I am using different accounts for environment management by CloudFormation.
I am considering the best deployment procedure.
There are 2 ways I can think of.
1. Serverless setup (Lambda, DynamoDB, S3 etc.) in different accounts, but deployment for the different environments (UAT, Prod) is done on the same master account.
E.g. account master_admin for deployment of all environments in Amplify. dev_admin and uat_admin are used for the serverless setup of the dev and uat environments separately.
2. Both serverless setup and deployment are done on the same account.
E.g. dev_admin is used for serverless setup and Amplify deployment in the dev stage, while uat_admin is for the uat env serverless setup and Amplify deployment.
I am not sure about the pros and cons of these 2 ways and which one is better.
Creating different accounts for each environment (PRODUCTION, Stage) provides separation between the environments, but operational tasks are challenges:
create IAM users, groups, and policies for each account;
sign in to each account separately.
And you may need to think about:
AWS Organizations and Consolidated Billing;
federated identity.
One account for all environments simplifies managing users and permissions but needs IAM groups, users, roles, and policies in addition to resource-level policies for access control,
and AWS resources need to be tagged to distinguish between the environments.
I'd like to create multiple environments in one AWS account rather than multiple accounts; how can this be done?
The use case for this is that each environment can have its own stack, so each environment will have DynamoDB, Lambda, services etc.
I could not find any documentation on how to create multiple environments in an AWS account.
Currently, I am using these services in AWS:
EC2 instance
S3 bucket
SES for transactional mails
I access S3 and SES services in the backend using an AWS_ACCESS_KEY_ID, and an AWS_SECRET_ACCESS_KEY which basically means I cannot share those keys with the developers.
I would like to create a separate development environment that doesn't give access to those services in production.
I have done some research and found out that I can create a whole new account for the development environment and then synchronize billing between the two, especially since I have AWS credits.
Before investing time in that, I wonder if it's possible to achieve my goal using a separate IAM identity.
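The single-account approach described in the answer above (tag resources per environment, then control access with IAM groups, roles and policies) and the separate-IAM-identity idea in this question both come down to the same thing: an identity policy that can reach dev resources but can never reach prod ones. The following is an added example, not code from any poster. It builds such a policy for a dev identity and evaluates requests against it locally with a deliberately simplified model of IAM evaluation (an explicit Deny always wins, otherwise an Allow is needed, and only StringEquals conditions on aws:ResourceTag/* are modelled). The bucket names, table ARN and account id are constructed for illustration.

```python
"""Single-account environment separation with one IAM identity policy (added example)."""
import fnmatch
import json

PROD_BUCKET = "example-prod-uploads"  # constructed bucket name (assumption)
DEV_BUCKET = "example-dev-uploads"    # constructed bucket name (assumption)


def dev_policy(env="dev"):
    """Identity policy for a dev IAM user or role.

    Allow only resources tagged Environment=<env> (plus the dev bucket), and
    explicitly deny the prod bucket and anything tagged Environment=prod.
    In IAM an explicit Deny overrides any Allow, so the deny statements hold
    even if a broader Allow is attached to the same identity later.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowTaggedEnvResources",
                "Effect": "Allow",
                "Action": ["dynamodb:*", "lambda:*"],
                "Resource": "*",
                "Condition": {"StringEquals": {"aws:ResourceTag/Environment": env}},
            },
            {
                "Sid": "AllowDevBucket",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{DEV_BUCKET}", f"arn:aws:s3:::{DEV_BUCKET}/*"],
            },
            {
                "Sid": "DenyProdBucket",
                "Effect": "Deny",
                "Action": "*",
                "Resource": [f"arn:aws:s3:::{PROD_BUCKET}", f"arn:aws:s3:::{PROD_BUCKET}/*"],
            },
            {
                "Sid": "DenyProdTagged",
                "Effect": "Deny",
                "Action": "*",
                "Resource": "*",
                "Condition": {"StringEquals": {"aws:ResourceTag/Environment": "prod"}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards (* and ?) map directly onto shell-style glob matching.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_ok(stmt, resource_tags):
    """Only StringEquals on aws:ResourceTag/<Key> is modelled (simplification)."""
    for key, want in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if key.startswith("aws:ResourceTag/"):
            if resource_tags.get(key.split("/", 1)[1]) != want:
                return False
    return True


def is_allowed(policy, action, resource_arn, resource_tags=None):
    """Simplified IAM decision: explicit Deny beats Allow; no match means deny."""
    resource_tags = resource_tags or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource_arn):
            continue
        if not _condition_ok(stmt, resource_tags):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    print(json.dumps(dev_policy(), indent=2))
    table = "arn:aws:dynamodb:us-east-1:111111111111:table/orders"  # constructed ARN
    print("dev table:", is_allowed(dev_policy(), "dynamodb:GetItem", table, {"Environment": "dev"}))
    print("prod table:", is_allowed(dev_policy(), "dynamodb:GetItem", table, {"Environment": "prod"}))
```

The local evaluator exists only to make the intent of each statement visible; before attaching a policy like this, check the real decision with `aws iam simulate-custom-policy`, which applies the full IAM evaluation logic, including service-level quirks such as which actions honour aws:ResourceTag. The untagged-resource case is worth noting: a table with no Environment tag matches neither the Allow nor the Deny and is therefore denied by default, which is the safe direction but means tagging discipline is part of the access control.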
I'm currently using CloudFormation (JSON template) to manage different AWS services.
The AWS services I use include S3, Lambda, API Gateway, Amplify, DynamoDB, IAM, Cognito.
The development phase is almost finished; now I'm finding ways to build UAT environments using the existing CloudFormation template.
Different ways come to mind.
1. Create CloudFormation stacks after switching to different countries.
But some services like S3 are cross-country services.
If I create another S3 bucket with the same name, the bucket might not be successfully created.
2. Create a new IAM user for creating CloudFormation stacks.
I am currently using the root user account for service management in the development stage (I know it's bad practice though). I can create a new IAM user (e.g. UAT_Admin) to create the UAT environment.
These are all the methods I can think of. I need a method of environment management for later creating UAT environments, and even the production environment in the future.
Any comments or suggestions?
For the greatest separation of different development environments (dev, testing, uat, prod), different accounts are often used. This provides the greatest separation of resources without risking that someone from testing will accidentally delete/modify production services.
To make it easier to work with different accounts, AWS provides AWS Organizations as well as AWS CloudFormation StackSets. StackSets would enable you to use the same template across different accounts.
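Reusing one template across accounts runs straight into the S3 naming problem the question raises: bucket names are global, so a template with a hard-coded bucket name can only ever be deployed once. The following is an added example, not code from the poster or from AWS: it builds a CloudFormation template (JSON form, as the question uses) whose globally unique names embed the environment, account id and region via Fn::Sub, and resolves those intrinsic functions locally so the resulting names can be inspected before any deployment. The application name, account ids and region are constructed placeholders.

```python
"""One CloudFormation template for dev/uat/prod without global-name collisions (added example)."""
import json
import re

ENVIRONMENTS = ["dev", "uat", "prod"]


def environment_template(app_name="myapp"):
    """Template parameterised by Environment.

    The S3 bucket (global namespace) gets <app>-<env>-<account>-<region>-assets,
    so the same template can be created in several accounts and environments.
    The DynamoDB table is scoped to account+region, so an environment suffix is
    enough there. Every resource carries an Environment tag for tag-based IAM.
    """
    env_tag = [{"Key": "Environment", "Value": {"Ref": "Environment"}}]
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Parameters": {
            "Environment": {"Type": "String", "AllowedValues": ENVIRONMENTS},
            "AppName": {"Type": "String", "Default": app_name},
        },
        "Resources": {
            "AssetsBucket": {
                "Type": "AWS::S3::Bucket",
                "Properties": {
                    "BucketName": {"Fn::Sub": "${AppName}-${Environment}-${AWS::AccountId}-${AWS::Region}-assets"},
                    "PublicAccessBlockConfiguration": {
                        "BlockPublicAcls": True, "BlockPublicPolicy": True,
                        "IgnorePublicAcls": True, "RestrictPublicBuckets": True,
                    },
                    "Tags": env_tag,
                },
            },
            "OrdersTable": {
                "Type": "AWS::DynamoDB::Table",
                "Properties": {
                    "TableName": {"Fn::Sub": "${AppName}-${Environment}-orders"},
                    "BillingMode": "PAY_PER_REQUEST",
                    "AttributeDefinitions": [{"AttributeName": "pk", "AttributeType": "S"}],
                    "KeySchema": [{"AttributeName": "pk", "KeyType": "HASH"}],
                    "Tags": env_tag,
                },
            },
        },
    }


_SUB = re.compile(r"\$\{([^}]+)\}")


def resolve(node, params, pseudo):
    """Locally resolve Fn::Sub and Ref for ${Param} and ${AWS::*} (no deployment)."""
    if isinstance(node, dict):
        if "Fn::Sub" in node:
            return _SUB.sub(lambda m: pseudo.get(m.group(1), params.get(m.group(1), m.group(0))), node["Fn::Sub"])
        if "Ref" in node:
            return params.get(node["Ref"], node["Ref"])
        return {k: resolve(v, params, pseudo) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, params, pseudo) for v in node]
    return node


def bucket_name_for(env, account_id, region, app_name="myapp"):
    """Name the template would give the assets bucket in a given account/region."""
    template = environment_template(app_name)
    if env not in template["Parameters"]["Environment"]["AllowedValues"]:
        raise ValueError(f"unknown environment {env!r}")
    resources = resolve(template["Resources"],
                        {"Environment": env, "AppName": app_name},
                        {"AWS::AccountId": account_id, "AWS::Region": region})
    name = resources["AssetsBucket"]["Properties"]["BucketName"]
    # S3 bucket naming rules: 3-63 chars, lowercase letters, digits, dots, hyphens.
    if not re.fullmatch(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]", name):
        raise ValueError(f"invalid S3 bucket name: {name}")
    return name


if __name__ == "__main__":
    print(json.dumps(environment_template(), indent=2))
    # Constructed account ids; the same template, deployed twice with different profiles:
    #   aws cloudformation deploy --template-file env.json --stack-name myapp-dev \
    #       --profile dev-admin --parameter-overrides Environment=dev
    #   aws cloudformation deploy --template-file env.json --stack-name myapp-uat \
    #       --profile uat-admin --parameter-overrides Environment=uat
    print(bucket_name_for("dev", "111111111111", "us-east-1"))
    print(bucket_name_for("uat", "222222222222", "us-east-1"))
```

Embedding the account id also gives a cheap safety property: a template run against the wrong profile produces visibly wrong names rather than silently reusing the prod bucket. When the template is pushed through a StackSet, the Environment parameter is set per target account in the stack instances.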
We have two AWS accounts, say Dev and Prod. In the Dev account, our CodeBuild, CodePipeline and CodeDeploy services are configured with S3. However, in the Prod account an auto-scaling group is running for the production websites.
As per our requirement, we want to deploy the code from the Dev account to the Prod account with cross-account deployment. Basically, CodeBuild and CodePipeline will execute the code and, using CodeDeploy, it will deploy to the Prod account's auto-scaling group.
Can someone give us some insight about how to achieve the same?
Thanks
CodePipeline supports cross-account actions, however it's not currently configurable via the console and requires some extra roles to be configured.
Here's a guide on how to make it work: https://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-create-cross-account.html
As of today, CodeDeploy doesn't support cross-account deployments. Depending on what your goal is, you might be able to achieve it another way.
I want to deploy a bundle in one account to another account
If your S3 bucket allows access to the second account, CodeDeploy doesn't care what account your bundle is in as long as everything can access it. Per #TimB, it looks like CodePipelines can support that behavior.
I need to initiate a deployment in one account to another
If you have a reason why the deployment must be in one account to another, you could set up the instances in the second account to be on-premise instances, though this is not a great solution.
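The "bucket allows access to the second account" route in the answer above has one detail that trips people up: cross-account S3 access needs an Allow on both sides, a bucket policy in the Dev account naming the Prod principal and an identity policy on that principal in the Prod account. The following is an added example, not code from any poster or from AWS: it generates both documents and checks the pairing locally with a minimal matcher (Allow statements only, no conditions). The bucket name, account id and role name are constructed placeholders.

```python
"""Cross-account read access to a deployment-artifact bucket (added example)."""
import fnmatch
import json


def artifact_bucket_policy(bucket, prod_account_id, reader_role="CodeDeployInstanceRole"):
    """Bucket policy in the Dev account: only the Prod instance role may read
    release bundles, and only over TLS. Everything else stays at the default deny."""
    reader = f"arn:aws:iam::{prod_account_id}:role/{reader_role}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ProdReadsReleases", "Effect": "Allow",
         "Principal": {"AWS": reader},
         "Action": ["s3:GetObject", "s3:GetObjectVersion"],
         "Resource": f"arn:aws:s3:::{bucket}/releases/*"},
        {"Sid": "ProdListsReleases", "Effect": "Allow",
         "Principal": {"AWS": reader},
         "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{bucket}",
         "Condition": {"StringLike": {"s3:prefix": "releases/*"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny",
         "Principal": "*", "Action": "s3:*",
         "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]}


def instance_role_policy(bucket):
    """Identity policy on the instance role in the Prod account. Without this the
    bucket policy alone grants nothing, and vice versa."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/releases/*"]},
    ]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allows(statements, action, resource, principal=None):
    """True if some Allow statement covers action+resource (and principal, if given)."""
    for stmt in statements:
        if stmt["Effect"] != "Allow":
            continue
        if principal is not None and stmt["Principal"].get("AWS") != principal:
            continue
        if (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
                and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))):
            return True
    return False


def cross_account_read_ok(bucket_policy, identity_policy, principal_arn, object_arn):
    """The read succeeds only when the bucket policy names the principal AND the
    principal's own identity policy allows the same object."""
    return (_allows(bucket_policy["Statement"], "s3:GetObject", object_arn, principal_arn)
            and _allows(identity_policy["Statement"], "s3:GetObject", object_arn))


if __name__ == "__main__":
    bucket, prod = "dev-artifacts-example", "222222222222"  # constructed values
    print(json.dumps(artifact_bucket_policy(bucket, prod), indent=2))
    print(json.dumps(instance_role_policy(bucket), indent=2))
```

Scoping the bucket grant to a releases/ prefix keeps build caches and source snapshots in the same bucket out of reach of the production fleet; the prefix condition on ListBucket is what stops the Prod role from enumerating the rest of the bucket. If the bundles are encrypted with a customer-managed KMS key, the key policy needs an equivalent cross-account grant, which this example does not cover.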
We have multiple AWS accounts (about 15-20), one AWS account per client that we are managing, each account having a VPC with a dedicated setup of instances. Due to regulatory requirements all accounts need to be isolated from each other.
What is the best way to manage account credentials for these AWS accounts? The following is what I am thinking.
For any new client:
1. Create a new AWS account.
2. Create AWS IAM roles (admin, developer, tester) for the newly created account using CloudFormation.
3. Using the master AWS account, assume the roles created in step 2 to access the other accounts.
Is this the right approach to manage multiple accounts?
Thanks in advance.
Facilitating IAM roles is a very common and (I think) the right approach to manage authentication for multiple accounts indeed; AWS has just recently released respective updates that greatly help with this, see Cross-Account Access in the AWS Management Console:
Many AWS customers use separate AWS accounts (usually in conjunction with Consolidated Billing) for their development and production resources. This separation allows them to cleanly separate different types of resources and can also provide some security benefits.
Today we are making it easier for you to work productively within a multi-account (or multi-role) AWS environment by making it easy for you to switch roles within the AWS Management Console. You can now sign in to the console as an IAM user or via federated Single Sign-On and then switch the console to manage another account without having to enter (or remember) another user name and password.
Please note that this doesn't just work for the AWS Management Console, but also with the AWS Command Line Interface (AWS CLI), as explored/explained by Mitch Garnaat in Switching Roles in the AWS Management Console and AWSCLI.
Furthermore, Mitch has followed up with a dedicated new tool, 'rolemodel', to help with setting things up pretty much like you outlined, which you might want to evaluate accordingly:
Rolemodel is a command line tool that helps you set up and maintain cross-account IAM roles for the purpose of using them in the new switch role capability of the AWS management console. These same cross-account roles can also be used with the AWSCLI as described here.
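The setup the question outlines (a CloudFormation template that creates admin/developer/tester roles in each client account, assumed from the master account) and the CLI role switching the answer points to fit together in two artifacts: the template deployed per client account and the profiles in ~/.aws/config that make the CLI call AssumeRole. The following is an added example, not code from any poster, from rolemodel or from AWS. It generates both and adds two review checks on the trust policy: each role trusts only the master account, and assumption requires MFA on the calling identity. The mapping of the three role tiers to AWS managed policies is an assumption; the account ids, MFA device ARN and client names are constructed placeholders.

```python
"""Per-client cross-account roles (CloudFormation) plus matching AWS CLI profiles (added example)."""
import json

# Real AWS managed policy ARNs; which tier gets which policy is an assumption.
ROLE_POLICIES = {
    "admin": "arn:aws:iam::aws:policy/AdministratorAccess",
    "developer": "arn:aws:iam::aws:policy/PowerUserAccess",
    "tester": "arn:aws:iam::aws:policy/ReadOnlyAccess",
}


def client_roles_template(master_account_id, roles=ROLE_POLICIES):
    """Template to deploy into every client account (e.g. through a StackSet).

    Each role trusts the master account only, and the condition requires the
    assuming identity to have authenticated with MFA, so a leaked long-lived
    master access key on its own cannot reach a client account.
    """
    resources = {}
    for name, policy_arn in roles.items():
        resources[f"{name.capitalize()}Role"] = {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": name,
                "MaxSessionDuration": 3600,
                "ManagedPolicyArns": [policy_arn],
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        # :root delegates to the master account's own IAM policies,
                        # which decide who there may call sts:AssumeRole on this role.
                        "Principal": {"AWS": f"arn:aws:iam::{master_account_id}:root"},
                        "Action": "sts:AssumeRole",
                        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
                    }],
                },
            },
        }
    return {"AWSTemplateFormatVersion": "2010-09-09", "Resources": resources}


def _trust_statements(template, logical_id):
    return template["Resources"][logical_id]["Properties"]["AssumeRolePolicyDocument"]["Statement"]


def trusted_accounts(template, logical_id):
    """Account ids a role's trust policy names (review this before deploying)."""
    accounts = set()
    for stmt in _trust_statements(template, logical_id):
        principals = stmt["Principal"]["AWS"]
        for arn in principals if isinstance(principals, list) else [principals]:
            accounts.add(arn.split(":")[4])  # arn:aws:iam::<account>:root
    return accounts


def requires_mfa(template, logical_id):
    """True when every trust statement demands aws:MultiFactorAuthPresent."""
    return all(stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true"
               for stmt in _trust_statements(template, logical_id))


def cli_config(master_profile, mfa_serial, clients, roles=ROLE_POLICIES):
    """Render ~/.aws/config profiles. `aws s3 ls --profile clienta-developer` then
    has the CLI call sts:AssumeRole with the master profile's credentials and the
    MFA code it prompts for; no client-account access keys are ever created."""
    lines = []
    for client, account_id in clients.items():
        for role in roles:
            lines += [f"[profile {client}-{role}]",
                      f"role_arn = arn:aws:iam::{account_id}:role/{role}",
                      f"source_profile = {master_profile}",
                      f"mfa_serial = {mfa_serial}",
                      f"role_session_name = {client}-{role}",
                      ""]
    return "\n".join(lines)


if __name__ == "__main__":
    master = "111111111111"  # constructed master account id
    template = client_roles_template(master)
    print(json.dumps(template, indent=2))
    # Constructed client accounts and MFA device ARN.
    print(cli_config("master", f"arn:aws:iam::{master}:mfa/ops-admin", {"clienta": "222222222222"}))
```

Keeping the session name derived from client and role means the assumed-role identity shows up in each client account's CloudTrail as, for example, developer/clienta-developer, which is what an auditor asking "who touched this account" needs. If different operators must be restricted to different clients, the restriction belongs in the master account's IAM policies on sts:AssumeRole, scoped by role ARN, not in the client-side trust policy.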