I have a question.
I would like to manage multiple accounts and users using an AWS API (SDK).
So is it possible to use AWS Organization in order to manage account and get access to a list of users ?
I mean i put AWS Organization connect to AWS SSO to manage multiple accounts, so can i manage accounts and users through the AWS SDK or i have to add another components ?
Any AWS SDK's Organization client will let you List, Add, Remove(Check condition to remove any account form org), Move to different OU under the same Org, etc.
But in order to list all users under a linked account, you have to use the IAM client of that account.
1- Create a role(with admin permission) let say XRole in all linked accounts and with the trust policy for the master account.
2- From Master account assume the role( XRole ) of linked account and manage/list your account's users using IAM Client.
Related
I am looking to provide a separate sandbox environment for my users. A concept similar to GCP Projects. Requirements are:
Each user should have only access to his own resources.
User should not be able to see the resources of other users.
Users should be able to create overlapping resources e.g user1 can create a VPC with 10.1.0.0/16 and user2 should be able to create the VPC with 10.1.0.0/16.
If there are any other options besides IAM, I am happy to opt.
To achieve these goals, you should provision a separate AWS Account for each user.
Each Account can be linked back to a master account using AWS Organizations.
I can see the instance from my linked account in billing console. but I can't find where is that instance. is it possible to access linked account's instance from root account in AWS.
Unfortunately this is not supported functionality within AWS according the documentation.
You can only switch roles when you sign in as an IAM user. You cannot switch roles if you sign in as the AWS account root user.
You will need to create an AWS IAM user with the permissions of "Sts:AssumeRole" for the other account you would like to connect to.
I'd suggest, if you're managing multiple accounts, move to AWS Organization.
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html
When you create an account in your organization, in addition to the root user, AWS Organizations automatically creates an IAM role that is by default named OrganizationAccountAccessRole.
That way it'll be a lot easier for you to manage your billing account and member accounts (as well as visibility on the organization level)
I want to separate out AWS resources for a multi-tenanted SaaS into separate accounts under an AWS Organization.
I have multiple OUs, split by function, e.g. logs, audit, compute. I will have SCPs associated with each OU.
Each tenant will have an account under each OU, which means as I add new tenants, each account will inherit the respective SCP to that OU.
To enable the developers to build out the platform and to be able to debug the running system, I want to use a hub-and-spoke type approach to access control using a federated IdP, similar to that described here: https://segment.com/blog/secure-access-to-100-aws-accounts/.
Specifically, I will have an identity account that will be bound to Okta. Users will authenticate into this account and then use sts:assume-role to escalate to roles in other accounts. Note that I want a separate identity account and not have users authenticate to the master account in the organization (thus within the organization, we have master and identity accounts, plus the OUs each with their respective accounts).
In order to programmatically create a new tenant, I need to create the tenant's accounts and place them in the correct OU, and therefore this needs to be done in the master account. I can do this by creating a role within the master account and having developers assume that role from the identity account.
How do I create roles in the new accounts that developers can assume from the identity account? Member accounts have a role called OrganizationAccountAccessRole automatically created (see here for details), but that is set to only be accessible from the master account and it enables access to everything in that account. How can I enable a developer within the identity account to programmatically create new accounts and the roles within them without granting such all-powerful permissions (they should have no more permissions to perform this task than necessary). I don't think I can assume a role in the master account from the identity account and then further assume a role in a third account?
EDIT: I am really only interested in answers that address the steps/configuration needed to achieve the solution I describe.
Cloudformation StackSets addresses this problem.
Basically, the steps are:
Set up roles in the child accounts that have permissions to deploy resource with a trust relationship to the role of the parent account (which you're deploying from)
Create a StackSet in parent account and deploy a Cloudformation template into it to selected accounts or Organizational Units (OU) or whole organization
StackSets supports AWS Organizations so you can select OU's instead of selecting individual accounts.
I would put forward that an elegant solution is to use the AWS Service Catalog product which allows you to create and manage catalogs of services that are approved for use in your AWS environment. As a matter of fact, the setup described in this AWS blog post can be customized to achieve what you want. It provides an example for creating an Account Builder product that when launched by your end users, uses an AWS Lambda script to:
Provision an AWS member account
Assume the Organizational Role for the account
Use a CloudFormation template to customize the account (in your case, to create the additional IAM roles)
You can customize it further to even delete the Organizational Role account when it's done.
Source code for the Lambda function along with the CloudFormation templates is provided that you can tweak to produce the exact behavior you are looking for.
Hope this helps.
I would like to write a policy for a new IAM user so that he can have a full access to AWS Services such as EC2, RDS, Cloud Front, S3, etc. However he should be only able to view (describe) and manage the instances/services that he launches. He can't see other existing/future instances/services created by other users.
This case happens in a company that wants to outsource some projects to an outsourced company. So the new IAM user is for giving access to the outsourced company to setup the staging & production environments in AWS that belongs to the company. How can I achieve this?
Thanks.
Best Regards,
Mark
AFAICT there are no conditions on creator.
One obvious alternative is having a separated dependent and linked account with consolidated billing. You can find some detail in the third scenario of this paper
https://media.amazonwebservices.com/AWS_Setting_Up_Multiuser_Environments_Education.pdf
[...] an administrator creates separate AWS accounts for each user who
needs a new AWS account. These accounts can optionally be linked
together and a single AWS account can be designated as the paying
account using consolidated billing, which provides a single bill for
multiple AWS accounts. The administrator then creates an IAM user in
each AWS account and applies an access control policy to each user.
Users are given access to the IAM user within their AWS account, but
do not have access to the root credentials of the AWS account.
Users can log into the AWS Management Console with their IAM
credentials and then they can launch and access different AWS
services, subject to the access control policies applied to their
account. Users have direct control over the access credentials for
their resources and they can also share these resources with other
users as necessary.
I have a parent IAM account and I have multiple clients. I want to have multiple child account in AWS. I dont want the child account to see the resources in parent account and other child account.
How can I implement this?
Thanks
You can create multiple AWS accounts, and link them. You will have to do this with the master account root credentials, not an IAM account.
Full details are here:
Update, Q1 2017:
AWS has introduced Organizations, which lets you create a new account linked to your payer account. Organizations is also supported by the AWS CLI, so you can create new accounts programmatically, without needing the root credentials.
You can assume roles with temporary credentials to grant access between accounts, see http://docs.aws.amazon.com/IAM/latest/UserGuide/WorkingWithRoles.html