AWS has been innovating constantly, and those like me who have been following closely for the past six years have seen AWS’s shift towards catering to larger enterprises. Earlier, all the services were standalone, in the sense that they were restricted to an account. With the coming of AWS Organizations this changed. AWS Organizations made it possible to bring all accounts of an organization under a single umbrella and apply consistent policies across all accounts. This also enabled a single point for billing. Large organizations with multiple sub-units benefit from this, as they have better control over compliance and a better understanding of the costs involved.
From a training perspective, what I have noticed is that everything is still single-account based. The training we design and deliver is single-account based most of the time. I have incorporated multi-account security using AWS Organizations in my AWS Security training, but most other services are taught in a standalone mode. If you look at the Network Firewall that was released recently, you can install it across the organization.
Does that mean we must make AWS Organizations the focus in our training and let people know how certain services can be deployed across accounts? That is a tough question to answer because when we deal with an Enterprise we are dealing with multiple teams. Not every team is focused on the complete organization. They are focused only on their unit and hence they may not need to be trained on how to manage AWS Organizations.
What is important, though, is that all engineers get an understanding of AWS Organizations, because they should not be surprised if some things don’t work even though they have explicitly allowed them. That could be because those services may have been blocked at the Organization level. How the Organization policy impacts a particular unit, and what those policies are, is something people at the unit level must understand.
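The effect described above, as an added example that is not part of the original post: a simplified Python model of how organization-level policies (service control policies) cap what an account's own IAM policy can allow. The policy contents, level names and function names are constructed for illustration, and the model ignores resources, conditions and permission boundaries.

```python
from fnmatch import fnmatchcase

def verdict(statements, action):
    """Return 'Deny', 'Allow' or None for one set of policy statements."""
    effects = {s["Effect"] for s in statements
               if any(fnmatchcase(action.lower(), p.lower()) for p in s["Action"])}
    if "Deny" in effects:          # an explicit deny always wins
        return "Deny"
    return "Allow" if "Allow" in effects else None

def evaluate(action, org_levels, iam_statements):
    """org_levels: (name, statements) pairs from the organization root down
    to the account. Returns (allowed, reason)."""
    # Organization policies grant nothing; every level must allow the action.
    for name, statements in org_levels:
        v = verdict(statements, action)
        if v == "Deny":
            return False, f"explicit deny in organization policy at {name}"
        if v is None:
            return False, f"not allowed by organization policy at {name}"
    # Only now does the account's own IAM policy get a say.
    v = verdict(iam_statements, action)
    if v != "Allow":
        return False, ("explicit deny in IAM policy" if v == "Deny" else "no IAM allow")
    return True, "allowed by the organization and by IAM"

# Constructed sample policies (not from the original post).
ALLOW_ALL = {"Effect": "Allow", "Action": ["*"]}
ORG_LEVELS = [
    ("Root", [ALLOW_ALL]),
    ("OU Sandbox", [ALLOW_ALL, {"Effect": "Deny", "Action": ["s3:DeleteBucket"]}]),
    ("Account", [{"Effect": "Allow", "Action": ["s3:*", "ec2:*"]}]),
]
# What the unit's engineers wrote in their own account.
IAM = [{"Effect": "Allow", "Action": ["s3:*", "dynamodb:*"]}]

if __name__ == "__main__":
    for action in ("s3:GetObject", "s3:DeleteBucket",
                   "dynamodb:PutItem", "ec2:RunInstances"):
        print(action, "->", evaluate(action, ORG_LEVELS, IAM))
```

The two cases that surprise a unit-level engineer are `s3:DeleteBucket` and `dynamodb:PutItem`: both are allowed in the account's IAM policy and both are still refused, one by an explicit deny on the OU and one because the account-level organization policy never allowed it.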
The lab to work on AWS Organizations is going to be a bit tricky for the trainers, especially if you are providing your own labs. You need at least two accounts and resources in both accounts. Additionally, if you are looking at demonstrating various Organizational Units and sub-units, you need many more than two accounts.
Going forward, it is important that everyone understands AWS Organizations and how we can control a complete organization and not just the individual account. For this, our own mentality must change from seeing an account as an independent entity to seeing it as a part of a larger organization. I am sure many large organizations are already doing it and smaller organizations will start doing it soon. As trainers we should seriously start looking at this and check how to educate our participants to look at Cloud not just from the department perspective but from an Organizational perspective as well.
This also means we have to understand other AWS services, like AWS Resource Access Manager (RAM), which allows accounts to share resources. You need to understand which resources can be shared and when they should be shared, as opposed to when you want them to be dedicated to an account. Knowing AWS Organizations and RAM is going to be very important going forward, especially for those who are looking at Organization-wide security and cost optimization.
Wishing all of you a Happy 2021. I know all of us are hoping 2021 will be kind to us.