AWS Multi-Account Strategy Design and Implementation

Laying A Solid Foundation Governing Visibility & Cost Management, Security & Compliance with Governance & Automation


In this course, you will gain the experience required to architect and implement a secure multi-account AWS environment based on AWS best practices. You will be exposed to design choices of different account structures to help provide proper cost allocation, agility, and security. You will also learn how to design a scalable AWS Identity and Access Management architecture and how to monitor, track, and alert on user changes and events for compliance, change management, and security governance.


  • Personalization based on insights gained from your answers to the pre-training questionnaire.

    • Personalized resource guide with applicable use cases and real-world scenarios that closely relate to your company's environment.

    • Personalized resource guide with a set of action items of things to implement or test in your AWS environment.

  • Opportunity to ask further questions after the 3-day session when the knowledge gained is most needed.

  • Learn by seeing and doing.

    • Operational production environment with a deployed application with all the relevant AWS tools and services pre-configured to help you observe and learn at production scale.

    • The environment provides the opportunity for experimentation based on discussion points and your company’s unique situations.

  • Simulated problems to challenge your understanding of the subject matter.

  • Training is driven by the problem you are trying to solve and not the technology being studied.

  • Interwoven collaborative discussion sessions.


  • How to implement a multi-account environment and the analysis, design, and implementation for:

    • Separate Management, Operation, Billing, Log Archive, and Security Account

    • Account structures based on organizational, operational, and cost models - Business Unit (BU), Environment Lifecycle, Project-Based and Hybrid Account Structures

    • Account provisioning automation to standardize logging, security, network, etc. baselines.

    • Designing and implementing a scalable AWS Identity and Access Management architecture

  • How to implement Logging, Monitoring, Alert/Notification at scale utilizing native AWS services and tools and their integration with third-party solutions to facilitate security governance, compliance, change management, troubleshooting and responding to security incidents.


We recommend that attendees have the following prerequisites:

  • Good working knowledge of AWS core services, including services listed out in the course outline.

  • Familiarity with the Linux operating system and command line interface.

  • Working knowledge of distributed systems

  • Familiarity with general networking concepts

  • Requires a laptop to complete lab exercises – tablets are not appropriate.



  • General discussion on account management, security, identity & access management, change management, logging, monitoring, and alert/notification.

  • Account structure use case exploration and the decisions that went into picking one structure over the other.

  • AWS Organizations and account management deep dive

  • Exploration of the relevant AWS services and tools focusing on best practices and FAQ.

    • AWS Managed Active Directory for AWS SSO integration, AWS Identity and Access Management (IAM)

    • Amazon VPC, Amazon S3, AWS Key Management Service, Amazon DynamoDB

    • AWS CloudTrail, AWS Config, AWS Config Rules, AWS Service Catalog, AWS Cost Management Tools

    • Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Security Hub

    • Amazon CloudWatch alarms and events, AWS Lambda, Amazon Simple Notification Service (SNS)

  • Review relevant third-party security and monitoring solutions and their integration points within an AWS environment.


  • Deep dive into essential Identity and Access Management concepts required to implement a Multi-Account strategy and implementation of a scalable AWS Identity and Access Management architecture.

    • IAM Roles, Cross-Account Roles, Federation, AWS Directory Service

  • Multi-account AWS account structure implementation by Business Unit (BU), Environment Lifecycle, Project and Hybrid.

  • Separate Management, Operation, Billing, Log Archive, and Security Account discussion and implementation.


  • Deep dive into Logging, Monitoring, Alert/Notification implementation at scale to facilitate security governance, compliance, change management, troubleshooting and responding to security incidents.

  • Centralized Log Archive Account discussion and implementation.

  • Evaluation of multi-account setups with AWS Landing Zone.

Date & Time - 3 days - June 24 to June 26, 2018, 8:30 AM – 5:00 PM CDT

Location - 1515 Young Street Stone Room (7th Floor), Dallas, TX 75201

Class Size - 25