Listing all users under AWS organization multi accounts - amazon-iam

I need a best practice for how to automate listing all users at once across the multiple accounts under our AWS Organization, using the AWS CLI with any script.
I have tried all possible AWS CLI commands, but they are all for manual steps and for listing users individually. I also tried to get the credentials report for all accounts, but it didn't work for all of them; again I had to go through each account manually to get its credential report. We have more than 300 accounts under our AWS Organization, so I want to automate this task, not do it manually.

I’m not aware of a tool that can accomplish this (but that doesn’t mean that it doesn’t exist).
That being said, I would recommend a different approach to user management across a multi-account organisation:
Create exactly one account where all user accounts are managed and into which users log in.
Allow usage of other accounts only through assuming roles.
Disallow creating users in other accounts via SCP.
I understand that you already have an existing organisation with lots of accounts and probably even more users. Setting this up would probably be a very painful activity; especially if users are used for technical purposes (e.g. deployments) as well. But it might be worth the effort as you will have a much easier user management in the future.
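For the inventory the question asks for, an added example (not from the thread): a POSIX sh script that enumerates the organization's active accounts, assumes a role in each and lists that account's IAM users. It assumes management-account credentials, AWS CLI v2, and a role named OrganizationAccountAccessRole in every member account (override with ORG_ROLE_NAME if yours is named differently).

```shell
#!/bin/sh
# Added example, not from the thread: inventory every IAM user in every active
# member account of the organization. Assumes management-account credentials,
# a role named OrganizationAccountAccessRole in each member account (override
# with ORG_ROLE_NAME) and AWS CLI v2. Output is CSV on stdout; failures per
# account go to stderr so one broken account does not stop the run.
set -eu
ROLE_NAME="${ORG_ROLE_NAME:-OrganizationAccountAccessRole}"

# ARN of the cross-account role in one member account.
role_arn_for() {
    printf 'arn:aws:iam::%s:role/%s' "$1" "$2"
}

# Ids of all ACTIVE accounts, one per line (the CLI pages through the results).
list_active_accounts() {
    aws organizations list-accounts --output text \
        --query 'Accounts[?Status==`ACTIVE`].Id' </dev/null | tr '\t' '\n'
}

# Assume the role in one account and print "AccountId,UserName,CreateDate" per user.
# The temporary credentials are passed only as an environment prefix to the one
# command that needs them, so they never replace the caller's own credentials.
list_users_in_account() {
    acct="$1"
    creds=$(aws sts assume-role \
        --role-arn "$(role_arn_for "$acct" "$ROLE_NAME")" \
        --role-session-name iam-user-inventory --duration-seconds 900 \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
        --output text </dev/null) || { echo "$acct: assume-role failed, skipped" >&2; return 0; }
    set -f; set -- $creds; set +f   # split on whitespace without globbing: key, secret, token
    AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3" \
        aws iam list-users --output text \
        --query "Users[].['$acct',UserName,CreateDate]" </dev/null | tr '\t' ','
}

main() {
    echo 'AccountId,UserName,CreateDate'
    for acct in $(list_active_accounts); do
        list_users_in_account "$acct"
    done
}

# usage: sh list_org_users.sh run > users.csv
case "${1:-}" in run) main ;; esac
```

The same assume-role loop works for the credential report mentioned in the question: replace the `aws iam list-users` call with `aws iam generate-credential-report` followed by `aws iam get-credential-report`.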

Related

Best practice for using AWS and serverless CLIs for both professional and educational projects from the same computer?

I am using AWS and the Serverless Framework at work. Work credentials are stored in the ~/.aws/credentials file.
What is the best practice to be able to use the AWS and Serverless CLIs from the same computer account without risking deploying my educational projects to the work account, or even worse, deploying work stuff on my educational account?
It can't be that I always need to specify the credentials I want to use whenever I write an aws/serverless command, because sometimes I will forget. It is okay if using the CLI tools in the educational project becomes more cumbersome.
All your risk is coming from the fact that you are wanting to do demos using your personal AWS account with your work computer. I for example have a profile on my work computer, which relates to a limited read only role of my personal AWS account to some code commit repos and s3 buckets. Any more than that would be a risk, and depending on the organization you work for, completely unacceptable.
The best solution would be that your work gives you a sandbox account for you to demo and play around with. This is what my work does as well. I would fully pursue that avenue before going ahead using your own account.
If you do go ahead with using your own account there are a few choices. Profiles have been around for a while and that has been mentioned. But personally I have found it easy to make a mistake. Limiting permissions of your cli to your work account will mitigate this. Doing a Read operation on the wrong account is not as bad as deleting something. But I've found that some cli tools will have different conventions with what profile they use, so this can be dangerous.
IMO the best option is to Configure AWS SSO. Long-lived IAM CLI users are considered bad practice anyway, and since AWS has come out with this you could even say they are redundant. Now with the new version of the CLI you can sign in to an AWS account, from the CLI via an SSO page with optional MFA enabled, so you don't need CLI users in IAM. This way you don't need to store any long-lived CLI credentials, or remember a profile. Sign into one AWS account at a time and you will be signed in for an hour. This minimizes the chances of you performing actions in the wrong account, and there will be no risk of accidentally using the wrong profile. If you come back to your computer the next day, run some CLI command before remembering to specify the correct account, it won't matter because you will not be signed in. You need to keep in mind that with this approach you might have 2 different SSO pages (one for personal and one for work), and you also need your work account to configure SSO.
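An added example (not from the thread) of the layout this answer recommends: a ~/.aws/config with one SSO profile per account and no default profile, plus a small audit that flags any profile still depending on long-lived keys. The start URLs, account ids and role names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. A ~/.aws/config in the shape the answer
# recommends (SSO profile per account, no [default], no static keys) plus an
# audit that flags profiles still on long-lived keys. All ids are placeholders.
set -eu
# Constructed sample: "work" and "edu" use separate SSO portals; "legacy" is the
# static-key profile the audit should catch. With no [default] section, a command
# run without --profile (or before `aws sso login`) fails instead of hitting the
# wrong account.
sample_config() {
    cat <<'EOF'
[profile work]
sso_start_url = https://work-example.awsapps.com/start
sso_region = us-east-1
sso_account_id = 111111111111
sso_role_name = Developer
region = us-east-1

[profile edu]
sso_start_url = https://personal-example.awsapps.com/start
sso_region = eu-west-1
sso_account_id = 222222222222
sso_role_name = AdministratorAccess
region = eu-west-1

[profile legacy]
region = us-east-1
EOF
}
# Print each section of an INI-style file (stdin by default) with no line matching $1.
sections_lacking() {
    awk -v pat="$1" '
        function flush() { if (name != "" && !hit) print name }
        /^\[/ { flush(); name = $0; sub(/^\[(profile )?/, "", name); sub(/\]$/, "", name); hit = 0; next }
        $0 ~ pat { hit = 1 }
        END { flush() }' "${2:--}"
}
# Profiles that never reference SSO, i.e. ones that must be using static keys.
profiles_without_sso() { sections_lacking '^ *sso_(start_url|session) *=' "${1:--}"; }
# Audit the real files; a credentials file only exists to hold long-lived keys.
audit() {
    cfg="${AWS_CONFIG_FILE:-$HOME/.aws/config}"
    creds="${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
    [ -f "$cfg" ] && profiles_without_sso "$cfg" | sed 's/^/non-SSO profile: /'
    [ -f "$creds" ] && grep -c aws_access_key_id "$creds" | sed 's/^/static keys in credentials file: /'
    return 0
}
# usage: sh sso_audit.sh audit
case "${1:-}" in audit) audit ;; esac
```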

What services does AWS have for AD integration and multi-account support?

We are in the process of transferring what we currently have in our on-premises infrastructure to the cloud and taking advantage of what AWS has to offer. We are planning how to make this process as smooth as possible, so one of the first things that came to mind was: what are the best possible solutions to implement what we currently have on premises with users registered in AD, and how will we be able to manage them? E.g. we create a new user in AD and automatically see that new user in our AWS environment, so we don't have to manage them on premises as well as in AWS and they stay in sync.
The next question, to which I think the answer is Control Tower (and that's why I'm posting my question on this topic), but I would like to confirm and see if there are any other options out there that we might be missing.
As I said earlier, we are in the process of transferring our current on-site infrastructure to the cloud, so at this time we have three environments where we manage development: Development, Staging and Production. We thought of having each of them separated in its own AWS account so we can manage them individually, but we also want a way to easily switch between accounts, possibly get one consolidated bill for all three accounts but with the details for each account, and be able to easily make resources in one account communicate with resources in another account. What would be the best solution for these challenges in AWS, if someone can suggest best practices for these?
Thank you so much for your help!
For the AD connection, you can use the AWS AD Connector service. The official AWS blog has a tutorial: https://aws.amazon.com/blogs/security/how-to-connect-your-on-premises-active-directory-to-aws-using-ad-connector/
Billing for a multi-account organization is pretty straightforward, all sub-accounts pay through the root account so you won't have to worry about separation of billing.
Communicating between the environments (accounts), however, requires a bit more legwork. You can use a hub and spoke model and reach out to all environments from an individual environment, or, you can create trust relationships between roles and resources via IAM policy in different accounts and map them to one another.

Using AWS Codecommit in an organisation

We are planning to use AWS codecommit in our organisation.
Our scenario is: we have an IAM user named "codeAdmin", who can create repositories.
My question is how to handle the developers in AWS CodeCommit. We have the following scenarios in consideration:
For every developer, create a new IAM account (added under the required group) and then provide access to the required CodeCommit repositories.
This way, if we have 30 developers, we need to create 30 IAM users.
Or give each developer the accessKey and accessId of a single IAM developer account.
In this way, if we have 30 developers, we need to create only 1 IAM user and share the accessKeys/Ids with all of them.
Which approach from the above is best suited? Or are there any other best practices to be followed?
Creating a separate IAM user for each user is better.
First, different users may have different permissions based on their experience and position. For example, maybe you only want the admin user to have the ability to delete the repository.
Second, using different users can help your team distinguish which developer created a pull request and which developer commented on it. If 30 developers share the same IAM user, you won't know who made the comments, created the pull request or merged the pull request, because it is always the same user.
Amazon's best practice is to create a separate account for each user. There are many benefits to this, starting from permissions based on the user's experience/position to (most probably the most important) traceability. If you only have 1 account and somebody messes things up (hopefully it won't happen), you have no idea who it was and what the mistake was driven by.
You can read up a bit on this: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
Best regards!

Managing multiple AWS Console logins

I have several AWS Console logins provided by various unrelated clients. If I'm working on multiple clients at once this means essentially using multiple browsers and their private mode to keep them all open.
Does anybody have a more elegant solution to this? They are for different clients so AWS Organisations is not an option.
Thanks!
Yes!
The AWS Management Console allows you to switch roles.
Create a role in each account you would like to use
Establish a trust relationship between that role and your normal IAM User
In the management console, supply the ARN of the role you'd like to switch to
Switch to it!
However, I suspect that you can't have multiple tabs open to different roles -- but it makes it much easier to switch in and out of different roles without having to login to each one.
See: Switching to a Role (Console) - AWS Identity and Access Management
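The steps in this answer as a script, added here and not part of the thread: run with credentials in the client account, it creates the role with a trust policy that admits one IAM user from your own account (adding an MFA condition, which the answer does not mention), attaches read-only access, and prints the console's switch-role link so the ARN never has to be typed. Role name, user ARN and display name are hypothetical inputs supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the thread. Run with credentials in the *client* account
# to create the role the answer describes; the trusting user ARN, role name and
# display name are supplied by the caller (hypothetical values in the usage line).
set -eu

# Trust policy: one IAM user from another account may assume this role, and only
# from a session that authenticated with MFA.
trust_policy_for_user() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "$1"},
    "Action": "sts:AssumeRole",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
  }]
}
EOF
}

# Deep link to the console's switch-role form, pre-filled for this account and
# role, so the ARN from the answer's third step never has to be typed by hand.
switch_role_url() {
    printf 'https://signin.aws.amazon.com/switchrole?account=%s&roleName=%s&displayName=%s' "$1" "$2" "$3"
}

# Create the role and give it read-only access (swap in the client's own policy).
# Prints the new role's ARN.
create_switch_role() {
    aws iam create-role --role-name "$1" \
        --assume-role-policy-document "$(trust_policy_for_user "$2")" \
        --query Role.Arn --output text
    aws iam attach-role-policy --role-name "$1" \
        --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
}

# usage: sh switch_role.sh create <RoleName> arn:aws:iam::HOME_ACCOUNT_ID:user/NAME <DisplayName>
case "${1:-}" in
    create)
        create_switch_role "$2" "$3"
        acct=$(aws sts get-caller-identity --query Account --output text)
        echo "bookmark this: $(switch_role_url "$acct" "$2" "$4")" ;;
esac
```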
What you are doing is the correct way of doing it, though I would suggest another way.
Log in to Chrome with a separate Gmail account, create a separate browser user, or use a Mozilla Pocket account; you can then use them to open multiple AWS accounts.
Each and every console account you create or log in to is eligible to have 3 or more accounts merged with it. So in total you can have more accounts handled with the same user but different login credentials.
Hope my answer might help you in some way.
All the best..😊
You can even check AWS Organizations, which helps you in creating 3 additional root accounts under the same billing details.
We are using the AWS Extend Switch Roles Chrome extension at my workplace. It's very handy.
https://chrome.google.com/webstore/detail/aws-extend-switch-roles/jpmkfafbacpgapdghgdpembnojdlgkdl?hl=en
It is useful when assuming roles especially cross accounts.
In your case, it's totally unrelated accounts from unrelated clients. I guess it would be easier to use separate Chrome profiles, one per client. Or you can use Ghost Browser, a Chromium-based browser that allows you to create workspaces; you can even have different sessions in different tabs.
Hope this helps.

Login to AWS console with an account and to IAM on another account

I am a freelance dev, and I work a lot from my EC2 instances. Now I also have to manage instances for other people, and I find it quite a pain to log out and log in again to switch consoles.
Is there a way I can access both my personal AWS console and the ones I log in to through IAM? I don't mind using 2 tabs, though having them in one single console would be the optimal solution.
The only way I've found to do this is to use different browsers. Obviously this doesn't scale well, but will handle 2 accounts.
Using the latest AWS CLI tools, you can use multiple profiles and specify the profile as a parameter, so that might be a better way to manage your infrastructure.