An AWS account is a customer's isolated environment within the AWS cloud: it is the boundary within which resources, IAM identities, and billing live. To use AWS services you must first create an AWS account, which then serves as your entry point to use, manage, and pay for AWS resources and services.
What is an Account Vending Machine?
AWS has long recommended a multi-account strategy as a best practice: the account is the strongest isolation boundary AWS offers, so workloads are separated along workload, data, cost, and ownership lines. The challenge many Cloud Teams face when following that strategy is creating new AWS accounts quickly and at scale while reliably applying company standards, policies, and guardrails before any workload resources are deployed. An Account Vending Machine is the automation that solves this: it creates each account and applies the baseline in a repeatable way, so a freshly vended account is compliant from the moment it exists.
What's included in a Vended Account?
AWS best practices strongly recommend that certain services be enabled in every region, and for global resources, as soon as an account exists; CloudTrail and AWS Config are the clearest examples, since they are the audit and configuration-history baseline everything else depends on. The same pattern holds for services that support the other Well-Architected pillars: Cost Optimization (AWS Compute Optimizer), Reliability (AWS Data Lifecycle Manager), and more.
How's it done?
Most teams prefer Infrastructure-as-Code (IaC) such as CloudFormation or Terraform, but each brings its own challenges: state management, proprietary syntax, resources or sub-resources the tool does not yet support, and so on, all of which can cause more headaches than they are worth. At that point many teams find themselves doing half the setup with IaC and the other half by hand.
How's it done in E1?
A baseline AWS Account Vending Machine is available on AstroHub for free. Link to AstroHub
Users can build on this existing solution or build their own from scratch. One common extension is adding AWS IAM Identity Center (successor to AWS SSO) permission-set assignments to each new account, guaranteeing that the IAM roles required by audit, operations, and other business teams are in place from day one.
Building in E1 is done in plain Python, and the methodology still follows the IaC best practice: the account baseline lives in version-controlled code rather than in console clicks. The Boto3 SDK is maintained by AWS, free to use, and, more importantly, covered by AWS Technical Support if you need help. The set of resources and API methods available in Boto3 is far broader than what third-party tools like Terraform expose, and you are not forced to learn a proprietary syntax that has no use outside that platform. The trade-off to plan for is that Boto3 calls are imperative: idempotency (re-running a step safely after a partial failure) and drift detection, which a Terraform state file gives you, become the vending code's own responsibility.
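The following is an added example (not the page's or AstroHub's code) of what the vending sequence described above looks like in Boto3: create the account, move it under an OU so its SCPs apply, enable an AWS Config recorder in every region (with global resource types recorded in exactly one region), and only then grant an Identity Center permission-set assignment. CloudTrail is assumed to be covered by an organization trail, so no per-account trail is created. The OU id, bucket name, Identity Center ARNs, group id, and the Config service-linked role name are placeholders, and `FakeClients` is an offline stand-in for the real Boto3 client factory so the flow can be exercised without credentials.

```python
"""Account vending with Boto3: create, apply guardrails per region, then grant access.
Added example; OU ids, bucket, ARNs and the Config role are placeholder values."""
import time

ORG_ACCESS_ROLE = "OrganizationAccountAccessRole"  # created by Organizations in every vended account
CONFIG_ROLE = "AWSServiceRoleForConfig"            # Config's service-linked role (assumed to exist)
CONFIG_BUCKET = "example-org-config-logs"          # placeholder: central log-archive bucket
REGIONS = ["us-east-1", "eu-west-1"]               # regions the baseline covers
GLOBAL_REGION = "us-east-1"                         # only one recorder should capture global resources


def boto3_clients(service, region=None, creds=None):
    """Real client factory; boto3 is imported lazily so the offline fake needs no dependency."""
    import boto3
    kw = {} if creds is None else {"aws_access_key_id": creds["AccessKeyId"],
                                   "aws_secret_access_key": creds["SecretAccessKey"],
                                   "aws_session_token": creds["SessionToken"]}
    return boto3.client(service, region_name=region, **kw)


def vend_account(clients, email, name, dest_ou, instance_arn, perm_set_arn, group_id, poll=2.0):
    """Create an account, baseline it, then assign access. Returns (account_id, steps applied)."""
    steps = []
    org = clients("organizations")
    req_id = org.create_account(Email=email, AccountName=name, RoleName=ORG_ACCESS_ROLE,
                                IamUserAccessToBilling="DENY")["CreateAccountStatus"]["Id"]
    while True:  # CreateAccount is asynchronous; poll until the request settles
        status = org.describe_create_account_status(CreateAccountRequestId=req_id)["CreateAccountStatus"]
        if status["State"] == "SUCCEEDED":
            account_id = status["AccountId"]
            break
        if status["State"] == "FAILED":
            raise RuntimeError(f"CreateAccount failed: {status.get('FailureReason')}")
        time.sleep(poll)

    # 1. Move the account out of the root into the OU whose SCPs must apply before anything else runs.
    root_id = org.list_roots()["Roots"][0]["Id"]
    org.move_account(AccountId=account_id, SourceParentId=root_id, DestinationParentId=dest_ou)
    steps.append(("move_account", dest_ou))

    # 2. Assume the cross-account role Organizations created for us.
    creds = clients("sts").assume_role(RoleArn=f"arn:aws:iam::{account_id}:role/{ORG_ACCESS_ROLE}",
                                       RoleSessionName="account-vending")["Credentials"]

    # 3. AWS Config recorder + delivery channel in every region; global types in one region only.
    role_arn = f"arn:aws:iam::{account_id}:role/aws-service-role/config.amazonaws.com/{CONFIG_ROLE}"
    for region in REGIONS:
        cfg = clients("config", region=region, creds=creds)
        cfg.put_configuration_recorder(ConfigurationRecorder={
            "name": "default", "roleARN": role_arn,
            "recordingGroup": {"allSupported": True,
                               "includeGlobalResourceTypes": region == GLOBAL_REGION}})
        cfg.put_delivery_channel(DeliveryChannel={"name": "default", "s3BucketName": CONFIG_BUCKET})
        cfg.start_configuration_recorder(ConfigurationRecorderName="default")
        steps.append(("config", region))

    # 4. Guardrails are in place; only now grant humans access through Identity Center.
    clients("sso-admin").create_account_assignment(
        InstanceArn=instance_arn, TargetId=account_id, TargetType="AWS_ACCOUNT",
        PermissionSetArn=perm_set_arn, PrincipalType="GROUP", PrincipalId=group_id)
    steps.append(("assignment", group_id))
    return account_id, steps


class FakeClients:
    """Offline stand-in for boto3_clients: records every call and answers with canned shapes."""
    def __init__(self):
        self.calls = []  # (service, region, operation, kwargs)
        self._status = iter([{"State": "IN_PROGRESS"},
                             {"State": "SUCCEEDED", "AccountId": "111122223333"}])

    def __call__(self, service, region=None, creds=None):
        return _FakeService(self, service, region)


class _FakeService:
    def __init__(self, owner, service, region):
        self.owner, self.service, self.region = owner, service, region

    def __getattr__(self, op):
        def call(**kw):
            self.owner.calls.append((self.service, self.region, op, kw))
            if op == "create_account":
                return {"CreateAccountStatus": {"Id": "car-0123456789", "State": "IN_PROGRESS"}}
            if op == "describe_create_account_status":
                return {"CreateAccountStatus": next(self.owner._status)}
            if op == "list_roots":
                return {"Roots": [{"Id": "r-abcd"}]}
            if op == "assume_role":
                return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "x", "SessionToken": "y"}}
            return {}
        return call


if __name__ == "__main__":
    fake = FakeClients()  # swap in boto3_clients to run for real
    print(vend_account(fake, "workload@example.com", "workload-prod", "ou-abcd-11111111",
                       "arn:aws:sso:::instance/ssoins-0000",
                       "arn:aws:sso:::permissionSet/ssoins-0000/ps-0000", "group-uuid", poll=0))
```

The ordering is the security-relevant part: the account is parked under its OU (so SCPs apply) and the audit baseline is running before any permission set hands a human a session in it. For a real run, the Config service-linked role must exist (`iam.create_service_linked_role(AWSServiceName="config.amazonaws.com")` creates it), the log bucket's policy must allow delivery from the new account, and every step should tolerate being re-run after a partial failure.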
Your Transformation Journey Awaits!
Experience a tailored, obligation-free demo crafted just for you.