I have a client with an AWS account already supporting an existing production environment. They've contracted with us to build a new and large ecosystem of software but do not want to give us administrative control of their existing account. The solution we're going with to solve this is an AWS Organization and a new AWS Account for this new software.
My question is, will logging into their existing AWS Account and creating a new Organization be disruptive to existing production systems? I'm sure the answer is no, but I want to be validated beforehand.
Of course if we create SCPs and OUs we can disrupt services but I'm just asking about the act of creating the Organization.
I've done a ton of looking and even asked someone with several AWS certifications that wasn't sure of this so I hope someone here can provide some info on this
Thanks
Well, I can't say for sure if it will be disruptive for someone else, but as expected, for us at least, there were no production interruptions from creating an Organization (without any OUs and SCPs) and then adding a new AWS Account under that organization.
For context, our client has a few EC2 instances running, an RDS database of some type and some SQS queues among other services in their account.
Related
Following Coursera Architecting with Google Kubernetes Engine for switching to Service Account.
It says create and download a key file and authenticate using the key. Is this the common way in GCP? There will be many keys created by developers and downloaded to many laptops or servers scattering the keys in many places, which seems to be not secure manner.
Answering your question, yes. The service accounts are the common way to authenticate in GCP.
There are two different service account types, and the recommendation is to use the second one:
User Managed Service Accounts: to authenticate you will then need a “password” that comes in the form of Service Account Key (json file), and if you leak the service account key, the service account can be considered compromised.
Using keys implies that you are in charge of their lifecycle and security, and it’s a lot to ask because:
You need a robust system for secrets distribution.
You need to implement a key rotation policy.
You need to implement safeguards to prevent key leaks.
Google Managed Service Account: Google Managed Service Accounts, are SAs for which you don’t need to generate keys and your applications can just assume their identity. No keys are involved: the VM will continuously request short lived authorization tokens from the metadata service.
Documentation
NO, no and no, don't use service account key file. As you smell it, you are right, it's a terrible thing for the security.
Today, there are several way to prevent the service account key usage, even if, in some corner case, you need them.
I have wrote bunch of articles on that topics:
the limits
the service account credential API
and a fight against a Google dev advocate and one of his article
Because YES, even Google tutorials, courses, documentation (...) promote that bad practice for years and continue. It was my nightmare in my previous company, and I increased my knowledge and skill to prevent key usage and find workarounds. Let me know your use case, I will try to help your the most
We are in the process of transferring what we currently have in our on-premises infrastructure to the cloud and taking advantage of what AWS has to offer. We are in the process of planning how we can make this process as smooth as possible, so one of the first things that came to mind was, What are the best possible solutions to implement what we currently have in our premises with users registered in AD and how we will be able to manage them, e.g. we create a new user in AD and automatically we can see that new user in our AWS environment so we don't have to manage them on premises as well as AWS and so they can sync?
The next question which I think the answer is Control Tower (and that's why I'm sending my question on this topic), but I would like to confirm and see if there are any other options out there that we might me missing.
As I said earlier, we are in the process of transferring our current on-site infrastructure to the cloud, so at this time we have three environments where we manage development: Development, Staging and Production. We thought of having each of them separated in their own AWS account so we can manage them individually but also we want a way to easy switch accounts between them and possibly get one consolidated bill for all of those three accounts but with the details in each account, and be able to easily make them communicate resources in one account to resources in another account. What would be the best solution for these challenges in AWS if someone can suggest best practices on these?
Thank you so much for your help!
For the AD connection, you can use the AWS AD Connector service. The official AWS blog has a tutorial: https://aws.amazon.com/blogs/security/how-to-connect-your-on-premises-active-directory-to-aws-using-ad-connector/
Billing for a multi-account organization is pretty straightforward, all sub-accounts pay through the root account so you won't have to worry about separation of billing.
Communicating between the environments (accounts), however, requires a bit more legwork. You can use a hub and spoke model and reach out to all environments from an individual environment, or, you can create trust relationships between roles and resources via IAM policy in different accounts and map them to one another.
In our team, we are using AWS as our main cloud provider and currently, we have 3 projects hosted on their platform.
We are about to have 2 more projects in the next weeks, but first, we want to organize our projects, because our current organization is a little bit disordered.
We want our projects to be organized following these rules:
Each project must have a staging and production environment.
Each project is independent of each other so that it is not possible to see the resources of a project from within another project, i.e., VPC and S3 Buckets.
The client is responsible for paying the bills of the project (staging and production environment).
Even though the client is responsible for paying the bills, we must have access to the environments to deploy our code and to do other tasks related to development, testing, and operations.
We can assign a team of developers to each project. It should be possible for a developer to be in one or more projects at the same time. Plus, it should be possible to move our developers between projects and to remove their access from a project.
So, is it possible to organize projects in AWS under the rules previously mentioned?
If so, what are good resources to learn how to do this?
If not, what cloud providers allow to organize projects the way we want?
Thanks for your attention and time. I'm looking forward to your replies.
The fact that you want project-specific charges to go to customers and you want each project to be independent indicates that your best choice would be to use a separate AWS Account for each project (or each client).
By keeping projects in separate AWS accounts:
Each account will only have costs associated with a particular project
Resources in each account will be kept separate
User permissions in each account will be kept separate
You can create staging and production environments within the same account (see below)
You can have multiple accounts joined together by using AWS Organizations:
AWS Organizations is an account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage. AWS Organizations includes account management and consolidated billing capabilities that enable you to better meet the budgetary, security, and compliance needs of your business. As an administrator of an organization, you can create accounts in your organization and invite existing accounts to join the organization.
Some companies go one step further and also keep staging and production in separate AWS accounts. They do this because they wish to keep production resources and users away from non-production resources and users. This reduces the chance of somebody accidentally changing Production when they meant to update Staging. While you can use IAM permissions to reduce such a thing from happening, keeping staging and production in separate accounts guarantees that people with only staging permissions will not be able to impact production.
Your company should maintain ownership of all of the accounts so that you can manage and control them. Each month, you will receive a consolidated bill, but it will show costs broken down by account. Thus, you will know how much to charge your clients.
The developers will need separate logins to each AWS account. So, if they wish to work on Project 1, they will need to login to the AWS account for Project 1. They then have access to the resources in Project 1, but not any of the other projects. When they wish to work on another project, they will need to re-login with credentials for the other project's AWS account. You might think that this adds extra work, but it also adds extra security and ensures that each client's resources are kept totally separate.
A final benefit of using separate accounts is that, in future, if a client wishes to take control of their systems, you can assign the AWS account to them without having to do any work to separate their resources from other clients. It is like handing over the keys of a house — they can move in without anyone having to move out.
To give some background here, my company has not implemented AWS Organizations. We have this problem where many of the same environments (accounts): Prod, Dev, and QA all have the same policies and users. When one policy is updated in one environment, we must either manually go into the others or run a script depending on what's being done.
Is this one of the use cases for AWS Organization? We can update one central policy and "append" that policy to the Units? If this is not the exact usage of AWS Organization, is there another way we can duplicate this action without the need to interface with the AWS API?
Thanks!
For anyone stumbling upon this question now, we now leverage AWS Control Tower for this.
I am a longtime Amazon.com customer, and now I am interested in using Amazon Web Services (AWS). So I have a question on creating an AWS account.
Do I have an option to create an AWS account that's completely separate from my Amazon.com account (with different email addresses)?
What would happen if I use the same email address for AWS and Amazon.com?
Soooo..... Ages ago... I made an AWS account, it will not let me log in to normal amazon.com with that account telling me every time my password is incorrect which it is not.... attempting to create a new account with same email asks me if i want to disable my old account..... so yea it seems the answer is:
YES: simply create the account from AWS.
If creating accounts at amazon.com THEN aws with same e-mail, you will have one linked account to log in to both.
On the other hand if both are created seperately on different e-mails, and somehow one gets compromised the other doesn't, but then you have two different logins to deal with.
So as it turns out they lied about it disabling my aws account, I decided to try it, and now I have two accounts under the same e-mail, with different passwords... So if you want that, create on aws first, then create with same email on amazon.com and when it says it will disable the other account, don't worry it won't, however it will require you to choose a different password.
Oh and one last thing... If I try to log into AWS with Amazon.com password it brings me to create a new AWS account and it's a pain to get out of that screen...
My Amazon Retail account was compromised last week. I closed it and guess what - no access to my Amazon AWS account. On querying this I was told (by Amazon) that you have to have an Amazon Retail account and that it has to be THE SAME account as your AWS one.
So a service that is a honeypot for criminals gives them the keys to your Web based business, and Amazon have zero interest in separating the two. That is nuts - sites are moving next week, can't take the risk.
People have been shouting about it on the Amazon forum for years, so I think that whilst there may be workarounds the fundamental principle must be correct. I can't risk playing about with workarounds for something as dumb as this.
These are both great questions
First,
Yes, you can and SHOULD create an aws root account email that is unique for your AWS account(s). While approaches may vary, and your email server may filter out what would otherwise be perfectly applicable emails, here is how I do it
I create an email account that is ONLY for my AWS root accounts.
AWS Requires EVERY AWS account to have a unique email
here is my pattern: myname.aws.accts#gmail.com
I have an admin (Organization) account, so I use the following email: myname.aws.accts+admin#gmail.com
I have one prod, one test and one dev account. Here are the following email patterns:
myname.aws.accts+prod#gmail.com; myname.aws.accts+test#gmail.com; myname.aws.accts+dev#gmail.com.
I've also used the pattern: myname.aws.accts+123456789012#gmail.com where 123456789012 represents the AWS Account number.
These are all interpreted as unique by AWS but route to the same email account: myname.aws.accts#gmail.com
One last comment. I have another client who uses MS Exchange and for some reason the email+extension#mybiz.com has the 'extension' portion filtered out, and these emails do NOT process. In this biz we worked around this by creating alias' emails that are still unique to AWS and aliased them in the exchange server to the awsadmin# email. does the job. probably not best practice, but in a pinch...
Second
Yes. You can link your AWS and amazon.com accounts to the same root user email.
DON'T DO IT
This is generally an anti-pattern. NOT best practice, and fraught with problems...
I know of no good reason to do this. Once done, it is nigh near impossible to convince AWS - AMAZON to unlink these accounts. You WONT be able to separate them yourself - they are strongly coupled once the link is made. you might succeed in separating your AWS and AMAZON account if you are a paying customer of AWS business or Enterprise level support, and even then, they may tell you to just delete the AWS account if you don't want AWS and amazon shared.
Once the two accounts - store and AWS - are created with the same email account, I believe they are forever linked via a single master Amazon account, and there seems to be no way to separate them: If you change the password or email address on one, it reflects in the other.
When my only AWS use was an unimportant VM with a website, it was no big deal, but once I start hosting higher-value stuff, it gets a lot more scary.
As far as I can tell, the only way to separate them is to create a new AWS account (with different email address) and transfer your resources from the old to the new.
This appears to be a painful exercise, you can't directly move an EC2 instance, though you can transfer a snapshot of an image, but everything else I don't know about yet. I would be surprised if I could transfer a fixed Elastic IP, which means changing an IP address I've been using for a long time.
In the short term - as far as I can tell - the only way to secure AWS from your consumer account compromise is to put MFA on the AWS account and then use IAM for access. That's not a bad idea anyway.
I'll be creating a new AWS account (with different email address) for all stuff going forward, and transitioning old-to-new as I get to it, but this looks like a miserable (and unbillable) exercise.
It's just crazy that Amazon doesn't appear to have a way to address this.
Yay for me being an early adopter?
EDIT: It might be possible to link two accounts via "Organizations"; that might give some options for migration that are a bit less painful. Not sure yet.
EDIT Nov 2022: Amazon appears to have rolled out split credentials: when I logged into my unified account - same email for store and AWS - it invited me to create a diff password for the AWS stuff. This is wonderful!
So your AWS and Amazon are the same accounts so you cannot create a separate retail account with the same address. (Though you can get around it by doing email+SOMETHING#domain.toplevel) So if your amazon.com account gets compromised, they theoretically have access to your AWS account.
To keep your AWS account secure, there are a few things you can do. Firstly and probably most importantly, you need to make sure you have MFA setup on the account. In fact, you should do this whether you use amazon.com with the same account or not.
I heavily suggest looking at the Trusted Advisor Best Practice Checks on AWS' website.
The rule of thumb here: they are not interchangeable.
If you created AWS account it will not allow you to login automatically to Amazon.com.
The same with consumer account, it doesn't provide access to AWS by default, because AWS has separate verification process.
Amazon Music account means access to consumer Amazon.com but not to AWS.
Though, I never tried to delete AWS and don't know what happens if you delete either of them, whether this causes deletion of the other or not.