Set up a secure and compliant multi-account AWS environment based on best practices

Automated policy management (guardrails), detection and remediation of violations, and a compliance dashboard.

Account Factory uses Service Catalog to provision new accounts.

Guardrails detect and remediate policy violations, providing ongoing governance.

Mandatory - created automatically by Control Tower

Strongly recommended - based on AWS best practices

Preventive - implemented with SCPs, which block the action outright

Detective - implemented with AWS Config rules that verify compliance (e.g. is MFA enabled?)

Elective - optional, for enterprise use (e.g. disallow S3 delete actions unless MFA is present)
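As an added example (not taken from Control Tower's own guardrail definitions), this is what the preventive form of the elective guardrail above looks like as an SCP: it denies S3 object and bucket deletes from any principal whose request carries no MFA context. The policy name and the use of `BoolIfExists` are my assumptions; `BoolIfExists` is used so that requests made with long-term access keys, where the MFA key is absent entirely, are also denied.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyS3DeleteWithoutMFA",
      "Effect": "Deny",
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:DeleteBucket"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
```

Because role sessions started by AWS services (for example an EC2 instance profile) also lack the MFA key, attach this SCP only to OUs where humans operate, or add a condition that exempts the automation roles you trust. Remember that SCPs never affect the management account, so it is not protected by this guardrail.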


Resource Access Manager (RAM)

RAM lets you share specified AWS resources that you own with other AWS accounts (and, with trusted access enabled, with your organization or OUs).

To enable trusted access with AWS Organizations:

  1. From the AWS RAM CLI, run the `enable-sharing-with-aws-organizations` command (`aws ram enable-sharing-with-aws-organizations`).
  2. The name of the IAM service-linked role that can be created in accounts once trusted access is enabled: *AWSResourceAccessManagerServiceRolePolicy*.
