Structure public cloud accounts for optimal resource tracking

As enterprises move to public IaaS or broaden their existing deployments, cloud account management gets tricky. Follow this example to find the structure that works best for you.

After a move to the cloud, many organizations struggle to set up a solid account structure and prevent account sprawl.

Here's a look at what, exactly, a cloud account is, the challenges it presents and how multi-cloud adoption can magnify those challenges.

Accounts in the public cloud

Cloud accounts serve as a way for a public cloud provider to identify the people, workloads and systems that use its service. For enterprises, these accounts are necessary to access the provider's resources.

But organizations don't usually put a lot of thought into choosing an account structure for public cloud. And as these organizations move from just occasional use of the public cloud to having it represent almost 100% of their IT system infrastructure, this causes trouble.

For example, let's say Company XYZ became an AWS customer in 2014 and set up two different cloud accounts: one for its manufacturing department and one for HR. Corporate IT runs both. In 2015, Company XYZ onboarded its accounting, marketing and sales departments onto its AWS deployment and provided those groups with their own AWS accounts as well.

Since 2015, the IT team migrated over 500 workloads from all departments to AWS, placing each under its respective department's account. While this one-to-one model for departments and AWS accounts seemed to work in 2014, Company XYZ now needs data on specific cloud usage by department, subgroup and individual user. Moreover, it needs to assign different resources to different accounts to track and optimize public cloud costs.

In 2017, Company XYZ also added Microsoft Azure to its cloud infrastructure mix and followed the same account management procedures it set in 2015.

By 2018, the company now needs to untangle a mess of accounts that span AWS and Azure. So, moving forward, how can it manage its cloud accounts more effectively and cost-efficiently?

First, it's important to note that there is no perfect account management approach. While there are tools to assist you, you need to decide what's best for your organization. In the example above, Company XYZ underengineered its cloud account structure, failing to realize that, in the future, it would have different requirements and need to break down that structure to provide more demarcation of its organization's AWS usage. Compared to its one-to-one model, a more granular or fine-grained account structure would provide the company with better resource and cost tracking.

Both AWS and Azure provide flexible approaches to cloud account setup, enabling enterprises to find the structure that works best for them. However, don't change structures too frequently, as it can introduce confusion and lead to mistakes, such as security misconfigurations that can cause accidental exposures.

Manage cloud accounts

There are some emerging best practices for cloud account management that both cloud providers and industry experts recommend. First, organize your account structure by departments -- as Company XYZ did in the example above -- not by users' email addresses. Because email addresses are associated with specific people, if somebody leaves your company, it would disrupt the account structure.

Company XYZ also needed a way to create subcategories under the department accounts. AWS accounts, as one example, enable you to use organizational units to create hierarchical and logical groupings. This means you can better and more granularly manage cloud accounts based on specific users, suborganizations or special projects. You can perform chargebacks and showbacks as well and allocate budget to specific categories of workgroups.

Resource tagging is also important. As part of a cloud migration, create a consistent approach as to how your company categorizes resources and how you assign those resources to users. You'll need to enforce compliance for your tagging approach on an ongoing basis, using either manual verification or cloud-native automation from your provider.

Finally, make sure you use cloud-native APIs to apply a baseline set of configurations as you create new accounts. Again, monitor for compliance after you establish those configurations, like you would for tagging.

Multi-cloud account management

In multi-cloud computing, there are a few options for account management. For example, you could use the native account management system on each respective cloud or use a third-party account and cost management tool, such as Cloud Cruiser or Zylo, to collect and analyze cost data from each account in each cloud platform. These third-party tools provide all that information in a single location, using a common interface that spans all accounts and all clouds.

Next Steps

AWS Control Tower aims to simplify multi-account management

Dig Deeper on Cloud infrastructure design and management

Data Center