Skip to main content

ADR-009 Use separate AWS accounts for data domains and products

Status

✅ Accepted

Context

The Analytical Platform will need to provide a secure location to store and share data to those who have been granted access. The use of a multi-account strategy will give the Analytical Platform a scalable storage architecture which adheres to the AWS Well-Architected Framework pillars on operational excellence, security, reliability, and cost optimisation.

Decision

We will use separate AWS accounts to isolate, secure, and govern data where needed. This may include scenarios where data is sensitive or where a particular domain has specific operational, compliance, or data governance requirements. AWS Lake Formation will be used to securely manage permissions and facilitate data sharing across these accounts, ensuring that authorised users and services have the appropriate level of access.

By allocating resources and datasets to distinct AWS accounts, we simplify cost attribution, reinforce security boundaries, and empower owners with greater control and for their datasets.

Proposal Consequences

General consequences

  • A shift in ownership and responsibility of cloud resources back to the teams that own the data
  • We will need to understand what account owners need outside of single sign on, and account bootstrap
  • Cost will be visible to owners and aligns with the Technology Code of Practice point 12, make your service sustainable
  • Align with NCSC cloud security guidance on separation between customers (in our case domains) to defend against another customer having e.g. malicious code execution
  • We will need to work with Modernisation Platform on improving our ability to dispense data accounts and ensure we do not impact their support
  • We will define Service Control Policies against AWS Organizations
  • We will need functionality for users to request access to data and for Data Owners to approve
  • We will be able to give teams access to a project or temporary accounts for research (this could include other managed analytical tooling e.g. SageMaker) which then can be securely closed down with all associated resources removed
  • Observability of accounts and data is simplified for account owners

Using separate AWS (Amazon Web Services) accounts for storing data will serve several purposes for MoJ, each contributing to improved governance, security, manageability, efficiency and enabling fine-grained control of access.

This page was last reviewed on 19 December 2024. It needs to be reviewed again on 19 June 2025 by the page owner #analytical-platform-notifications .