separating assets and reducing management overheads on the cloud infrastructure. When implemented, it automatically provides access restriction within the boundary of an account and eliminates redundancies in policy management. Since access control is a critical objective for constructing secure architectures, this practical method successfully enhances security even in small companies. In this paper, we analyze the benefits of multi-accounts compared to single accounts and explain how to deploy multiple accounts effortlessly using the services provided by AWS. Then, we present possible design choices for multi-account structures with a concrete example. Finally, we illustrate two techniques for operational excellence on multi-account structures. We take an incremental approach to secure policy management with the principle of least privilege and introduce methods for auditing multiple accounts.