---
title: Multi-Account Deployment
type: concept
tags: [AWS, CloudOps, Infrastructure-as-Code, DevOps]
date: 2025-10-24
---

## Definition

Multi-Account Deployment is the practice of using AWS CloudFormation StackSets or similar tools to automate the deployment and management of infrastructure across multiple AWS accounts and regions. AWS recommends a multi-account strategy to improve security isolation, cost management, and operational governance.

## Core Properties

- **Automation**: StackSets push configuration to the target accounts automatically
- **Consistency**: configuration is kept identical across all accounts
- **Scalability**: newly added accounts are brought into deployment scope automatically (auto-deployment)
- **Governance**: account groupings are managed through the AWS Organizations OU hierarchy

## AWS Recommended Account Structure

- **Management Account**: hosts central monitoring, billing, and Organizations administration
- **Log Archive Account**: holds the archived logs of the organization
- **Security Tooling Account**: hosts the security tooling
- **Workload Accounts**: where the actual business resources are deployed

## Key Mechanisms

- **AWS CloudFormation StackSets**: the native cross-account, cross-region deployment service
- **AWS Organizations**: account organization and management
- **Service Control Policies (SCPs)**: define permission boundaries at the OU level
- **Trusted Access**: lets StackSets perform operations inside member accounts
- **Auto-Deployment**: newly added accounts automatically receive the preconfigured StackSets

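The interaction between OU targeting and auto-deployment is easiest to see in code. The following is an added example, not code from the original note or from AWS: it models how a service-managed StackSet resolves its targets from the Organizations OU tree (target OUs are expanded recursively, then crossed with the region list) and what auto-deployment does when an account joins or leaves a targeted OU. The OU IDs, account IDs and StackSet name are constructed placeholders; `AutoDeployment.Enabled` and `RetainStacksOnAccountRemoval` are the real StackSet properties being modelled.

```python
"""Added example, not code from the original note or from AWS: a model of how a
service-managed StackSet resolves its targets from the Organizations OU tree and
what auto-deployment does when an account joins or leaves a targeted OU.
OU IDs, account IDs and the StackSet name are constructed placeholders."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class OrgUnit:
    """A node of the Organizations hierarchy: the root or one OU."""
    ou_id: str
    accounts: set = field(default_factory=set)
    children: list = field(default_factory=list)

    def all_accounts(self) -> set:
        """Accounts in this OU and every nested OU; StackSets targets OUs recursively."""
        found = set(self.accounts)
        for child in self.children:
            found |= child.all_accounts()
        return found

    def find(self, ou_id: str) -> Optional["OrgUnit"]:
        if self.ou_id == ou_id:
            return self
        for child in self.children:
            hit = child.find(ou_id)
            if hit is not None:
                return hit
        return None


@dataclass
class StackSet:
    """The deployment-target part of a service-managed StackSet definition."""
    name: str
    target_ous: list
    regions: list
    auto_deployment: bool            # AutoDeployment.Enabled
    retain_on_removal: bool = False  # AutoDeployment.RetainStacksOnAccountRemoval
    instances: set = field(default_factory=set)  # (account, region) pairs deployed


def resolve_targets(root: OrgUnit, stackset: StackSet) -> set:
    """Expand the target OUs (recursively) times the regions into (account, region) pairs."""
    accounts = set()
    for ou_id in stackset.target_ous:
        ou = root.find(ou_id)
        if ou is None:
            raise ValueError(f"unknown OU {ou_id}")
        accounts |= ou.all_accounts()
    return {(acct, region) for acct in accounts for region in stackset.regions}


def deploy(root: OrgUnit, stackset: StackSet) -> set:
    """Initial deployment: one stack instance per resolved target."""
    stackset.instances = resolve_targets(root, stackset)
    return set(stackset.instances)


def account_joined_ou(root: OrgUnit, stackset: StackSet, account_id: str, ou_id: str) -> set:
    """An account is moved into an OU. With auto-deployment enabled StackSets creates
    instances in it; without it an operator must run an update. Returns the new pairs."""
    root.find(ou_id).accounts.add(account_id)
    if not stackset.auto_deployment:
        return set()
    new = resolve_targets(root, stackset) - stackset.instances
    stackset.instances |= new
    return new


def account_left_ou(root: OrgUnit, stackset: StackSet, account_id: str, ou_id: str) -> set:
    """An account leaves a targeted OU. Auto-deployment removes its instances unless
    RetainStacksOnAccountRemoval keeps them. Returns the removed pairs."""
    root.find(ou_id).accounts.discard(account_id)
    if not stackset.auto_deployment or stackset.retain_on_removal:
        return set()
    gone = stackset.instances - resolve_targets(root, stackset)
    stackset.instances -= gone
    return gone


def build_sample_org() -> OrgUnit:
    """Constructed sample hierarchy; none of these IDs are real."""
    return OrgUnit("r-root", children=[
        OrgUnit("ou-security", accounts={"111111111111"}),
        OrgUnit("ou-workloads", children=[
            OrgUnit("ou-workloads-prod", accounts={"222222222222"}),
            OrgUnit("ou-workloads-dev", accounts={"333333333333"}),
        ]),
    ])


def build_sample_stackset() -> StackSet:
    """A baseline targeted at the whole workloads OU with auto-deployment on."""
    return StackSet("security-baseline", ["ou-workloads"],
                    ["us-east-1", "eu-west-1"], auto_deployment=True)


if __name__ == "__main__":
    org, baseline = build_sample_org(), build_sample_stackset()
    print("initial:", sorted(deploy(org, baseline)))
    print("joined:", sorted(account_joined_ou(org, baseline, "444444444444", "ou-workloads-dev")))
    print("left:", sorted(account_left_ou(org, baseline, "222222222222", "ou-workloads-prod")))
```

The security account never receives the baseline because it sits outside the targeted OU, and an account that is moved out of the workloads OU loses its instances unless retention is set; with auto-deployment disabled, `account_joined_ou` returns nothing, which is exactly the gap an operator must close manually.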
## Related Concepts

- [[AWS CloudFormation StackSets]]: the core tool for multi-account deployment
- [[AWS Organizations]]: account management and grouping
- [[StackSets Deployment Visibility]]: the observability challenges of multi-account deployment and their solutions
- [[Cross-Account Monitoring]]: multi-account deployment needs cross-account monitoring to support it
- [[Centralized Logging]]: the multi-account scenario is the main driver for centralized logging
- [[Landing Zone Architecture]]: the AWS Landing Zone architecture defines multi-account best practices
- [[Infrastructure as Code]]: multi-account deployment is an advanced application of IaC

## Operational Challenges

1. **Monitoring blind spots**: when a deployment across 50+ accounts fails, troubleshooting account by account is inefficient
2. **Configuration drift**: manual changes leave the accounts with inconsistent configuration
3. **Permission management**: the complexity of configuring cross-account IAM permissions
4. **Cost tracking**: cost attribution and budget control across many accounts

## Solution Patterns

- [[Centralized Logging]]: store the CloudFormation events of all accounts centrally
- [[Cross-Account Monitoring]]: a unified monitoring view covering all accounts
- [[StackSets Deployment Visibility]]: cross-account queries with CloudWatch Logs Insights
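What centralizing the CloudFormation events buys you is the ability to triage a failed StackSet operation in one pass instead of opening 50 consoles. The following is an added example, not code from the original note or an AWS tool: it takes stack events pooled from several accounts (constructed sample data with placeholder account IDs, shaped like CloudFormation `StackEvent` records and serialized one JSON object per line), extracts account and region from each `StackId` ARN, keeps only the first genuine resource failure per target, and groups targets that share the same normalized failure reason so that one SCP denial hitting forty accounts shows up as one root cause rather than forty tickets. The execution-role name and request IDs in the sample reasons are made up.

```python
"""Added example, not code from the original note: root-cause triage of
CloudFormation stack events centralized from many accounts. The StackId ARN
carries the account and region, so pooled events can be grouped by the failure
they share. All events below are constructed sample data with placeholder IDs."""
import json
import re
from collections import defaultdict

STACK_ARN_RE = re.compile(
    r"^arn:aws:cloudformation:(?P<region>[a-z0-9-]+):(?P<account>\d{12})"
    r":stack/(?P<name>[^/]+)/"
)
FAILED = {"CREATE_FAILED", "UPDATE_FAILED", "DELETE_FAILED"}


def _event(account, region, ts, logical_id, rtype, status, reason=None):
    """Build one constructed StackEvent-shaped record."""
    ev = {
        "StackId": f"arn:aws:cloudformation:{region}:{account}:stack/StackSet-security-baseline-EXAMPLE/EXAMPLE",
        "Timestamp": ts, "LogicalResourceId": logical_id,
        "ResourceType": rtype, "ResourceStatus": status,
    }
    if reason:
        ev["ResourceStatusReason"] = reason
    return ev


def _scp_denied(account, request_id):
    """Constructed reason text modelled on an IAM explicit-deny message."""
    return (f"User: arn:aws:sts::{account}:assumed-role/stacksets-exec-EXAMPLE/session "
            f"is not authorized to perform: iam:CreateRole with an explicit deny in a "
            f"service control policy (Service: Iam, Status Code: 403, Request ID: {request_id})")


# Constructed sample: two accounts hit the same SCP denial, one hits an S3 name clash, one succeeds.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    _event("222222222222", "us-east-1", "2025-10-24T10:00:01Z", "AuditRole", "AWS::IAM::Role",
           "CREATE_FAILED", _scp_denied("222222222222", "req-aaaa")),
    _event("222222222222", "us-east-1", "2025-10-24T10:00:02Z", "AuditBucket", "AWS::S3::Bucket",
           "CREATE_FAILED", "Resource creation cancelled"),
    _event("222222222222", "us-east-1", "2025-10-24T10:00:03Z", "StackSet-security-baseline-EXAMPLE",
           "AWS::CloudFormation::Stack", "CREATE_FAILED", "The following resource(s) failed to create: [AuditRole]."),
    _event("333333333333", "eu-west-1", "2025-10-24T10:00:05Z", "AuditRole", "AWS::IAM::Role",
           "CREATE_FAILED", _scp_denied("333333333333", "req-bbbb")),
    _event("444444444444", "us-east-1", "2025-10-24T10:00:04Z", "AuditBucket", "AWS::S3::Bucket",
           "CREATE_FAILED", "audit-logs-444444444444 already exists (Service: S3, Status Code: 409, Request ID: req-cccc)"),
    _event("555555555555", "us-east-1", "2025-10-24T10:00:06Z", "AuditRole", "AWS::IAM::Role", "CREATE_COMPLETE"),
])


def load_events(text):
    """Parse JSON-lines input into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_stack_arn(stack_id):
    """Return (account, region, stack_name) from a CloudFormation stack ARN."""
    m = STACK_ARN_RE.match(stack_id)
    if not m:
        raise ValueError(f"not a CloudFormation stack ARN: {stack_id}")
    return m.group("account"), m.group("region"), m.group("name")


def normalize_reason(reason):
    """Collapse per-account and per-request noise so identical causes compare equal."""
    reason = re.sub(r"\b\d{12}\b", "<account>", reason)
    return re.sub(r"Request ID: [^,)\s]+", "Request ID: <id>", reason)


def root_cause_failures(events):
    """First genuine resource failure per (account, region).

    Skips the stack-level rollup event and the 'Resource creation cancelled'
    events CloudFormation emits for siblings of the resource that actually failed."""
    causes = {}
    for ev in sorted(events, key=lambda e: e["Timestamp"]):
        if ev["ResourceStatus"] not in FAILED or ev["ResourceType"] == "AWS::CloudFormation::Stack":
            continue
        reason = ev.get("ResourceStatusReason", "")
        if reason.startswith("Resource creation cancelled"):
            continue
        account, region, _ = parse_stack_arn(ev["StackId"])
        causes.setdefault((account, region), (ev["LogicalResourceId"], reason))
    return causes


def group_by_cause(causes):
    """{(logical_id, normalized_reason): sorted [(account, region), ...]}."""
    groups = defaultdict(list)
    for target, (logical_id, reason) in causes.items():
        groups[(logical_id, normalize_reason(reason))].append(target)
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    for (logical_id, reason), targets in group_by_cause(root_cause_failures(load_events(SAMPLE_EVENTS))).items():
        print(f"{len(targets)} target(s) failed on {logical_id}: {reason}\n  {targets}")
```

Grouping on the normalized reason is what turns the per-account blind spot into a single answer: the two IAM failures collapse into one group pointing at an SCP on the workloads OU, the bucket-name clash stays separate, and the account that completed does not appear at all. The same aggregation can be expressed as a CloudWatch Logs Insights query once the events land in one log group, which is the pattern the StackSets Deployment Visibility note describes.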