
AWS Control Tower - jeffbarr
https://aws.amazon.com/blogs/aws/aws-control-tower-set-up-govern-a-multi-account-aws-environment/
======
omeid2
AWS is pushing Organizations/Accounts as something like GCP's Projects and it
mostly works, cross account iam works pretty good, so does many other services
but sadly this is not reflected in the support subscriptions.

You want help with a problem in your staging account? pay for support, fair
enough. You want help with your production? oh sorry, you have to pay again.

~~~
marcinzm
> You want help with a problem in your staging account? pay for support, you
> want help with your production? oh sorry, you have to pay again.

In a sense this is a good thing since support is percentage based and you may
want a higher level for support for production than staging.

~~~
omeid2
You should have the option to pay for the aggregate and get support across all
the accounts, it only makes sense, really.

~~~
dodobirdlord
If I recall correctly, that only happens at the Enterprise support tier.

~~~
scarface74
You pay a minimum of $100 per account for business support - 10% of your bill.

~~~
dragonwriter
Business support has pricing that drops as a percentage as your spend goes up,
like Enterprise, but does not allow you aggregate across accounts like
enterprise.

It's only 10% for the first $10K. 7% for the portion up to $80K, 5% for the
portion up to $250K, and 3% beyond that. (Enterprise has the same kind of %age
ranges but cutoffs of $150K/$500K/$1M and the bottom range doesn't really
matter because the hard minimum is $15K/mo.)

------
andrewstuart
I'd love it if at a glance I could see all of the AWS resources that I am
using that cost me money, across all the regions.

Right now I feel like I would have to poke into every menu option in every
region across the entire set of AWS services to find out exactly what I'm
using.

The cynic in me wonders if this is not a priority for AWS because they make so
much money from forgotten and hard to find resources that are being used and
paid for but essentially lost in the interface.

When I saw the new product name I thought "maybe this is it!"

~~~
iaresee
Does the billing dashboard not cover your needs? With their billing query UI
you can slice your billing data by region, service, etc.

~~~
derefr
The billing API tells you about resources that _have_ charged you, whereas I
think the parent comment is talking about resources that are either “active”
in some sense where they _will_ charge you at some point in the future for the
usage you’re accruing (but where this usage isn’t metered in a way visible to
the billing API until it “commits” somehow); or, worse, resources which are
“exposed” in some sense where they _could_ charge you if they received a
request, but happen to not have received any yet. (These resources are _very_
easy to lose track of.)

Another way to think of this question is “what is my current _exploitable
attack surface_ , against the ‘attack’ of causing AWS to charge me lots of
money?”

~~~
jjeaff
They do only show what you have been charged, but to my knowledge this is
updated very regularly. It seems at least next day.

------
cbdumas
This looks like a public facing version of a tool that AWS uses internally,
which is great. Super easy tool to setup and govern AWS accounts, and also
access the accounts to which you have access. I always wondered why they
didn't sell it to their customers but I guess now they will!

------
thomasedwards
Just tried it on our master account:

> You tried to use an account that is a member of an organization in AWS
> Organizations. To set up your AWS Control Tower landing zone, use an account
> that is not a member of an organization.

Looks like it’s only feasible if you’re starting from scratch.

~~~
s14ve
Have you managed to get it working in the end? I've encountered the same
issue.

~~~
thomasedwards
No, stopped trying – I’m not too worried as I have a Firefox Containers setup
to switch between all the accounts.

------
wayne_skylar
Sorry but I've never felt that Amazon is completely operating in good faith
with regards to allowing users to manage their costs. The proof of that is the
fact that they _still_ don't have a page where you can see the price of an ec2
instance alongside its stats. I've been wanting to see that for ten years and
they still haven't added it.

~~~
joemag
EC2 engineer here.

Pricing is definitely a hard topic, and we can do more to make it easier.
However, with regards to your second comment, are you looking for something
more than this page [1]

[1] [https://aws.amazon.com/ec2/pricing/on-demand/](https://aws.amazon.com/ec2/pricing/on-demand/)

~~~
pwarner
Of course there is
[https://www.ec2instances.info/](https://www.ec2instances.info/) or if you are
into Azure then [https://azureprice.net/](https://azureprice.net/)

------
rukenshia
I love that AWS is starting to care more about providing these services. For
context, we have basically been building this for 2 years in our company
internally to provide hundreds of “compliant by default” accounts. Every
company seems to do it themselves.

What I personally find very frustrating is the lack of being able to migrate
any existing organisations into this. I’d love to get rid of some of our
account provisioning but this would basically mean starting over with a brand-
new AWS Organization which is impossible for us.

It still is quite a hassle to manage many accounts (and resources you need in
them) so I hope this service will sooner or later help us with this.

PS: if anyone is over at re:Inforce and wants to talk about anything AWS Orgs
& accounts, feel free to mail me (profile)!

~~~
joseph
I also worked on a team that built something similar, and I've seen it done in
other companies. With services like this, and others like Transit Gateway,
it's getting a lot easier to manage multiple accounts and VPCs. I haven't
tried AWS Control Tower yet, but I am hoping it gives easy visibility into all
the accounts in one place. With Amazon accounts, once you assume a role into
an account, you can't see other accounts without switching back into them.

This is one area where I think GCP got it right. By using organizations and
projects within one account instead of having parent and child accounts, it's
quite a bit easier to see what's going on. And a parent account has a very
different role from child accounts, so it makes sense to treat them as
separate things.

------
dvfjsdhgfv
Thank you AWS. In the meantime, if you could offer me just one basic setting
that users have been asking for years (hard limit on your spending), it would
be even better.

~~~
marcinzm
How would hard limits work? Do all your ec2 instances shut down? Do your s3
buckets and their data get deleted? Do your snapshots and EBS volumes get
deleted? There's no way to pause these things since they still cost AWS
money.

~~~
argd678
You don’t let people start up the service if it will exceed a cost quota. For
ec2 that should be easy since the cost ticks at a constant rate and can be
extrapolated in advance, but yeah other usage based services like s3 and
network traffic that won’t work.

~~~
cthalupa
> but yeah other usage based services like s3 and network traffic that won’t
> work.

I think this is the major problem. It's conceptually easy to say 'Yeah no more
spinning up ec2 instances' or whatever, but the only way to deal with hitting
that cap for things like network traffic or storage services is just turning
off network access or deleting the files. I can't imagine many businesses are
going to go for "hey if you set a cap and you exceed it we fix it by deleting
your stuff and taking down network availability." - that's going to be a
total nonstarter in so many situations! But that's what would be required to
actually set a spending cap on an account.

That sort of decision really needs to be made by a human as it's happening -
is the spike in usage legitimate? Is it your customers driving the demand? Is
it unwanted traffic? Is it an autoscaling group gone wrong? etc. etc. etc.

My suggestion is setting up CW billing alarms at several thresholds, to try
and stay ahead of this before it reaches that point, with paging on the
highest threshold where it's about at the point where you'd consider turning
things off. Then you should hopefully be able to take care of unexpected
expenses before they're problematic, but also ready to engage someone to make
the tough decisions instead of just automatically taking yourself down.
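
The tiered billing-alarm setup cthalupa describes, as an added example that is not from the thread: it builds one CloudWatch alarm on the AWS/Billing EstimatedCharges metric per threshold, notifying a warning SNS topic at every tier and also a paging topic at the highest one. The SNS topic ARNs are assumed to exist already, and "Receive Billing Alerts" must be enabled in the account's billing preferences.

```python
"""Tiered CloudWatch billing alarms (added example, not from the thread).

Assumes two SNS topics already exist: one for e-mail warnings and one
wired to a paging service. The billing metric is only published in
us-east-1, so the CloudWatch client must be created for that region.
"""
from typing import Any, Dict, List

BILLING_REGION = "us-east-1"  # AWS/Billing metrics live here only


def build_billing_alarms(
    thresholds_usd: List[float],
    warn_topic_arn: str,
    page_topic_arn: str,
) -> List[Dict[str, Any]]:
    """Return put_metric_alarm kwargs for each threshold, lowest first.

    Every tier notifies the warning topic; only the highest tier (the
    "consider turning things off" level) also pages the on-call topic.
    """
    if not thresholds_usd:
        raise ValueError("need at least one threshold")
    ordered = sorted(set(thresholds_usd))
    top = ordered[-1]
    alarms = []
    for t in ordered:
        actions = [warn_topic_arn]
        if t == top:
            actions.append(page_topic_arn)
        alarms.append({
            "AlarmName": f"billing-estimated-charges-over-{int(t)}-usd",
            "AlarmDescription": f"Estimated month-to-date charges above ${t:,.0f}",
            "Namespace": "AWS/Billing",
            "MetricName": "EstimatedCharges",
            "Dimensions": [{"Name": "Currency", "Value": "USD"}],
            "Statistic": "Maximum",
            "Period": 21600,  # metric is published only a few times a day
            "EvaluationPeriods": 1,
            "Threshold": float(t),
            "ComparisonOperator": "GreaterThanThreshold",
            "TreatMissingData": "notBreaching",
            "AlarmActions": actions,
        })
    return alarms


def apply_billing_alarms(cloudwatch, alarms: List[Dict[str, Any]]) -> int:
    """Create or update each alarm via a boto3 CloudWatch client for us-east-1."""
    for kwargs in alarms:
        cloudwatch.put_metric_alarm(**kwargs)
    return len(alarms)
```

Call `apply_billing_alarms(boto3.client("cloudwatch", region_name=BILLING_REGION), build_billing_alarms([500, 1000, 2000], warn_arn, page_arn))` to install the tiers; re-running it is idempotent because alarm names are derived from the thresholds.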

~~~
dvfjsdhgfv
> But that's what would be required to actually set a spending cap on an
> account.

Nevertheless, that's exactly what people have been asking for several years.
See this thread for example (and many others):
[https://forums.aws.amazon.com/thread.jspa?threadID=58127&start=50&tstart=0](https://forums.aws.amazon.com/thread.jspa?threadID=58127&start=50&tstart=0)

~~~
marcinzm
Not really, that thread is asking for a limit on S3 traffic serving (i.e.
bandwidth used). That doesn't cap the account spend nor does it delete data
(and you will continue to be charged for data storage, requests, etc.).

The thread has a limited and reasonable request which is totally separate from
account spend limits.

