⏲️ The countdown has begun
It's exactly one month from AWS re:Invent
Here it is. The first issue of Unlimited Leave.
Why today? Well, it’s exactly one month from the annual AWS re:Invent conference.
I'll be here. Will you?
If so, you can find me in this unofficial re:Invent 2022 Slack Workspace.
Fire me a message.
In this issue
- 37signals cashes in their Cloud Chips
- AWS Cloud Foundation Team White-Paper
- Control Tower v3.0 pains
- Resource of the week: Leapp.Cloud
- The case for multi-org deployments
37signals cashes in their Cloud Chips
Last week, David wrote about how 37signals is packing up their two applications and bringing them back in-house. They are Leaving the cloud.
It’d be pretty silly to argue that they are missing something here. I’ve never been in a position to see the numbers and have to make that decision. But good on them.
He's not wrong. There's something a little unnerving about a few companies hosting the vast majority of the internet.
AWS Cloud Foundation Team White-Paper
Last month, the AWS Cloud Foundation team released a white paper that describes (at a pretty high level) a framework for the many decisions one must make when deciding to deploy a new AWS environment:
- account naming & organization
- what accounts should host your delegated services (IAM IC/SSO, CloudFormation StackSets, SSM, etc.)
- network connectivity
- logging, tagging, and governance implementations
- workload isolation
- change management
- and more
It’s pretty much guaranteed that I will be sharing a deeper look at all of these items and will be providing my opinion about them and recommendations in future issues.
Control Tower v3.0 pains
In July the Control Tower team released v3.0, which introduced a few changes. Among other great changes, two have caused some profound issues in recent deployments.
While this update doc does shine some light on the potential issues and workarounds, I expect to see an update to both of these or at the very least, a well-documented way to address them.
Org Trail or No Trail
One of the main options was to allow Control Tower to deploy an Organizational multi-region CloudTrail instead of including a Control Tower managed Trail in every new account provisioned with Account Factory. Along with this option, you can opt-out of Control Tower managing any Trails altogether.
If you are just reading this and haven’t deployed yet, then I recommend opting out.
The reason is that the Org Trail consumes your one free Trail per account, and you cannot attach a CloudWatch Log Group to it in order to monitor and alert on the metrics needed to close the LOW CIS Benchmark Security Hub checks.
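To make the impact concrete, here is an added example (my own code, not from Control Tower or AWS) that takes `describe-trails`-shaped output and flags trails that cannot back the CIS metric-filter alarms, then evaluates three of the CIS v1.2 section 3 filter patterns against sample CloudTrail events. The trail names, account id and events are constructed placeholders.

```python
"""Which trails can carry the CIS metric filters, and which events trip them?
Trail and event records are constructed; the account id is a placeholder."""
import json

# Constructed: a Control Tower org trail with no log group, and an
# account-local multi-region trail that forwards to CloudWatch Logs.
TRAILS = json.loads("""{"trailList": [
 {"Name": "aws-controltower-BaselineCloudTrail", "IsOrganizationTrail": true,
  "IsMultiRegionTrail": true, "HomeRegion": "eu-west-1"},
 {"Name": "cis-alarm-trail", "IsOrganizationTrail": false,
  "IsMultiRegionTrail": true, "HomeRegion": "eu-west-1",
  "CloudWatchLogsLogGroupArn": "arn:aws:logs:eu-west-1:111111111111:log-group:cis:*"}]}""")

def audit_trails(describe_output):
    """Map trail name -> findings; an empty list means the trail can back
    the CIS alarms (multi-region and delivering to a CloudWatch log group)."""
    findings = {}
    for t in describe_output["trailList"]:
        issues = []
        if not t.get("IsMultiRegionTrail"):
            issues.append("single-region: misses global-service events")
        if not t.get("CloudWatchLogsLogGroupArn"):
            issues.append("no CloudWatch Logs log group: metric filters impossible")
        findings[t["Name"]] = issues
    return findings

# CIS v1.2 metric-filter patterns (3.1, 3.2, 3.3) expressed as predicates.
def _unauthorized(e):     # 3.1: errorCode "*UnauthorizedOperation" or "AccessDenied*"
    code = e.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")

def _console_no_mfa(e):   # 3.2: ConsoleLogin without MFAUsed = "Yes"
    return (e.get("eventName") == "ConsoleLogin"
            and e.get("additionalEventData", {}).get("MFAUsed") != "Yes")

def _root_usage(e):       # 3.3: Root identity, not invoked by a service
    ui = e.get("userIdentity", {})
    return (ui.get("type") == "Root" and "invokedBy" not in ui
            and e.get("eventType") != "AwsServiceEvent")

CIS_FILTERS = {"UnauthorizedAPICalls": _unauthorized,
               "ConsoleLoginNoMFA": _console_no_mfa, "RootUsage": _root_usage}

def matching_filters(event):
    """Names of the CIS filters this CloudTrail event would increment."""
    return sorted(n for n, f in CIS_FILTERS.items() if f(event))
```

Run `audit_trails` against real `aws cloudtrail describe-trails` output to see at a glance which trail in each account is eligible to carry the alarms.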
Global IAM Resources in Config Recorder
Now when you deploy Control Tower, there is an option for AWS Config to only aggregate global resource information in your home region. This prevents being charged multiple times for single global resources. That's great.
The problem with this, based on my current findings, is if us-east-1 is not your home region, then the Security Hub checks for your global resources will show “No Data” in all other regions. This isn’t a major issue, but a frustrating one for sure.
I’m still testing and hope to report back with something better than disabling the checks in other regions, which is always an option.
Resource of the week: Leapp.Cloud
One of the most fascinating tools I've come across for accessing multiple AWS Organizations is Leapp. *Not a sponsor
When using Leapp.Cloud you can seamlessly switch your CLI Profile, authentication to the web console for any account in your list, and even start SSM Sessions in your accounts.
Once authenticated to an individual account via IAM users, or to an entire Organization's IAM Identity Center (formerly SSO), you can double-click your way into any AWS account in any AWS Organization through any Permission Set you have access to.
Give this a try. It’s the best one out there.
The case for multi-Org
I am currently working on getting back into writing blog posts regularly in support of this newsletter. One of the first posts I am working on focuses on the case of deploying multiple AWS Organizations to better support AWS architectural needs.
Pending the findings from the previously stated issues about Control Tower, the post should be out by AWS re:Invent.
I have a feeling this is where things are trending so I want this post available so I can say I told you so.
Help us grow
Do you know someone else that could benefit from this content?
Maybe they suck at AWS Architecture and you don't have the heart to tell them?
Forward them this email or tell them to subscribe 👇
It's not quite the same as sharing those wonderful family vacation photos, but they'll enjoy it a lot more.