Let's assume in current AWS organization we have 2 developers accounts. From what I found it is a good practice to create a separate AWS account per environment and give access to these resources.
My question is:
What is the best way to share access to the resources (e.g. EC2, EKS, EFS) for multiple developers? Now I see only these two options:
Create a separate AWS account for each developer and allow to access some resources by applying roles to that developers AWS accounts.
Within a root account of each AWS environment create a IAM user account for each developer and from that point manage permissions by policies and user groups.
Please let me know. I appreciate any type of help! :)
You should setup AWS SSO. Either integrated with your existing identity provider, or using the built in user system.
https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html
This will allow you to create permission sets. Then, you can assign permission sets to users in particular accounts. This will create a role in the account which the users can assume
Related
I am looking to provide a separate sandbox environment for my users. A concept similar to GCP Projects. Requirements are:
Each user should have only access to his own resources.
User should not be able to see the resources of other users.
Users should be able to create overlapping resources e.g user1 can create a VPC with 10.1.0.0/16 and user2 should be able to create the VPC with 10.1.0.0/16.
If there are any other options besides IAM, I am happy to opt.
To achieve these goals, you should provision a separate AWS Account for each user.
Each Account can be linked back to a master account using AWS Organizations.
I want to separate out AWS resources for a multi-tenanted SaaS into separate accounts under an AWS Organization.
I have multiple OUs, split by function, e.g. logs, audit, compute. I will have SCPs associated with each OU.
Each tenant will have an account under each OU, which means as I add new tenants, each account will inherit the respective SCP to that OU.
To enable the developers to build out the platform and to be able to debug the running system, I want to use a hub-and-spoke type approach to access control using a federated IdP, similar to that described here: https://segment.com/blog/secure-access-to-100-aws-accounts/.
Specifically, I will have an identity account that will be bound to Okta. Users will authenticate into this account and then use sts:assume-role to escalate to roles in other accounts. Note that I want a separate identity account and not have users authenticate to the master account in the organization (thus within the organization, we have master and identity accounts, plus the OUs each with their respective accounts).
In order to programmatically create a new tenant, I need to create the tenant's accounts and place them in the correct OU, and therefore this needs to be done in the master account. I can do this by creating a role within the master account and having developers assume that role from the identity account.
How do I create roles in the new accounts that developers can assume from the identity account? Member accounts have a role called OrganizationAccountAccessRole automatically created (see here for details), but that is set to only be accessible from the master account and it enables access to everything in that account. How can I enable a developer within the identity account to programmatically create new accounts and the roles within them without granting such all-powerful permissions (they should have no more permissions to perform this task than necessary). I don't think I can assume a role in the master account from the identity account and then further assume a role in a third account?
EDIT: I am really only interested in answers that address the steps/configuration needed to achieve the solution I describe.
Cloudformation StackSets addresses this problem.
Basically, the steps are:
Set up roles in the child accounts that have permissions to deploy resource with a trust relationship to the role of the parent account (which you're deploying from)
Create a StackSet in parent account and deploy a Cloudformation template into it to selected accounts or Organizational Units (OU) or whole organization
StackSets supports AWS Organizations so you can select OU's instead of selecting individual accounts.
I would put forward that an elegant solution is to use the AWS Service Catalog product which allows you to create and manage catalogs of services that are approved for use in your AWS environment. As a matter of fact, the setup described in this AWS blog post can be customized to achieve what you want. It provides an example for creating an Account Builder product that when launched by your end users, uses an AWS Lambda script to:
Provision an AWS member account
Assume the Organizational Role for the account
Use a CloudFormation template to customize the account (in your case, to create the additional IAM roles)
You can customize it further to even delete the Organizational Role account when it's done.
Source code for the Lambda function along with the CloudFormation templates is provided that you can tweak to produce the exact behavior you are looking for.
Hope this helps.
This question may seem noobish, but I am pulling my hair out with our AWS organization. We have 3 separate root accounts connected in a single organization with IAM accounts and policies. We can only see instances from the default root account in the EC2 list (yes I am looking in the correct region). We have shared full account access across all of the others accounts and accepted the invitations. Our billing works perfectly, and funnels from our main root account (and I can see billing of the other separate accounts fine). Even our highest level of admin (literally a grant permission to everything) cannot see instances launched from one of the separate root accounts.
Our goal is our admin group should see EC2 instances from all 3 root accounts in the organization without switching accounts or credentials.
I know this has to be possible, but I have spent at least 2 hours and have not gotten far. Any suggestions on how to achieve this?
There are some terminology issues here. There are no root accounts or main root accounts in AWS Organizations. There is one management AWS account and there are zero or more member AWS accounts.
The term root refers to an AWS Organizations construct within the management account that is the parent container for all of the member accounts in your organization. See AWS Organizations Terminology and Concepts for more.
There are two ways to 'join' a member account to an organization:
an admin in the management account creates a new member account
an admin in the management account invites an existing account to become a member
If you use option #1, administrative control over the member account is automatically provided for you through an auto-created IAM role called OrganizationAccountAccessRole that you can use to grant users in the management account administrator access to the created member account.
If you use option #2, you do not automatically have full administrator control over the member account. If you want the management account to have full administrative control over an invited member account, you must create the OrganizationAccountAccessRole IAM role in the member account and grant permission to the management account to assume the role. To configure this, after the invited account becomes a member, follow the steps in Creating the OrganizationAccountAccessRole in an Invited Member Account.
#jarmod's answer provides a good overview of the terminology. I don't think it addresses your visibility problem.
Your assumptions appears to be that the master account of the organization should be able to directly see all resources of all accounts within the organization in its AWS console or via the API. That's not correct.
The resources in the accounts are generally still separated (allthough some things can be shared, but that's another matter), but you can change into these accounts by assuming a role in the accounts and then you're able to see the resources - this is what #jarmod is describing. After you changed into the accounts, you'll be able to see all resources within that respective account.
To learn more about organizations and their capabilities, here are some helpful links:
Documentation on Managing Access Permissions for Your AWS Organization
Services that can be used in conjunction with organizations
Resources within an AWS Account logically belong to that account and not to its organization.
I would like to write a policy for a new IAM user so that he can have a full access to AWS Services such as EC2, RDS, Cloud Front, S3, etc. However he should be only able to view (describe) and manage the instances/services that he launches. He can't see other existing/future instances/services created by other users.
This case happens in a company that wants to outsource some projects to an outsourced company. So the new IAM user is for giving access to the outsourced company to setup the staging & production environments in AWS that belongs to the company. How can I achieve this?
Thanks.
Best Regards,
Mark
AFAICT there are no conditions on creator.
One obvious alternative is having a separated dependent and linked account with consolidated billing. You can find some detail in the third scenario of this paper
https://media.amazonwebservices.com/AWS_Setting_Up_Multiuser_Environments_Education.pdf
[...] an administrator creates separate AWS accounts for each user who
needs a new AWS account. These accounts can optionally be linked
together and a single AWS account can be designated as the paying
account using consolidated billing, which provides a single bill for
multiple AWS accounts. The administrator then creates an IAM user in
each AWS account and applies an access control policy to each user.
Users are given access to the IAM user within their AWS account, but
do not have access to the root credentials of the AWS account.
Users can log into the AWS Management Console with their IAM
credentials and then they can launch and access different AWS
services, subject to the access control policies applied to their
account. Users have direct control over the access credentials for
their resources and they can also share these resources with other
users as necessary.
We have multiple AWS accounts (about 15-20), one AWS account per client that we are managing, each account having VPC having dedicated setup of instances. Due to regulatory requirements all accounts needs to be isolated from each other.
What is the best way to manage account credentials for these AWS accounts? Following is what I am thinking
-For any new client
Create a new AWS account
Create AWS IAM roles (admin, developer,
tester) for newly created account using cloudformation
Using master
AWS account, assume roles created in step 2 to access other
accounts.
Is this the right approact to manage multiple accounts?
Thanks in advance.
Facilitating IAM Roles is a very common and (I think) the right approach to manage authentication for multiple accounts indeed, AWS has just recently released resp. updates that greatly help with this, see Cross-Account Access in the AWS Management Console:
Many AWS customers use separate AWS accounts (usually in conjunction with Consolidated Billing) for their development and production resources. This separation allows them to cleanly separate different types of resources and can also provide some security benefits.
Today we are making it easier for you to work productively within a multi-account (or multi-role) AWS environment by making it easy for you to switch roles within the AWS Management Console. You can now sign in to the console as an IAM user or via federated Single Sign-On and then switch the console to manage another account without having to enter (or remember) another user name and password.
Please note that this doesn't just work for the AWS Management Console, but also with the AWS Command Line Interface (AWS CLI), as greatly explored/explained in by Mitch Garnaat in Switching Roles in the AWS Management Console and AWSCLI.
Furthermore, Mitch has followed up with a dedicated new tool 'rolemodel' to help with setting things up pretty much like you outlined, which you might want to evaluate accordingly:
Rolemodel is a command line tool that helps you set up and maintain cross-account IAM roles for the purpose of using them in the new switch role capability of the AWS management console. These same cross-account roles can also be used with the AWSCLI as described here.