I have two accounts.
Account A : This has some aws resources which should not ideally have any downtime. This is registered under aaa#gmail.com
Account B : This account does not have any aws resources, but it has some aws credits. This is registered under bbb#gmail.com
I have the access to both accounts/both emails. How I can merge those two accounts so that I can utilize aws credits.
Any method with no downtime is preferred. After the merge/migration, I am willing to keep any account as my primary account.
Thank you.
Based on AWS knowledge center article your requirement doesn't seem to be supported:
Issue
I have resources on multiple AWS accounts, and I want to merge all the
resources together under one account. Is this possible?
Resolution
It's not possible to merge multiple AWS accounts together.
There is suggestion which might help you
However, you can use AWS Organizations to manage the permissions for
multiple AWS accounts, and then combine the billing in one
consolidated bill.
You can also transfer some AWS resources between AWS accounts. For
example, with Amazon Elastic Compute Cloud (Amazon EC2), you can share
custom AMIs between accounts, which allows you to transfer instances
between accounts. Because each AWS service is unique, the way to move
resources between accounts varies by service. For more details, see
AWS Documentation.
Related
I have some engineers that have built some things using EC2 instances. I built these instances logged in with my AWS administrator account (Root user?). Now, I want to create a PROD "container" that only certain users can see. Secondly, I'd like billing for this to be completely separate, if possible, so we can bill the customer directly. I'm looking for a structure like this:
Customer 1
PROD
EC2 Instance 1
EC2 Instance 2
DEV
Customer 2
PROD
DEV
And then separately, I'd like to be able to say "Engineer 1 can access Customer 1 - DEV" or "Engineer 2 can access Customer 2 - PROD".
I know how to do this in Azure, but AWS is confounding me. What would the containers/folders above be called? Organizations?
You should setup different AWS Accounts for each application environment, e.g. "Customer 1 - DEV", "Customer 1 - PROD", "Customer 2 - DEV" and so on. This way you can leverage AWS IAM on the account level to grant individual developers access and have a clean boundary for billing as well. I'd stay away from using tags for cost allocation, as that's usually very hard to maintain clean.
To setup multiple AWS accounts, you need AWS Organizations. Organizations allows you to build a hierarchy of multiple AWS Accounts, just like an Azure Tenant with multiple Azure Management Groups and Subscriptions. In an AWS Organization you can designate one account as the "payer account" and that's the one that receives all the consumption charges for all managed accounts in your org. These charges are broken down per account, so you can easily chargeback that cost to your customers.
If you have more than a handful of accounts, I'd recommend building a landing zone. AWS Control Tower is a good point to get started though there are other options.
Use AWS Organizations and IAM Identity center. Create different accounts (and organizational units) for dev, prod, staging etc. workloads and grant access rights to certain accounts only for certain individuals. Even if the all accounts belong to same organization, you will be able to get cost reports for each account.
Rather easy to implement after reading documentation for those services.
Check also AWS Control Tower which can be used to create a secure landing zone for use case you described.
The current script checks the status of each AWS ACM certificate in every region and if ACM is expired, it invokes auto renewal for eligible ACM certs. Can you advise how I can scale this script to work the same way for multiple AWS accounts please?
With AWS Organizations, you can create a user in one of the linked accounts and give it the appropriate access to all the accounts in the organization. Here the brief description from the service page:
AWS Organizations helps you centrally govern your environment as you grow and scale your workloads on AWS. Whether you are a growing startup or a large enterprise, Organizations helps you to centrally manage billing; control access, compliance, and security; and share resources across your AWS accounts.
In your case, you can have one IAM user or Role with access to the appropriate ACM action of all the linked accounts as well as the access to list all the accounts in the organization. With that you can simply loop through all the accounts and perform the check.
Can we use AWS Lambda for cross account activity. For example, I want to store a Parameter in SSM Parameter store in multiple AWS Accounts. Imagine I have a Master AWS Account which has access to all other AWS Accounts. Now can I write a python script for storing the parameter and make use of AWS LAMBDA to perform this.
Yes Definitely. AWS services are by default explicitly denied access from anywhere. Thats where AWS IAM (Identity & Access Management) came into the picture.
Delegate Access Across AWS Accounts Using IAM Roles
Let say you have a master account that has a services needed by multiple accounts. The first thing you will do is provision the resource from that master account and then by doing so you are applying right policies that will give an access to the other accounts.
Lastly, some other services are protected by layers of protection such as NACL's for network layer protection and Security Groups for application layer protection. For this services that are protected by layers mentioned, you simply just need to check if these layers accepts and send traffic from the application ports that you're are using.
e.g. EC2 Security Group - Ingress Rule: 80, 443 0.0.0./0
Imagine I have a Master AWS Account which has access to all other AWS Accounts.
This is usually setup by AWS Organizations. It helps with management and governance of all your accounts in a unified way.
System manager, which include Parameter store has special provisions for working with AWS Organizations:
You can synchronize operations data across all AWS accounts in your organization by using Organizations and Systems Manager Explorer.
The generall cross-account concepts have been addressed by other answer.
I have one AWS user account which is/was used to created some resources for my applications earlier, Now i want to delete that AWS account, so want to list down all resources created from this account or any resources which are linked with this account to analyze impact of deleting aws account.
All resources are in one region only.
There is no single command that can list all resources in an AWS Account.
You would need to use the AWS management console or makes API calls to each service, in each region, to retrieve a listing of created resources.
A good place to start would be the billing console, which can show you which services have been consumed in which region. You can then go to each of those services and regions to view the resources. (Not all resources incur a charge, so they might not appear on the billing console. For example, security groups are not charged.)
We have multiple AWS accounts (about 15-20), one AWS account per client that we are managing, each account having VPC having dedicated setup of instances. Due to regulatory requirements all accounts needs to be isolated from each other.
What is the best way to manage account credentials for these AWS accounts? Following is what I am thinking
-For any new client
Create a new AWS account
Create AWS IAM roles (admin, developer,
tester) for newly created account using cloudformation
Using master
AWS account, assume roles created in step 2 to access other
accounts.
Is this the right approact to manage multiple accounts?
Thanks in advance.
Facilitating IAM Roles is a very common and (I think) the right approach to manage authentication for multiple accounts indeed, AWS has just recently released resp. updates that greatly help with this, see Cross-Account Access in the AWS Management Console:
Many AWS customers use separate AWS accounts (usually in conjunction with Consolidated Billing) for their development and production resources. This separation allows them to cleanly separate different types of resources and can also provide some security benefits.
Today we are making it easier for you to work productively within a multi-account (or multi-role) AWS environment by making it easy for you to switch roles within the AWS Management Console. You can now sign in to the console as an IAM user or via federated Single Sign-On and then switch the console to manage another account without having to enter (or remember) another user name and password.
Please note that this doesn't just work for the AWS Management Console, but also with the AWS Command Line Interface (AWS CLI), as greatly explored/explained in by Mitch Garnaat in Switching Roles in the AWS Management Console and AWSCLI.
Furthermore, Mitch has followed up with a dedicated new tool 'rolemodel' to help with setting things up pretty much like you outlined, which you might want to evaluate accordingly:
Rolemodel is a command line tool that helps you set up and maintain cross-account IAM roles for the purpose of using them in the new switch role capability of the AWS management console. These same cross-account roles can also be used with the AWSCLI as described here.