AWS Outposts is a fully managed service that extends AWS infrastructure, services, APIs, and tools to customer premises. By providing local access to AWS managed infrastructure, AWS Outposts enables customers to build and run applications on premises using the same programming interfaces as in AWS Regions, while using local compute and storage resources for lower latency and local data processing needs.
An Outpost is a pool of AWS compute and storage capacity deployed at a customer site. AWS operates, monitors, and manages this capacity as part of an AWS Region.
In many scenarios the AWS Outposts rack is shared across multiple application teams or stakeholders that use the rack to host their workloads and also consume the services offered on it. In such deployments, an Outposts rack is shared with different AWS accounts under the same AWS Organization, allowing effective use of the Outpost in a shared environment. These use cases span sectors including telecom, digital services, finance, and enterprise, where organizations need a solution to effectively manage shared Outpost resources. This Guidance provides a comprehensive solution for managing multi-account AWS Outposts deployments, enabling organizations to share Outpost resources across multiple Consumer accounts while maintaining control and visibility over resource utilization.
This Guidance shows how to monitor account-level resource utilization and enforce soft and hard limits on Outposts rack EC2 instances in member accounts that share the Outposts rack.
This Guidance provides the following features:
The solution uses two approaches to monitor the AWS Outposts rack.
- The first one is defining Amazon CloudWatch alerts on relevant CloudWatch metrics. For example, we have a metric that shows Amazon Simple Storage Service (Amazon S3) usage on the Outpost per consumer account. An alert definition might then be "trigger when consumer A exceeds 10 TiB usage". This alert creates an event in the solution that we can use to start an intervention. The solution also uses metrics and alerts to display a dashboard in CloudWatch detailing many aspects of consumer resource usage.
- The second approach to monitoring is using AWS service events. One of the services emitting such events is Amazon Elastic Compute Cloud (Amazon EC2). Whenever an EC2 instance transitions into another state, an event like "Instance i-123456789 has gone into pending" is generated. The solution uses Amazon EventBridge to capture such events and route them from the consumer account into the owner account.
For customers looking into observability and monitoring insights both at the consolidated Outposts level and at individual AWS accounts level, this solution offers one unified dashboard to view aggregated metrics.
The solution takes two approaches to interventions that work hand in hand. First, we use AWS Identity and Access Management (IAM). The solution assumes that every consumer accesses their AWS account through a well-defined IAM role. That role must be made known to the solution; otherwise, the solution creates a role in the consumer account.
- An IAM-based intervention then involves taking away relevant permissions from that role. For example, if too many EC2 instances have been launched, the permissions are altered such that no further instances can be launched from that specific consumer AWS account.
- The second approach is deleting resources that are above the threshold. For example, when the solution detects that too many EC2 instances are running in a consumer account, the most recently launched ones are terminated. The solution implements CloudWatch- and IAM-based monitoring and intervention for various services; service-event-based monitoring with IAM and termination interventions is only implemented for EC2 on the Outposts rack.
For customers looking to enforce quotas with soft and hard limits, the solution's web UI provides a mechanism for setting limits both at the consolidated Outposts level and for individual member AWS accounts that share the Outposts rack. This is especially helpful in B2B/B2G use cases where the Outpost owner wants to strictly enforce hard limits on EC2 instances for member accounts.
- B2B/B2G Managed Services Provider: A service provider deploys AWS Outposts racks in their data center to build and offer managed services to business and government customers. They create isolated environments for each client using AWS Resource Access Manager, implementing strict compliance and security controls required by government agencies. The provider offers services like dedicated environments, managed databases, and application hosting, billing customers based on resource consumption and agreed-upon SLAs. This approach allows the provider to cater to clients who need local data processing while leveraging AWS services.
- Centralized IT Procurement: An organization's central IT team procures and manages the Outposts infrastructure, then charges back their internal teams for usage. This approach allows for better resource utilization across the entire organization, centralized management of the hybrid cloud infrastructure, and more efficient cost allocation. The central IT team can implement governance policies, security standards, and monitoring solutions while allowing individual business units to leverage the power of Outposts for their specific needs. Charge-back is typically based on compute, storage, and network usage, often with different tiers of service and support.
- Telecom Digital Services/Private Cloud: A telecommunications provider leverages AWS Outposts as the foundation for their digital transformation and private cloud offerings. The Telco deploys Outposts across their regional data centers to support both internal digital services and customer-facing applications. The infrastructure is shared between multiple business units: the digital services team running consumer applications like video streaming platforms and smart home services, and the enterprise solutions team providing private cloud and managed services to business customers. Resource allocation is carefully managed through AWS RAM to ensure proper isolation between customer workloads and internal systems.
- Public Sector: Organizations like universities, government research labs, and educational institutions deploy Outposts to be shared between different business units such as Administrative Services, Research Departments, and Academic Computing divisions. This shared infrastructure allows for local processing of sensitive data, compute reservations for research projects, and low-latency content delivery for online services. Resource allocation is managed based on institutional priorities, research grant requirements, and peak usage periods like enrollment seasons. Different departments can access dedicated compute resources while maintaining compliance with government regulations and privacy requirements, and research departments can process large datasets locally while adhering to grant-specific data residency requirements.
This section provides a reference implementation architecture diagram for the components deployed with this Guidance.
- The Guidance is integrated with AWS IAM Identity Center for authentication. The web UI and its API are hosted in the AWS Outposts owner account; the API is exposed through AWS API Gateway, with AWS Web Application Firewall (WAF) providing IP-based access control. The AWS Lambda API handler executes the changes made in the UI.
- The AWS Outposts rack is shared with Consumer AWS accounts using AWS Resource Access Manager (RAM). Controlled resources on the Outposts rack such as Amazon EC2, Amazon EBS, and Amazon S3 on Outposts are made available this way.
- Alert thresholds are directly read from and written to the Amazon CloudWatch alert configuration. The solution uses the CloudWatch access role to view and read the alert definitions in the consumer account.
- The event management system is based on Amazon EventBridge and operates by routing AWS service notifications (for example, "an EC2 instance has started") from the Consumer account to the owner account.
- Such an event invokes the 'Event Processing' Lambda function, which assumes the LookupRole and retrieves up-to-the-second usage data from the Consumer account. The Lambda also reads all relevant alert settings from CloudWatch and decides whether an intervention should occur.
- The Event Processing Lambda then sends a message on the Amazon SNS Alert Topic to the 'Intervention Handler' Lambda function, which performs remedial actions as applicable.
- The CloudWatch alert-based system is triggered directly by CloudWatch when an alerting level is crossed.
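The cross-account leg of the event flow above, as an added illustration that is not the Guidance's own code: the EventBridge rule pattern a Consumer account would use for EC2 state changes, the resource policy the owner account's event bus needs so that only that Consumer can deliver events, and a small matcher that applies the pattern to a constructed event offline. Account ids, the bus name and the sample event are made up.

```python
"""Cross-account routing of EC2 state-change events, as described above (added
illustration, not the Guidance's own code). Account ids and the bus name are
made up. The rule pattern and bus policy use real EventBridge/IAM syntax; the
matcher applies the pattern offline so the flow can be checked without AWS."""
OWNER_ACCOUNT = "111122223333"     # assumed Outposts owner account
CONSUMER_ACCOUNT = "444455556666"  # assumed consumer account
OWNER_BUS_ARN = f"arn:aws:events:us-west-2:{OWNER_ACCOUNT}:event-bus/outposts-ops"

# Rule pattern for the consumer account: EC2 state transitions only, and only
# the states the Event Processing Lambda needs to see.
STATE_CHANGE_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["EC2 Instance State-change Notification"],
    "detail": {"state": ["pending", "running", "shutting-down", "terminated"]},
}

# Resource policy on the owner's event bus: only this consumer may PutEvents,
# so an arbitrary account cannot inject "instance started" events.
OWNER_BUS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowConsumerPutEvents",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{CONSUMER_ACCOUNT}:root"},
        "Action": "events:PutEvents",
        "Resource": OWNER_BUS_ARN,
    }],
}

def matches(pattern: dict, event: dict) -> bool:
    """Subset of EventBridge matching: every pattern key must be present in the
    event; nested dicts recurse; a leaf list means 'value is one of these'."""
    for key, want in pattern.items():
        if key not in event:
            return False
        if isinstance(want, dict):
            if not isinstance(event[key], dict) or not matches(want, event[key]):
                return False
        elif event[key] not in want:
            return False
    return True

# Constructed event of the shape EC2 emits in the consumer account (not a capture).
SAMPLE_EVENT = {
    "source": "aws.ec2",
    "detail-type": "EC2 Instance State-change Notification",
    "account": CONSUMER_ACCOUNT,
    "region": "us-west-2",
    "detail": {"instance-id": "i-0123456789abcdef0", "state": "pending"},
}
```

`matches(STATE_CHANGE_PATTERN, SAMPLE_EVENT)` is true, while the same event with a "stopped" state or an S3 source is filtered out before it ever reaches the owner bus.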
AWS Service | Role | Description |
---|---|---|
AWS EventBridge | Core service | Routes operational events and notifications for Outposts resources |
AWS Lambda | Core service | Executes event processing and intervention handling for automated remediation |
Amazon CloudWatch | Core service | Monitors resources and manages alert configurations for capacity management |
AWS IAM Identity Center | Core service | Manages user authentication and access control for the web UI |
Amazon SNS | Core service | Handles message delivery between Event Processing and Intervention Handler Lambda functions |
AWS API Gateway | Supporting service | Hosts APIs and routes requests from web UI to Lambda handlers |
AWS WAF | Supporting service | Provides IP-based access control for the web interface |
AWS RAM | Supporting service | Enables resource sharing between owner and consumer accounts |
IAM Roles | Supporting service | Manages cross-account permissions and access controls |
Amazon S3 | Supporting service | Hosts web UI static content |
Amazon EC2 on Outposts | Supporting service | Managed resource on Outposts rack |
Amazon EBS on Outposts | Supporting service | Managed resource on Outposts rack |
Amazon S3 on Outposts | Supporting service | Managed resource on Outposts rack |
You are responsible for the cost of the AWS services used while running this guidance. As of August 2025, the cost for running this guidance with the default settings in the US West (Oregon) us-west-2 Region is approximately $98.50/month.
We recommend creating a budget through AWS Cost Explorer to help manage costs. Prices are subject to change. For full details, refer to the pricing webpage for each AWS service used in this guidance.
The following table provides a sample cost breakdown for deploying this guidance with the default parameters in the us-east-1 (N. Virginia) Region for one month. This estimate is based on the AWS Pricing Calculator output for the full deployment as per the guidance.
Note: The following cost table does not include the cost of using the AWS Outposts rack appliance. Customers will have to procure an Outpost rack in order to deploy this solution.
AWS service | Dimensions | Cost, month [USD] |
---|---|---|
AWS Lambda | Event Processing & Intervention Handler: 100,000 invocations/month, 512MB memory, 500ms avg duration | 20.00 |
Amazon CloudWatch | 25 custom metrics, log storage 10GB, API requests | 30.00 |
AWS API Gateway | 1M API calls/month, 1 API, data transfer 50GB | 35.00 |
Amazon SNS | 100,000 messages/month, standard topic | 0.50 |
AWS EventBridge | 1M custom events/month, 1 event bus | 1.00 |
AWS WAF | 1 web ACL, 2 rules, 1M requests/month | 7.00 |
Amazon S3 | Web UI static content: 1GB storage, 100K requests | 0.50 |
AWS IAM Identity Center | User authentication and management | free |
AWS Resource Access Manager | Resource sharing between accounts | free |
Amazon Virtual Private Cloud (VPC) | 1 VPC, 2 subnets, data transfer 50GB | 4.50 |
TOTAL | | 98.50 |
For a more accurate estimate based on your specific configuration and usage patterns, we recommend using the AWS Pricing Calculator.
When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This shared responsibility model reduces your operational burden because AWS operates, manages, and controls the components including the host operating system, the virtualization layer, and the physical security of the facilities in which the services operate. For more information about AWS security, visit AWS Cloud Security.
- Ensure only authorized personnel have access to the data. Follow the official AWS IAM Security Best Practices when creating and giving access to users in the AWS Account.
- Scoping least-privilege permissions can be simplified using:
  - IAM policy simulator to test the effect of policy changes
  - IAM Access Analyzer to generate an IAM policy for an entity based on its access
- Security best practices for Amazon S3:
  - Access Logging
  - MFA delete
  - Versioning
  - Default Encryption
  - SSL Only
This Guidance uses the AWS Outposts service, which is not currently available in all AWS Regions. You must launch this solution in an AWS Region where the AWS Outposts service is available. For the most current availability of AWS services by Region, refer to the AWS Regional Services List.
Guidance for Multi Account Outposts Operations on AWS is supported in the following AWS Regions:
Region Name | Region Name |
---|---|
US East (Ohio) | AWS GovCloud (US-West) |
US East (N. Virginia) | AWS GovCloud (US-East) |
US West (Northern California) | Middle East (Bahrain) |
US West (Oregon) | Middle East (UAE) |
Canada (Central) | Israel (Tel Aviv) |
South America (São Paulo) | Africa (Cape Town) |
EU (Frankfurt) | Asia Pacific (Singapore) |
EU (Stockholm) | Asia Pacific (Sydney) |
EU (Ireland) | Asia Pacific (Jakarta) |
EU (Milan) | Asia Pacific (Tokyo) |
EU (Spain) | Asia Pacific (Seoul) |
EU (London) | Asia Pacific (Osaka) |
Europe (Paris) | Asia Pacific (Mumbai) |
An AWS Outpost appliance configured with:
- One AWS account, called the Customer account, which owns the Outpost
- One or more accounts, called the Consumer accounts, which share their Amazon CloudWatch metrics with the Customer account
- A local machine with the following software installed:
  - Node.js v20.x
  - pnpm v8.0.0+
  - AWS CLI v2.15.45+
  - AWS CDK v2.137.0+
Before you launch the Guidance, review the cost, architecture, security, and other considerations discussed above. Follow the step-by-step instructions in this section to configure and deploy the Guidance into your account.
- Configure AWS Command Line Interface (CLI)
- Clone the sample code repository to your local machine
- Configure Solution Stage
- Configure CICD pipeline
- Deploy Solution Stage
- Set up IAM Identity Center
- Configure the Solution UI as a SAML Service Provider
- Create an SSO user and associate it with the SAML app
- Using the Solution - Signing into the UI
- Configure Soft and Hard Limits on Outposts EC2 instances for Member AWS Accounts
Please refer to the Implementation Guide for detailed instructions for guidance deployment, validation, troubleshooting and uninstall options.
Customers are responsible for making their own independent assessment of the information in this Guidance. This Guidance: (a) is for informational purposes only, (b) represents AWS current product offerings and practices, which are subject to change without notice, and (c) does not create any commitments or assurances from AWS and its affiliates, suppliers or licensors. AWS products or services are provided “as is” without warranties, representations, or conditions of any kind, whether express or implied. AWS responsibilities and liabilities to its customers are controlled by AWS agreements, and this Guidance is not part of, nor does it modify, any agreement between AWS and its customers.
This library is licensed under the MIT-0 License. See the LICENSE file. Need to clarify on the licensing model for this.