Opsitron manages infrastructure across a multi-account AWS Organization, following AWS best practices for account separation and security.
## Account Types
| Account | Purpose | Example |
|---|---|---|
| Management | AWS Organization root, billing, Identity Center | acme-management |
| Network | Transit Gateway, VPCs, DNS zones, Network Firewall | acme-network |
| SharedServices | ECR repositories, artifact buckets, shared tooling | acme-shared-services |
| Workload | Application environments (dev, stage, prod) | acme-dev, acme-prod |
| Security | GuardDuty, Security Hub, audit logs | acme-security |
| Log Archive | Centralized CloudTrail and VPC flow logs | acme-log-archive |
## Landing Zone Accelerator (LZA)
For clients with AWS Organizations, Opsitron integrates with AWS Landing Zone Accelerator to provision and configure accounts:
- Account vending — new accounts created via configuration, not console clicks
- Security baselines — GuardDuty, Security Hub, Config Rules applied automatically
- Network architecture — Hub-and-spoke VPC topology with optional inspection, endpoints, and ingress VPCs
- Service Control Policies — organization-wide guardrails preventing dangerous actions
## Network Profiles
Opsitron manages LZA network configuration through network profiles — cost tiers that match your needs:
| Profile | Monthly Cost | What’s Included |
|---|---|---|
| Minimal | ~$108 | Egress VPC with single NAT Gateway |
| Standard | ~$200-400 | + Central endpoints, HA NAT, ingress VPC |
| Enterprise | ~$800+ | + Network Firewall, inspection VPC |
Network profiles can be adjusted at any time through the Opsitron portal. Changes are applied via LZA’s CodePipeline.
## Cross-Account Access
Opsitron uses cross-account IAM roles for all operations:
- Agent Role (read-only) — used by AI agents to inspect infrastructure
- Deployment Role — used by GitHub Actions for terraform plan/apply (via OIDC federation)
- Admin Role — used only for emergencies, requires separate credentials
No long-lived credentials are stored. GitHub Actions authenticates via OIDC, and the Opsitron platform uses STS AssumeRole for cross-account access.
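The OIDC trust relationship described above, as an added example that is not Opsitron's own code: a trust policy for the Deployment Role that accepts only GitHub OIDC tokens issued for the STS audience and for one repository and branch, together with a small evaluator that applies those conditions to constructed token claims and a check that the `sub` condition is pinned rather than wildcarded. The account ID, repository name and role name are placeholders, and the evaluator models only the `StringEquals` and `StringLike` operators.

```python
"""
Added example (not Opsitron's code): GitHub OIDC -> AWS deployment role trust
policy, with an offline evaluator for its conditions.
"""
import fnmatch
import json
from typing import Optional

# Placeholder values; substitute your own account, repository and provider.
ACCOUNT_ID = "111111111111"
GITHUB_ORG_REPO = "acme/infra"
OIDC_ISSUER = "https://token.actions.githubusercontent.com"
GITHUB_OIDC_PROVIDER_ARN = (
    f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/token.actions.githubusercontent.com"
)
CLAIM_NS = "token.actions.githubusercontent.com"

# Trust policy for the deployment role. Only tokens issued by the GitHub OIDC
# provider, for the STS audience, from the main branch of one repository may
# call sts:AssumeRoleWithWebIdentity on it.
DEPLOYMENT_ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Federated": GITHUB_OIDC_PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{CLAIM_NS}:aud": "sts.amazonaws.com"},
                "StringLike": {
                    f"{CLAIM_NS}:sub": f"repo:{GITHUB_ORG_REPO}:ref:refs/heads/main"
                },
            },
        }
    ],
}


def _condition_holds(operator: str, expected: str, actual: Optional[str]) -> bool:
    """Evaluate one IAM condition pair. A missing claim never satisfies it."""
    if actual is None:
        return False
    if operator == "StringEquals":
        return actual == expected
    if operator == "StringLike":
        # IAM StringLike supports '*' and '?'; fnmatch is a close stand-in.
        return fnmatch.fnmatchcase(actual, expected)
    raise ValueError(f"unsupported operator {operator}")


def token_may_assume(trust_policy: dict, claims: dict) -> bool:
    """Return True if a token with these claims satisfies an Allow statement.

    Claims are the decoded JWT payload; condition keys of the form
    '<provider>:<claim>' are looked up by their claim name.
    """
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        if claims.get("iss") != OIDC_ISSUER:  # issuer must be the federated provider
            continue
        satisfied = all(
            _condition_holds(op, expected, claims.get(key.split(":", 1)[1]))
            for op, pairs in stmt.get("Condition", {}).items()
            for key, expected in pairs.items()
        )
        if satisfied:
            return True
    return False


def sub_is_pinned(trust_policy: dict) -> bool:
    """Defender check: every 'sub' condition must name one repository and one
    ref with no wildcard. A value such as 'repo:acme/*' or '*' would let any
    repository in the organization (or any GitHub workflow) assume the role."""
    for stmt in trust_policy["Statement"]:
        subs = [
            v
            for pairs in stmt.get("Condition", {}).values()
            for k, v in pairs.items()
            if k.endswith(":sub")
        ]
        if not subs:
            return False
        for sub in subs:
            if not sub.startswith("repo:") or "*" in sub or "?" in sub:
                return False
    return True


# Constructed token claims for illustration (not real tokens).
MAIN_BRANCH_TOKEN = {
    "iss": OIDC_ISSUER,
    "aud": "sts.amazonaws.com",
    "sub": f"repo:{GITHUB_ORG_REPO}:ref:refs/heads/main",
}
PULL_REQUEST_TOKEN = {**MAIN_BRANCH_TOKEN, "sub": f"repo:{GITHUB_ORG_REPO}:pull_request"}
OTHER_REPO_TOKEN = {**MAIN_BRANCH_TOKEN, "sub": "repo:someone-else/infra:ref:refs/heads/main"}
WRONG_AUDIENCE_TOKEN = {**MAIN_BRANCH_TOKEN, "aud": "https://github.com/acme"}

if __name__ == "__main__":
    print(json.dumps(DEPLOYMENT_ROLE_TRUST_POLICY, indent=2))
    for name, tok in [("main", MAIN_BRANCH_TOKEN), ("pr", PULL_REQUEST_TOKEN),
                      ("fork", OTHER_REPO_TOKEN), ("aud", WRONG_AUDIENCE_TOKEN)]:
        print(name, token_may_assume(DEPLOYMENT_ROLE_TRUST_POLICY, tok))
```

The two conditions do different jobs: `aud` stops a token minted for another relying party from being replayed against STS, and the pinned `sub` limits which repository and ref can deploy. Pull-request tokens carry a different `sub` and are rejected, which is what you want for a role that runs `terraform apply`.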
## Security Controls
- SCP Guardrails — prevent deletion of security resources, enforce encryption, restrict regions
- VPC Flow Logs — all network traffic logged to centralized S3
- CloudTrail — API call logging across all accounts
- Security Hub — automated security findings with remediation tracking
- GuardDuty — threat detection across all accounts
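The SCP guardrails listed above, as an added example that is neither Opsitron's nor LZA's own policy: one service control policy with a statement for each guardrail family (protect security tooling from deletion, enforce encryption, restrict regions), plus a small evaluator that reports which statement would deny a constructed request. The approved region list, the break-glass role name and the account ID are placeholders; the evaluator models only Deny statements and the four condition operators the policy uses.

```python
"""
Added example (not Opsitron's or LZA's policy): an organization-wide SCP and
an offline evaluator for its Deny statements.
"""
import fnmatch
from typing import Optional

ALLOWED_REGIONS = ["us-east-1", "eu-west-1"]  # placeholder list
# Hypothetical break-glass role that may still touch security tooling.
ADMIN_ROLE_PATTERN = "arn:aws:iam::*:role/OpsitronAdminRole"

GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Nobody except the break-glass role may switch off audit and detection
            "Sid": "ProtectSecurityTooling",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                "guardduty:DeleteDetector", "securityhub:DisableSecurityHub",
                "config:StopConfigurationRecorder", "config:DeleteConfigurationRecorder",
            ],
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": ADMIN_ROLE_PATTERN}},
        },
        {   # Refuse creation of unencrypted EBS volumes
            "Sid": "EnforceEbsEncryption",
            "Effect": "Deny",
            "Action": "ec2:CreateVolume",
            "Resource": "*",
            "Condition": {"Bool": {"ec2:Encrypted": "false"}},
        },
        {   # Deny everything outside approved regions, exempting global services
            "Sid": "RestrictRegions",
            "Effect": "Deny",
            "NotAction": ["iam:*", "sts:*", "organizations:*",
                          "route53:*", "cloudfront:*", "support:*"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}},
        },
    ],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _action_matches(stmt: dict, action: str) -> bool:
    """Action lists match with IAM wildcards; NotAction inverts the match."""
    if "Action" in stmt:
        return any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
    return not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["NotAction"]))


def _condition_holds(operator: str, expected, actual: Optional[str]) -> bool:
    """One condition pair. Negated operators are true when the key is absent,
    which is why a missing context key can still trigger a Deny."""
    expected = _as_list(expected)
    if operator == "StringEquals":
        return actual is not None and actual in expected
    if operator == "StringNotEquals":
        return actual is None or actual not in expected
    if operator == "Bool":
        return actual is not None and str(actual).lower() == expected[0].lower()
    if operator == "ArnNotLike":
        return actual is None or not any(fnmatch.fnmatchcase(actual, p) for p in expected)
    raise ValueError(f"unsupported operator {operator}")


def scp_denies(policy: dict, request: dict) -> Optional[str]:
    """Return the Sid of the first Deny statement matching the request, else None.

    request holds 'action' plus condition context keys such as
    'aws:RequestedRegion', 'aws:PrincipalArn' and 'ec2:Encrypted'.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or not _action_matches(stmt, request["action"]):
            continue
        if all(
            _condition_holds(op, expected, request.get(key))
            for op, pairs in stmt.get("Condition", {}).items()
            for key, expected in pairs.items()
        ):
            return stmt["Sid"]
    return None


# Constructed requests for illustration.
DEPLOY_ROLE = "arn:aws:iam::111111111111:role/DeploymentRole"
ADMIN_ROLE = "arn:aws:iam::111111111111:role/OpsitronAdminRole"
STOP_TRAIL = {"action": "cloudtrail:StopLogging",
              "aws:PrincipalArn": DEPLOY_ROLE, "aws:RequestedRegion": "us-east-1"}
STOP_TRAIL_ADMIN = {**STOP_TRAIL, "aws:PrincipalArn": ADMIN_ROLE}
PLAIN_VOLUME = {"action": "ec2:CreateVolume", "ec2:Encrypted": "false",
                "aws:PrincipalArn": DEPLOY_ROLE, "aws:RequestedRegion": "eu-west-1"}
FAR_AWAY_VOLUME = {**PLAIN_VOLUME, "ec2:Encrypted": "true",
                   "aws:RequestedRegion": "ap-southeast-2"}
GLOBAL_CALL = {"action": "sts:GetCallerIdentity",
               "aws:PrincipalArn": DEPLOY_ROLE, "aws:RequestedRegion": "ap-southeast-2"}

if __name__ == "__main__":
    for req in (STOP_TRAIL, STOP_TRAIL_ADMIN, PLAIN_VOLUME, FAR_AWAY_VOLUME, GLOBAL_CALL):
        print(req["action"], "->", scp_denies(GUARDRAIL_SCP, req))
```

An SCP never grants anything; it only caps what IAM in the member account can allow, so the break-glass exemption in `ProtectSecurityTooling` still needs a matching IAM permission on the admin role to do anything. The `NotAction` list in `RestrictRegions` is the usual trap: leave a global service off it and every call to that service is denied from every region.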