I like to create multiple environments in AWS Account rather than multiple accounts, how can this be done?
Use-case for this is each environment can have its own stack, so each environment will have DynamoDB, Lambda, services etc.
I could not find any documentation on how to create multiple environments in AWS Account
Related
Currently, I am using these services in AWS:
EC2 instance
S3 bucket
SES for transactional mails
I access S3 and SES services in the backend using an AWS_ACCESS_KEY_ID, and an AWS_SECRET_ACCESS_KEY which basically means I cannot share those keys with the developers.
I would like to create a separate development environment that doesn't give access to those services in production.
I have made some research and I found-out that I can create a whole new account for development environment and then synchronize billing between the two especially that I have AWS credits.
Before investing time in that, I wonder if it's possible to achieve my goal with using a separate IAM identity.
I am using different accounts for environment management by cloudformation.
I am considering the best deployment procedure
There are 2 ways i think of.
1.serverless setup(lambda,dynamodb,s3 etc) in different account, but deployment for different environments(UAT,Prod) is done on the same master account.
E.g.account master_admin for deployment of all environment in amplify. dev_admin and uat_admin are used for serverless setup for dev and uat environment separately.
2.both serverless setup and deployment are done on the same account
E.g.dev_admin is used for serverless setup and amplify deployment in dev stage, while uat_admin is for uat env serverless setup and amplify deployment
I am not sure the pros and cons for these 2 ways and which one is better
Creating different accounts for each environment (PRODUCTION, Stage), provide separation between the environments, but operational tasks are challenges.
create IAM users, groups, and policies for each account.
sign in to each account separately.
And you may need to think on:
AWS Organizations and Consolidated Billing.
Federate identity.
One account for all environments simplifies managing users and permission but needs IAM Groups, user, roles, and policies in addition tp Resource level policies, for access control,
and aws resources need to be tagged to distinguish between the environments.
I’m currently using cloudformation(JSON template) to manage different aws services.
The Aws services I use include S3, Lambda, API Gateway, Amplify, Dynamodb, IAM, Cognito.
The development phase is almost finished, now I'm finding ways to build UAT environments by using the existing cloudformation template.
Different ways come into my mind.
1.Create cloudformation stacks after switching to different countries
But some services like S3 are cross-country services.
If I create another S3 bucket with the same name, the bucket might not be successfully created.
2.Create new IAM User for creating cloudformation stacks
I am currently using the Root User account for the Service Management in the development stage(I know it's bad practise though). I can create a new IAM user(e.g. UAT_Admin) to create the UAT environment.
These are all methods I can think of. I need a method for the environment management for later creating UAT environments, and even the Production environment in the future.
Any comments or suggestions?
For greatest separation of different development environments (dev, testing, uat, prod) often different accounts are used. This provides greatest separation of resources without risking that someone from testing will accidentally delete/modify production services.
To make it easier to work with different accounts AWS provides AWS Organizations as well as AWS CloudFormation StackSets. The StackSets would enable you to use same template accorss different accounts.
I have two accounts.
Account A : This has some aws resources which should not ideally have any downtime. This is registered under aaa#gmail.com
Account B : This account does not have any aws resources, but it has some aws credits. This is registered under bbb#gmail.com
I have the access to both accounts/both emails. How I can merge those two accounts so that I can utilize aws credits.
Any method with no downtime is preferred. After the merge/migration, I am willing to keep any account as my primary account.
Thank you.
Based on AWS knowledge center article your requirement doesn't seem to be supported:
Issue
I have resources on multiple AWS accounts, and I want to merge all the
resources together under one account. Is this possible?
Resolution
It's not possible to merge multiple AWS accounts together.
There is suggestion which might help you
However, you can use AWS Organizations to manage the permissions for
multiple AWS accounts, and then combine the billing in one
consolidated bill.
You can also transfer some AWS resources between AWS accounts. For
example, with Amazon Elastic Compute Cloud (Amazon EC2), you can share
custom AMIs between accounts, which allows you to transfer instances
between accounts. Because each AWS service is unique, the way to move
resources between accounts varies by service. For more details, see
AWS Documentation.
We have multiple AWS accounts (about 15-20), one AWS account per client that we are managing, each account having VPC having dedicated setup of instances. Due to regulatory requirements all accounts needs to be isolated from each other.
What is the best way to manage account credentials for these AWS accounts? Following is what I am thinking
-For any new client
Create a new AWS account
Create AWS IAM roles (admin, developer,
tester) for newly created account using cloudformation
Using master
AWS account, assume roles created in step 2 to access other
accounts.
Is this the right approact to manage multiple accounts?
Thanks in advance.
Facilitating IAM Roles is a very common and (I think) the right approach to manage authentication for multiple accounts indeed, AWS has just recently released resp. updates that greatly help with this, see Cross-Account Access in the AWS Management Console:
Many AWS customers use separate AWS accounts (usually in conjunction with Consolidated Billing) for their development and production resources. This separation allows them to cleanly separate different types of resources and can also provide some security benefits.
Today we are making it easier for you to work productively within a multi-account (or multi-role) AWS environment by making it easy for you to switch roles within the AWS Management Console. You can now sign in to the console as an IAM user or via federated Single Sign-On and then switch the console to manage another account without having to enter (or remember) another user name and password.
Please note that this doesn't just work for the AWS Management Console, but also with the AWS Command Line Interface (AWS CLI), as greatly explored/explained in by Mitch Garnaat in Switching Roles in the AWS Management Console and AWSCLI.
Furthermore, Mitch has followed up with a dedicated new tool 'rolemodel' to help with setting things up pretty much like you outlined, which you might want to evaluate accordingly:
Rolemodel is a command line tool that helps you set up and maintain cross-account IAM roles for the purpose of using them in the new switch role capability of the AWS management console. These same cross-account roles can also be used with the AWSCLI as described here.