Excellent talk! Unfortunately, while it’s easy to create AWS accounts as resource containers in an automated way to support devops, closing and deleting AWS accounts is still a tedious manual process - both at the time of this video, and still now in 2021. None of the talks/videos/blogs/etc promoting multi-account strategies ever mention this major pain point. I feel sorry for anyone dealing with nightmare of account deletions after spinning up all of these recommended multi-account configurations. As a simple example, just set up a landing zone using Control Tower in a new account, and then immediately try to delete everything after testing. Now imagine doing that tedious manual process for hundreds of accounts or more. You can’t even programmatically close or delete accounts that were programmatically created via the account factory or vending machine, even though you’re using consolidated billing to pay for their resources. What a joke. Too bad. It’s a nice idea, but it’s a terrible devops experience.
Great talk. Though I do wish more AWS services would be architected with multi-account architecture in mind. Many things don't inherently allow the usage of a PrincipalOrgId or are messy across accounts (SSM).
AWS you need to have some kind of real "resource container" . Using the account for everything start to be lame. You are contradicting yourself "as simple as possible" and then you propose creating 5 security account each for one simple thing like e.g. log archive. It is time to move forward ;)
![AWS re:Invent 2019: [REPEAT 2] I didn’t know Amazon API Gateway did that (SVS212-R2)](/img/n.gif)
Excellent talk! Unfortunately, while it’s easy to create AWS accounts as resource containers in an automated way to support devops, closing and deleting AWS accounts is still a tedious manual process - both at the time of this video, and still now in 2021. None of the talks/videos/blogs/etc promoting multi-account strategies ever mention this major pain point. I feel sorry for anyone dealing with nightmare of account deletions after spinning up all of these recommended multi-account configurations. As a simple example, just set up a landing zone using Control Tower in a new account, and then immediately try to delete everything after testing. Now imagine doing that tedious manual process for hundreds of accounts or more. You can’t even programmatically close or delete accounts that were programmatically created via the account factory or vending machine, even though you’re using consolidated billing to pay for their resources. What a joke. Too bad. It’s a nice idea, but it’s a terrible devops experience.
This talk have gelled it well together the different construct in a greenfield AWS environment. Well done!
Great talk. Though I do wish more AWS services would be architected with multi-account architecture in mind. Many things don't inherently allow the usage of a PrincipalOrgId or are messy across accounts (SSM).
Slides: d1.awsstatic.com/events/reinvent/2019/REPEAT_2_Architecting_security_&_governance_across_your_landing_zone_SEC325-R2.pdf
AWS you need to have some kind of real "resource container" . Using the account for everything start to be lame. You are contradicting yourself "as simple as possible" and then you propose creating 5 security account each for one simple thing like e.g. log archive. It is time to move forward ;)
Are the slides available anywhere?
You just need real "Resource Group"s, not some crooked tag indexer that pretends to be as good as Azure's.