Managed Service Providers (MSPs) face the challenging task of managing diverse IT environments for multiple clients, balancing everything from monitoring and security to cloud support. To be successful in this competitive landscape, MSPs must adopt scalable, efficient strategies that simplify operations while driving down costs. By leveraging AWS’ robust suite of tools and services, MSPs can streamline management, enhance security, optimise resources, and maximise ROI.
AWS Organisations is the first service in the AWS MSP toolkit and is designed to help efficiently manage and govern multiple AWS accounts. It enables the consolidation of billing into one comprehensive invoice, simplifying financial oversight and enhancing cost management activity. Beyond billing, AWS Organisations integrates seamlessly with a variety of AWS services, including AWS Identity Center, AWS Security Hub, and AWS CloudTrail. These integrations enable organisations to strengthen security, streamline user access, and improve cloud governance. By leveraging AWS Organisations, MSPs can centralise management activities to enhance operational efficiency by reducing administrative overheads, mitigate risks, and ultimately drive better business outcomes for their customers.
The benefits of AWS Organisations for an MSP
As mentioned, AWS Organisations provides a multitude of benefits to MSPs, enabled by the integrations and features unlocked by the service. In my experience, amongst the many features and benefits afforded by the service, there are two features that have consistently proven to provide the greatest returns for an MSP in terms of time and cost optimisation:
Managing user access across multiple AWS accounts can be challenging. A common approach is to create individual users in each account. For example, if a user needs access to all accounts, the administrator must log into each one to set up users, permissions, and share credentials. This could mean managing hundreds of credential sets in larger setups.
A more efficient solution is AWS Identity Center. This service acts as a centralised login portal, enabling access to multiple accounts within the AWS Organisation. Once configured, administrators can create user groups and permission sets to control access based on group membership. Each user receives a single set of login credentials, simplifying management and off-boarding, as changes only require updates to group memberships or user deletions within Identity Center.
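The group-based model described above only simplifies off-boarding if every assignment actually goes through a group. The following is an added example, not code from this article or from AWS: it audits assignment records for users granted access directly and shows what access would survive a group-membership change. The records use the field names returned by the Identity Center ListAccountAssignments API; the account IDs, permission set names, group and user IDs are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample data. Field names follow ListAccountAssignments output;
# the PermissionSetArn values are short placeholders, not real ARNs.
ASSIGNMENTS = [
    {"AccountId": "111111111111", "PermissionSetArn": "ps-AdminAccess",
     "PrincipalType": "GROUP", "PrincipalId": "g-msp-ops"},
    {"AccountId": "222222222222", "PermissionSetArn": "ps-ReadOnly",
     "PrincipalType": "GROUP", "PrincipalId": "g-msp-ops"},
    {"AccountId": "222222222222", "PermissionSetArn": "ps-AdminAccess",
     "PrincipalType": "USER", "PrincipalId": "u-alice"},
    {"AccountId": "333333333333", "PermissionSetArn": "ps-ReadOnly",
     "PrincipalType": "GROUP", "PrincipalId": "g-customer-b"},
]

# Constructed group membership: group id -> user ids.
GROUP_MEMBERS = {
    "g-msp-ops": {"u-alice", "u-bob"},
    "g-customer-b": {"u-carol"},
}


def direct_user_assignments(assignments):
    """Assignments made to an individual user instead of a group."""
    return [a for a in assignments if a["PrincipalType"] == "USER"]


def effective_access(user_id, assignments, group_members):
    """Map account id -> {(permission set, how it was granted)} for one user."""
    access = defaultdict(set)
    for a in assignments:
        pid = a["PrincipalId"]
        if a["PrincipalType"] == "USER" and pid == user_id:
            access[a["AccountId"]].add((a["PermissionSetArn"], "direct"))
        elif a["PrincipalType"] == "GROUP" and user_id in group_members.get(pid, set()):
            access[a["AccountId"]].add((a["PermissionSetArn"], "group:" + pid))
    return dict(access)


def residual_after_group_removal(user_id, assignments):
    """Access that remains once the user is removed from every group."""
    return effective_access(user_id, assignments, group_members={})


if __name__ == "__main__":
    for a in direct_user_assignments(ASSIGNMENTS):
        print("direct assignment:", a["PrincipalId"], a["AccountId"], a["PermissionSetArn"])
    print("u-alice residual:", residual_after_group_removal("u-alice", ASSIGNMENTS))
```

Any non-empty residual is access that a group-membership update alone will not revoke, so it needs its own clean-up step or should be converted to a group assignment.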
AWS Savings Plans offer flexible pricing models that can lead to significant cost savings in exchange for a commitment to use specific resources over a one- or three-year term. There are two main types of Savings Plans:
For MSPs, Savings Plans can significantly enhance margins or enable cost savings to be passed on to customers. Managing multiple customers under the same AWS Organisation maximises the pool of compute resources, increasing opportunities for applying Savings Plans. Since MSPs may not control the types of compute used or the expected usage timeframe, purchasing Compute Savings Plans for their flexibility is advisable. It’s also recommended to acquire them in small increments monthly, and review the coverage of the accumulated Savings Plans every month to ensure it aligns with forecasted compute consumption.
However, if a customer prefers to manage Savings Plans for their own accounts, creating a separate AWS Organisation (as described in the Customer Managed Structure below) for that customer may be more efficient.
AWS Organisation Structures
To fully leverage AWS Organisations, structuring your organisation to align with business objectives and customer requirements is crucial. As an MSP, there are two primary approaches for setting up AWS Organisations:
1. MSP Partner Managed Structure
In a Partner Managed Structure, the management account is owned and controlled by the MSP partner or distributor. This account is accessible only by the partner, whilst customers do not have access. It is dedicated to overseeing billing and managing the AWS Organization without running any workloads.
Customer accounts are linked accounts within the AWS Organization, managed either by the partner or the customer. Each customer may have one or more AWS accounts based on their specific needs, such as maintaining separate accounts for non-production and production environments as depicted in the above diagram.
As the number of customer accounts grows, Organisational Units (OUs) can be utilised to group related accounts for better organisation. This setup allows for the implementation of custom management policies (Service Control Policies) and facilitates resource sharing between related accounts using AWS Resource Access Manager.
Additional Note: If you have customers in both the Public Sector and Commercial Sector, consider creating separate AWS Organisations for each. This separation provides clear boundaries for different security frameworks to be applied to meet different levels of security requirements, and additionally enables the calculation and tracking against sector-based business metrics.
2. Customer Managed Structure
In a Customer Managed Structure, customers seek a degree of control over capabilities typically reserved for the management account, such as AWS Organisations features, credit sharing, and third-party integrations. This approach is particularly beneficial as a customer's size and complexity grow, necessitating multiple accounts for various business processes—such as Security, PCI compliance, Development, and Finance.
In this scenario, while the partner retains ownership of the management account, access can be granted to the customer through AWS Identity Center or even through integrations with an external IdP such as the customer's own Active Directory. The linked accounts can be owned by either the customer or the partner, but all accounts within the Organisation are managed by the MSP on behalf of the single customer.
Conclusion
A well-architected account strategy empowers MSPs to scale effectively and enhance return on investment (ROI). The structures outlined in this article serve as guidelines; however, it is crucial for MSPs to assess both the current and future needs of their customers to determine the most suitable setup.
At NEXTGEN, we have a team of AWS Partner Development Managers, Cloud Architects, and Cloud Operation experts to help guide your business towards success in the cloud. As an AWS distributor, our role is to work closely with your business, to acutely understand what makes your business tick, and provide the commercial and technical support to accelerate towards your business goals. This could include offloading billing processes to NEXTGEN, guidance on how to leverage lucrative AWS funding programs, and unlocking margin benefits to help grow an annuity business, just to name a few.
If you have any questions or are interested to hear more on the topics discussed, please don’t hesitate to get in contact with our friendly AWS team (AWS@nextgen.group), and we will be able to guide you on the best approach for your business needs.