Managing and securing multiple AWS accounts gets complex. superwerker is a free and open-source solution to automate the setup and management of your multi-account AWS environments. Based on our experiences at superluminar, we teamed up with kreuzwerker from Berlin to bundle prescriptive best practices from multiple years of cloud consulting and created superwerker.
As always, AWS provides the building blocks for modern cloud infrastructure, and you need to come up with a plan to use them. Using superwerker, you can start right away with a well-architected AWS foundation to run your workloads on AWS:
- AWS Control Tower as a well-architected baseline
- AWS Single Sign-On for a future-proof multi-account access
- Amazon GuardDuty to automate detection of possible threats
- AWS Security Hub to establish security standards
- AWS Backup for automated backups
- Automated budget alarms for cost control
- Service Control Policies to protect your infrastructure
- AWS Systems Manager integration
When creating the superwerker CloudFormation Stack, you need to provide a domain name and subdomain. This is used to configure a Route53 Hosted Zone in your AWS account. The subdomain is used to automatically handle incoming emails for common AWS notifications and can be used when creating new AWS accounts as well.
After configuring the domain, for example yourcompany.com, and a subdomain like aws, you can create the CloudFormation Stack. During the stack creation process, an AWS CloudWatch Dashboard is created to display the installation status. This living documentation shows you the assigned name servers you need to configure in your DNS configuration for the provided domain:
The superwerker installation process will wait until you have configured your DNS settings correctly. Afterwards, CloudFormation begins to configure the included AWS services and features.
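The installation only proceeds once the NS records of the subdomain (aws.yourcompany.com in the example above) point at the name servers shown on the dashboard. The following check is an added example and not part of superwerker: it compares the dashboard's name servers with the NS records the public DNS returns and reports incomplete or stale delegation. The expected name servers are constructed sample values, and the live lookup assumes that dig is installed.

```python
"""Check that the superwerker subdomain is delegated to the expected name servers.

Added example, not part of superwerker. EXPECTED_NS stands for the name
servers shown on the installation dashboard; the values below are constructed
samples. The live lookup assumes `dig` is available on the machine.
"""
import subprocess
from typing import Iterable

# Constructed sample: the four name servers of the Route53 Hosted Zone.
EXPECTED_NS = [
    "ns-123.awsdns-15.com.",
    "ns-456.awsdns-56.net.",
    "ns-789.awsdns-78.org.",
    "ns-1234.awsdns-26.co.uk.",
]


def normalize(names: Iterable[str]) -> set:
    """Lower-case and strip the trailing dot so 'NS-1.X.COM.' equals 'ns-1.x.com'."""
    return {n.strip().lower().rstrip(".") for n in names if n.strip()}


def check_delegation(expected: Iterable[str], observed: Iterable[str]) -> dict:
    """Compare the hosted zone's name servers with the NS records seen in DNS.

    ok      - True only if every expected server is delegated and nothing else is
    missing - expected servers the parent zone does not list (delegation incomplete)
    extra   - servers in the parent zone that do not belong to the hosted zone,
              typically a stale delegation to an old provider or a foreign zone
    """
    exp, obs = normalize(expected), normalize(observed)
    missing = sorted(exp - obs)
    extra = sorted(obs - exp)
    return {"ok": bool(exp) and not missing and not extra, "missing": missing, "extra": extra}


def lookup_ns(subdomain: str) -> list:
    """Query the public DNS for the subdomain's NS records via dig (assumed installed)."""
    out = subprocess.run(["dig", "+short", "NS", subdomain],
                         capture_output=True, text=True, check=True)
    return out.stdout.split()


if __name__ == "__main__":
    # Replace the hostname with your own subdomain before running.
    print(check_delegation(EXPECTED_NS, lookup_ns("aws.yourcompany.com")))
```

A result with entries in `extra` deserves attention even when `missing` is empty: a foreign name server in the delegation can answer for the subdomain that receives the AWS notification emails.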
Based on AWS Control Tower, superwerker uses AWS Single Sign-On to manage access to AWS accounts. Together with AWS Organizations and the usage of multiple AWS accounts to distribute workloads and application environments, this forms the very baseline for a secured multi-account AWS environment.
AWS Single Sign-On
When done with the installation, head over to AWS Single Sign-On. Create a new user account, so you can stop using the root account of your AWS management account. To use the account for administrator actions, assign it to the AWSControlTowerAdmins user group.
AWS Control Tower
You can create new AWS accounts using AWS Control Tower. For new accounts, access the Account Factory and provide the needed information.
For every new AWS account, you need to provide a reference to an AWS Single Sign-On user. If the email address is not already registered, a new SSO user is created for the account.
Using AWS Organizations, Control Tower, and custom Organization Units, you can group and organize your AWS accounts. By default, Control Tower configures a core Organization Unit for the audit AWS accounts.
You should come up with a structure of custom Organization Units to manage your AWS accounts. For example, create an Organization Unit for every application in your organization and create separate AWS accounts for every application environment. With this approach, you can easily structure your growing pool of AWS accounts in a well-architected multi-account AWS environment.