
A lot of us are busy solving business needs in smaller companies/startups and don't have the time nor expertise to learn every single AWS service and come up with a justification for utilizing it.


A lot of these tools actually make your life easier and faster in the long run.

Control Tower, for example. Takes about 30 mins to set up on normal AWS (on GovCloud it was much more complicated, took me half a day). But then setting up new accounts is one click and it’s preconfigured with correct restrictions and security measures, which individually would take several hours per account to do without Control Tower. So it’s an easy savings from the beginning. The only real cost is the cost of AWS Config. So if you’re using that already (for SecurityHub for example) then it’s nothing additional.

IAM Identity Center makes user management not only more secure but faster and easier. It will take half a day to maybe a full day to set up the first time. But now every new user will be a few clicks with access across multiple AWS accounts. You can remove them in one click across all accounts. So these are just really simple additions to your workflow that save you time and improve security.

SSM is another example. It’s adding a policy to your instance role and checking a box (or adding a flag in Terraform or CLI) and it’s enabled. It’s no additional cost. It saves you time because you don’t need to manage user accounts on the server anymore (they are managed broadly through IAM or PermissionSets). No more copying around SSH keys or rotating them when people leave. It improves security and saves you time.

There’s little (if any at all) downside to any of these things. It’s all upside. For the most part, these don’t even have any significant costs associated with them. They are generally provided for free where your only cost is the underlying resources that you’re managing, which of course you’re paying for regardless.


I should add: with Identity Center (previously called AWS SSO) you can tie it into your G-Suite or Microsoft 365 and just have it create AWS accounts for new hires as you onboard them by making email accounts. When they leave it automatically removes their access.

Not to mention the quality of life on this tool is incredible. When you truly have tens or hundreds of AWS accounts, the SSO tool makes it so nice to jump between them as an actual user. And I’m actually a huge fan of the CLI integration to get CLI access to any of them with a simple command on the AWS CLI. It’s super slick and will save you probably 5 hours the first week you use it.

We started using it a year ago and it’s been a game changer at our organization. As a user I don’t ever want to go back to normal IAM. Such a pain.


I understand your frustrations with AWS, and I get that solutions for enterprises don't always work for smaller companies, but when someone describes a solution that reduces operational complexity while increasing security, they should get thanks. It's not their fault that AWS has too many services.


I think this is very important and generally poorly understood:

Scaling problems exist both up and down.

In exactly the same way there are solutions that work well in the small but become disproportionately expensive when you scale them up, there are solutions that are cost-effective on a large scale that become prohibitively expensive on a smaller scale.

The latter category includes a large chunk of enterprise-y cloud solutions.


Control Tower is literally a click once and it sets everything up for you.


This is an example of why the basic AWS Cloud Architect Associate exam is a good idea. It's how I learned about Control Tower (after using AWS for years).



