I know i can create roles and switch between them and I've done a bit a research and it seems the answer is no but I just wanted to make sure.
So i was hoping that when a account joins my organisation, there would be some way for me to use my master account to login to the new OU, e.g. without me having to login and create new roles / users etc. Is this possible?
In order to access the new account from your existing “master” account, the new account that joins your org needs to have a role which allows cross-account access from your master account.
Its worth noting that many organizations automate the creation of accounts, and then use CloudFormation to configure the account (which you could use to create a cross account role for you to use to access the new account). You can learn more about this in the AWS tutorial here.
Related
Our AWS account has been hacked due to someone wrongly supplying an Administrator level access key.
We didn't have an Organisation set up, but the attackers created one. They have then created linked accounts within the organisation and created EC2 instances within them.
The problem I have is that I can't see any way to:
Delete the linked accounts (it says I need to add a payment method to the linked account)
View or terminate the EC2 instances on the other accounts
Can someone please tell me if it's possible to use my root login to access the EC2 instances on the linked accounts? This is costing us a lot of money in the last few hours unfortunately. I have a support case with AWS but they have mentioned that it could take 2-3 business days...
I have disabled users via IAM and made keys inactive.
Thank you in advance.
Based on the comments.
Since the OP already contacted the support, the one thing to do was to access the compromised accounts from the master account and disable the instances. The procedure to do it is explained in the AWS docs:
After I use AWS Organizations to create a member account, how do I access that account?
When you create a AWS account in an Organization you set up a roles that the organization account can use to assume access into that account. If you can see what role is used for these accounts use that role and and assume access into it and take down what you need.
To get the concept of it better you can try to create your own account with organization and assume that role.
This should work as long as the hacker haven't done anything to the role.
Here is docs on how to do this:
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html
Let's assume in current AWS organization we have 2 developers accounts. From what I found it is a good practice to create a separate AWS account per environment and give access to these resources.
My question is:
What is the best way to share access to the resources (e.g. EC2, EKS, EFS) for multiple developers? Now I see only these two options:
Create a separate AWS account for each developer and allow to access some resources by applying roles to that developers AWS accounts.
Within a root account of each AWS environment create a IAM user account for each developer and from that point manage permissions by policies and user groups.
Please let me know. I appreciate any type of help! :)
You should setup AWS SSO. Either integrated with your existing identity provider, or using the built in user system.
https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html
This will allow you to create permission sets. Then, you can assign permission sets to users in particular accounts. This will create a role in the account which the users can assume
I want to separate out AWS resources for a multi-tenanted SaaS into separate accounts under an AWS Organization.
I have multiple OUs, split by function, e.g. logs, audit, compute. I will have SCPs associated with each OU.
Each tenant will have an account under each OU, which means as I add new tenants, each account will inherit the respective SCP to that OU.
To enable the developers to build out the platform and to be able to debug the running system, I want to use a hub-and-spoke type approach to access control using a federated IdP, similar to that described here: https://segment.com/blog/secure-access-to-100-aws-accounts/.
Specifically, I will have an identity account that will be bound to Okta. Users will authenticate into this account and then use sts:assume-role to escalate to roles in other accounts. Note that I want a separate identity account and not have users authenticate to the master account in the organization (thus within the organization, we have master and identity accounts, plus the OUs each with their respective accounts).
In order to programmatically create a new tenant, I need to create the tenant's accounts and place them in the correct OU, and therefore this needs to be done in the master account. I can do this by creating a role within the master account and having developers assume that role from the identity account.
How do I create roles in the new accounts that developers can assume from the identity account? Member accounts have a role called OrganizationAccountAccessRole automatically created (see here for details), but that is set to only be accessible from the master account and it enables access to everything in that account. How can I enable a developer within the identity account to programmatically create new accounts and the roles within them without granting such all-powerful permissions (they should have no more permissions to perform this task than necessary). I don't think I can assume a role in the master account from the identity account and then further assume a role in a third account?
EDIT: I am really only interested in answers that address the steps/configuration needed to achieve the solution I describe.
Cloudformation StackSets addresses this problem.
Basically, the steps are:
Set up roles in the child accounts that have permissions to deploy resource with a trust relationship to the role of the parent account (which you're deploying from)
Create a StackSet in parent account and deploy a Cloudformation template into it to selected accounts or Organizational Units (OU) or whole organization
StackSets supports AWS Organizations so you can select OU's instead of selecting individual accounts.
I would put forward that an elegant solution is to use the AWS Service Catalog product which allows you to create and manage catalogs of services that are approved for use in your AWS environment. As a matter of fact, the setup described in this AWS blog post can be customized to achieve what you want. It provides an example for creating an Account Builder product that when launched by your end users, uses an AWS Lambda script to:
Provision an AWS member account
Assume the Organizational Role for the account
Use a CloudFormation template to customize the account (in your case, to create the additional IAM roles)
You can customize it further to even delete the Organizational Role account when it's done.
Source code for the Lambda function along with the CloudFormation templates is provided that you can tweak to produce the exact behavior you are looking for.
Hope this helps.
I am using below services of aws and for that their are IAM users exists and now i want to delete all IAM users and want to create new users and want to apply that users to the services.
And i want to replace old users from services and want to add new created users to the services. So how i achieve this?
Services:
1) s3
2) ses
3) cloudfront
4) lambda (for forwarding ses emails)
And i have one more question, If we copy the old users permission to the new one. So will it impact any service?
Basically, I want to remove old users and create new users with same old users policies.
Answers:
First Question:
Simple answer on how to go about doing this is as below:
1. Replace on one account at a time.
2. You check the existing user accounts' Permissions and Groups tabs in IAM
3. Make note of all access, groups and roles the old accounts have assigned
4. Create the new user accounts with same permissions
5. Test the access works same with new accounts as it was working with old accounts
Second Question: If we copy the old users permission to the new one. So will it impact any service?
Answer:
You should not have major impact if the users are console users only. But if there are users that have programmatic access, then you might have be extra careful. These accounts could be used by developers or services on AWS or elsewhere. You might have to go through the IAM user in detail to see if any of these users have their purpose and places of use documented. So, is they are service accounts or used to carry out automated actions, then you must thoroughly test that account's usage and then delete the old account.
I share an organization with other members but we are not able to see each other's instances. Is it possible to view and create other member's instances within one organization?
When you create an AWS organization you are not given access to other accounts in the organization automatically. To gain access to resources in another account you create a role in the other account and then "Switch Role" to assume the permissions of that role.
Let's say that you login to account nicknamed "Development". You want to access EC2 instances in the "Production" account. Once you have created a role in the Production account that you can assume, then at the top right of the Amazon Management Console click on your username / account number. A menu appears, then select "Switch Role". If you have previously done this, the previous role will be remembered, otherwise you enter the account number and role name for "Production".
This sounds complicated, but once you do this, it will appear simple and logical. Just remember that when you switch roles, you are temporarily giving up access to one account to obtain access to another account. Your "identity" basically switches. Sort of like the Linux command "su" to switch login identities.
Here is a link to help walk you thru setting up cross account access.
Tutorial: Delegate Access Across AWS Accounts Using IAM Roles
Cloudformation stack for creating cross-account roles
Easing the Creation of Cross-Account Roles for Customers
AWS Organizations are primarily used for consolidated billing. You can apply SCPs to child accounts. You cannot view resources of one account from other account. You can access them using Cross Account IAM roles.
Please read the service description at https://aws.amazon.com/organizations/