「1つの AWS アカウントで開発も本番もやっている会社をまだ見かける。それは火事場と寝室が同じ部屋にあるようなものだ。マルチアカウント戦略は、クラウドネイティブ組織の必須条件だよ」と佐藤CTOが警告した。

推定読了時間: 40分

AWS Organizations によるマルチアカウント

アカウント構成パターン

graph TD
    Root["Management Account
ルート"] --> Sec["Security OU"]
    Root --> Infra["Infrastructure OU"]
    Root --> WL["Workloads OU"]
    Root --> SB["Sandbox OU"]

    Sec --> Audit["Audit Account
CloudTrail, Config 集約"]
    Sec --> Log["Log Archive Account
ログ集約"]

    Infra --> NetHub["Network Hub Account
Transit Gateway, DNS"]
    Infra --> Shared["Shared Services Account
ECR, CI/CD"]

    WL --> DevOU["Dev OU"]
    WL --> StgOU["Staging OU"]
    WL --> PrdOU["Prod OU"]

    DevOU --> TeamA["TeamA-Dev Account"]
    DevOU --> TeamB["TeamB-Dev Account"]
    StgOU --> StgAcc["Staging Account"]
    PrdOU --> PrdAcc["Prod Account"]
    PrdOU --> PrdDR["Prod-DR Account"]

    SB --> Exp1["Experiment-1 Account"]
    SB --> Exp2["Experiment-2 Account"]

    style Root fill:#1e293b,stroke:#475569,color:#f8fafc
    style Sec fill:#fee2e2,stroke:#dc2626,color:#991b1b
    style Infra fill:#dbeafe,stroke:#2563eb,stroke-width:2px,color:#1e40af
    style WL fill:#d1fae5,stroke:#059669,color:#065f46
    style SB fill:#fef3c7,stroke:#d97706,stroke-width:2px,color:#92400e
    style DevOU fill:#d1fae5,stroke:#059669,color:#065f46
    style StgOU fill:#d1fae5,stroke:#059669,color:#065f46
    style PrdOU fill:#d1fae5,stroke:#059669,color:#065f46

アカウント分離の原則

Landing Zone の設計

AWS Control Tower

graph TD
    CT["Control Tower がセットアップするもの"]

    CT --> Mgmt["Management Account"]
    CT --> AuditAcc["Audit Account"]
    CT --> LogAcc["Log Archive Account"]

    Mgmt --> Org["AWS Organizations"]
    Mgmt --> SSO["AWS SSO
IAM Identity Center"]
    Mgmt --> SC["Service Catalog"]
    Mgmt --> AF["Account Factory"]

    AuditAcc --> Cfg["AWS Config
集約ルール"]
    AuditAcc --> Trail["CloudTrail
組織トレイル"]
    AuditAcc --> Guard["Guardrails
予防/検出"]

    LogAcc --> S3CT["S3
CloudTrail ログ"]
    LogAcc --> S3Cfg["S3
Config ログ"]
    LogAcc --> S3VPC["S3
VPC フローログ"]

    style CT fill:#1e293b,stroke:#475569,color:#f8fafc
    style Mgmt fill:#dbeafe,stroke:#2563eb,stroke-width:2px,color:#1e40af
    style AuditAcc fill:#fee2e2,stroke:#dc2626,color:#991b1b
    style LogAcc fill:#fef3c7,stroke:#d97706,stroke-width:2px,color:#92400e

Guardrails（ガードレール）

// SCP: ap-northeast-1 と us-east-1 以外のリージョンでのリソース作成を禁止
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyNonApprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "support:*",
        "budgets:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "ap-northeast-1",
            "us-east-1"
          ]
        }
      }
    }
  ]
}

// SCP: root ユーザーの利用を禁止
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRootUser",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:root"
        }
      }
    }
  ]
}

環境プロモーション戦略

GitOps による環境プロモーション

graph TD
    A["feature branch"] -->|PR| B["main branch"]
    B -->|"自動デプロイ"| C["Dev Account"]
    C -->|"テスト通過"| D["staging branch"]
    D -->|"自動デプロイ"| E["Staging Account"]
    E -->|"QA承認 + 負荷テスト"| F["release branch"]
    F -->|"承認後デプロイ"| G["Prod Account"]

    classDef branch fill:#9b59b6,stroke:#8e44ad,color:#fff
    classDef env fill:#3498db,stroke:#2980b9,color:#fff
    class A,B,D,F branch
    class C,E,G env

Terraform による環境プロモーション

# environments/dev/main.tf
module "app" {
  source = "../../modules/app"

  environment    = "dev"
  instance_type  = "t3.micro"
  desired_count  = 1
  db_instance    = "db.t3.micro"
  multi_az       = false
  enable_waf     = false

  providers = {
    aws = aws.dev
  }
}

# environments/prod/main.tf
module "app" {
  source = "../../modules/app"

  environment    = "prod"
  instance_type  = "m6i.large"
  desired_count  = 4
  db_instance    = "db.r6g.xlarge"
  multi_az       = true
  enable_waf     = true

  providers = {
    aws = aws.prod
  }
}

クロスアカウント IAM ロール

# CI/CD アカウントから本番アカウントへのデプロイ用ロール
resource "aws_iam_role" "deploy_role" {
  provider = aws.prod
  name     = "cicd-deploy-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::${var.cicd_account_id}:role/github-actions-role"
        }
        Action = "sts:AssumeRole"
        Condition = {
          StringEquals = {
            "sts:ExternalId" = var.external_id
          }
        }
      }
    ]
  })
}

resource "aws_iam_role_policy" "deploy_policy" {
  provider = aws.prod
  role     = aws_iam_role.deploy_role.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "ecs:UpdateService",
          "ecs:DescribeServices",
          "ecs:RegisterTaskDefinition",
          "ecr:GetAuthorizationToken",
          "ecr:BatchGetImage"
        ]
        Resource = "*"
      }
    ]
  })
}

GitOps for Infrastructure

ArgoCD + Terraform の連携

# ArgoCD ApplicationSet で環境ごとに Application を自動生成
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: infrastructure
  namespace: argocd
spec:
  generators:
    - list:
        elements:
          - environment: dev
            cluster: dev-cluster
            account: "111111111111"
          - environment: staging
            cluster: staging-cluster
            account: "222222222222"
          - environment: prod
            cluster: prod-cluster
            account: "333333333333"
  template:
    metadata:
      name: "infra-{{environment}}"
    spec:
      project: infrastructure
      source:
        repoURL: https://github.com/myorg/k8s-manifests.git
        targetRevision: main
        path: "infrastructure/overlays/{{environment}}"
      destination:
        server: "https://{{cluster}}.eks.amazonaws.com"
        namespace: kube-system
      syncPolicy:
        automated:
          prune: true
          selfHeal: true

Atlantis による Terraform PR ワークフロー

# atlantis.yaml
version: 3
projects:
  - name: networking-prod
    dir: terraform/environments/prod/networking
    workflow: prod
    autoplan:
      when_modified:
        - "*.tf"
        - "../../modules/networking/**"

  - name: compute-prod
    dir: terraform/environments/prod/compute
    workflow: prod
    autoplan:
      when_modified:
        - "*.tf"
        - "../../modules/compute/**"

workflows:
  prod:
    plan:
      steps:
        - init
        - plan:
            extra_args: ["-var-file", "prod.tfvars"]
    apply:
      steps:
        - apply
    # prod は手動 apply のみ（atlantis apply コメントで実行）

PR での Atlantis ワークフロー:

1. PR 作成 → Atlantis が自動で `terraform plan`
2. Plan 結果が PR コメントに表示
3. レビュー・承認
4. `atlantis apply` コメントで適用
5. Apply 結果が PR コメントに表示
6. PR マージ

ネットワーク設計（マルチアカウント）

graph TD
    subgraph Hub["Network Hub Account"]
        TGW["Transit Gateway"]
        R53["Route 53 Private Hosted Zone<br/>*.internal.myorg.com"]
    end

    TGW --> SS["VPC: Shared Services<br/>(10.0.0.0/16)"]
    TGW --> DEV["VPC: Dev<br/>(10.1.0.0/16)"]
    TGW --> STG["VPC: Staging<br/>(10.2.0.0/16)"]
    TGW --> PRD["VPC: Prod<br/>(10.3.0.0/16)"]
    TGW --> ON["VPN/Direct Connect<br/>→ On-premises"]

    classDef hub fill:#2c3e50,stroke:#1a252f,color:#fff
    classDef vpc fill:#3498db,stroke:#2980b9,color:#fff
    classDef onprem fill:#e67e22,stroke:#d35400,color:#fff
    class TGW,R53 hub
    class SS,DEV,STG,PRD vpc
    class ON onprem

まとめ

チェックリスト

• マルチアカウント構成の設計原則を説明できる
• AWS Control Tower / Landing Zone の構成要素を理解している
• SCP でガードレールを設定できる
• 環境プロモーション戦略を設計できる
• クロスアカウント IAM ロールを設計できる

次のステップへ

Step 4 の演習とクイズで、IaC の実践力を確認しましょう。