I do not understand the VPC sharing concept.
So I have my root account and under this account I've created two accounts:
- myVPCShare1
- myVPCShare2
Both accounts have full administrator rights.
The VPC sharing documentation says that it allows sharing VPCs between accounts.
So I've created a VPC (shareVPC) with a subnet (sharedSubnet) using the myVPCShare1 account, and when I switch to myVPCShare2 I see both shareVPC and sharedSubnet without doing any VPC sharing.
Moreover, using myVPCShare1 I've created an EC2 instance, and I can also see this instance when I switch to myVPCShare2.
So my question is:
Can someone explain to me the purpose/usage of VPC sharing?
Here's the basis of your misunderstanding:
So I have my root account and under this account I've created two accounts
No, you haven't. You've created two users in the same AWS account.
Those two users, the root user, and any other users of yours are all owned by the same AWS account, and thus see all the account's resources (such as the EC2 instance described above) as long as they have permission to do so.
VPC Sharing applies across account boundaries -- not within the same account.
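As an added illustration (my own code, not part of the answer above and not AWS's own tooling), the script below tells apart two IAM users in one account from two separate accounts by comparing the account-ID field of their ARNs, and builds the AWS RAM request that actually shares a subnet with another account, which is the mechanism the VPC sharing documentation refers to. The account IDs, user names and subnet ID are made up.

```python
"""Added example (not from the original answer): "two users in one account" vs
"two accounts", plus the RAM request that shares a subnet across accounts.
Every ARN and account ID below is constructed for illustration."""
from typing import List, NamedTuple


class Arn(NamedTuple):
    partition: str
    service: str
    region: str
    account: str
    resource: str


def parse_arn(arn: str) -> Arn:
    """Split an ARN into its five fixed fields.  The resource part may itself
    contain ':' (Lambda versions, some S3 ARNs), so split at most five times."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return Arn(*parts[1:])


def account_of(arn: str) -> str:
    return parse_arn(arn).account


def visibility(principal_arn: str, resource_arn: str) -> str:
    """Same account: only the principal's IAM policy decides, so an
    administrator user sees everything the account owns.  Different account:
    nothing is visible until the owner shares it (RAM for subnets) or offers
    a role the other account can assume."""
    if account_of(principal_arn) == account_of(resource_arn):
        return "same-account: governed by IAM permissions only"
    return "cross-account: requires a RAM share or an assumable role"


def subnet_share_params(share_name: str, subnet_arns: List[str],
                        consumer_account_ids: List[str]) -> dict:
    """Keyword arguments for boto3's ram.create_resource_share().  Principals
    are account IDs (or Organization/OU ARNs).  allowExternalPrincipals=False
    keeps the share inside your AWS Organization, the safer default."""
    for arn in subnet_arns:
        a = parse_arn(arn)
        if a.service != "ec2" or not a.resource.startswith("subnet/"):
            raise ValueError(f"RAM VPC sharing works on subnets, got {arn!r}")
    return {
        "name": share_name,
        "resourceArns": list(subnet_arns),
        "principals": list(consumer_account_ids),
        "allowExternalPrincipals": False,
    }


# Constructed identities mirroring the question: two users in ONE account.
USER1 = "arn:aws:iam::111111111111:user/myVPCShare1"
USER2 = "arn:aws:iam::111111111111:user/myVPCShare2"
SUBNET = "arn:aws:ec2:us-east-1:111111111111:subnet/subnet-0123456789abcdef0"
# A principal from a genuinely different (made-up) account.
OTHER_ACCOUNT_ROLE = "arn:aws:iam::222222222222:role/Admin"


if __name__ == "__main__":
    print(visibility(USER2, SUBNET))
    print(visibility(OTHER_ACCOUNT_ROLE, SUBNET))
    params = subnet_share_params("shareVPC-subnets", [SUBNET], ["222222222222"])
    print(params)
    # Live call (needs credentials in the owning account; boto3 imported
    # lazily so the rest of the file runs offline):
    # import boto3; boto3.client("ram").create_resource_share(**params)
```

The quickest real-world check is `aws sts get-caller-identity` as each user: the `Account` field is identical for myVPCShare1 and myVPCShare2, which is exactly why the second user sees the VPC, subnet and instance without any share. Only a RAM share whose principal is a different account ID (for an account outside your Organization, also `allowExternalPrincipals=True` and an accepted invitation on the other side) makes a subnet appear in another account.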
Related
I have created a GCP project with multiple VPCs, say vpc-a, vpc-b, vpc-c.
I have created two service accounts - svc-acct-a and svc-acct-b
Requirement:
On execution of gcloud compute networks list
svc-acct-a should list only vpc-a
svc-acct-b should list vpc-a, vpc-b and vpc-c
What is the best way to achieve this? Please describe in details with the required commands or UI configurations.
I couldn't find a way to assign IAM roles at a VPC level.
You can't add permissions at the VPC level, only at the subnet level. In addition, IAM Conditions don't support VPC or subnet resource types, so that isn't an option either.
Finally, for the list method, if the account (service or user) has access to this API, the API response won't be filtered according to permissions (this holds for all API calls, not specifically for VPCs/subnets): the full list will be returned.
I am looking to provide a separate sandbox environment for my users. A concept similar to GCP Projects. Requirements are:
Each user should have only access to his own resources.
User should not be able to see the resources of other users.
Users should be able to create overlapping resources, e.g. user1 can create a VPC with 10.1.0.0/16 and user2 should be able to create a VPC with 10.1.0.0/16.
If there are any other options besides IAM, I am happy to opt.
To achieve these goals, you should provision a separate AWS Account for each user.
Each Account can be linked back to a master account using AWS Organizations.
If I have 2 VPCs set up for 2 different teams on a single project in GCP and want to give the IAM users access to one single VPC and the resources in that VPC only, how do I do that in Google Cloud Platform? What IAM roles have to be assigned to these users?
You can't achieve this easily and out of the box. The VPC is a resource, and you can restrict access on this resource. VMs (on this VPC) are also resources, and the permissions granted on the VPC aren't inherited by the resources that use this VPC.
You can use a new feature, named asset relationship, that provides you the relations between assets. That way you could get the assets (resources) related to your VPC and enforce the same restriction on all of them. But you need to code this, it's not out of the box, and the feature is still in preview.
This question may seem noobish, but I am pulling my hair out with our AWS organization. We have 3 separate root accounts connected in a single organization with IAM accounts and policies. We can only see instances from the default root account in the EC2 list (yes I am looking in the correct region). We have shared full account access across all of the others accounts and accepted the invitations. Our billing works perfectly, and funnels from our main root account (and I can see billing of the other separate accounts fine). Even our highest level of admin (literally a grant permission to everything) cannot see instances launched from one of the separate root accounts.
Our goal is our admin group should see EC2 instances from all 3 root accounts in the organization without switching accounts or credentials.
I know this has to be possible, but I have spent at least 2 hours and have not gotten far. Any suggestions on how to achieve this?
There are some terminology issues here. There are no root accounts or main root accounts in AWS Organizations. There is one management AWS account and there are zero or more member AWS accounts.
The term root refers to an AWS Organizations construct within the management account that is the parent container for all of the member accounts in your organization. See AWS Organizations Terminology and Concepts for more.
There are two ways to 'join' a member account to an organization:
an admin in the management account creates a new member account
an admin in the management account invites an existing account to become a member
If you use option #1, administrative control over the member account is automatically provided for you through an auto-created IAM role called OrganizationAccountAccessRole that you can use to grant users in the management account administrator access to the created member account.
If you use option #2, you do not automatically have full administrator control over the member account. If you want the management account to have full administrative control over an invited member account, you must create the OrganizationAccountAccessRole IAM role in the member account and grant permission to the management account to assume the role. To configure this, after the invited account becomes a member, follow the steps in Creating the OrganizationAccountAccessRole in an Invited Member Account.
#jarmod's answer provides a good overview of the terminology. I don't think it addresses your visibility problem.
Your assumption appears to be that the master account of the organization should be able to directly see all resources of all accounts within the organization in its AWS console or via the API. That's not correct.
The resources in the accounts are generally still separated (although some things can be shared, but that's another matter), but you can switch into these accounts by assuming a role in them and then you're able to see the resources - this is what #jarmod is describing. After you've switched into an account, you'll be able to see all resources within that respective account.
To learn more about organizations and their capabilities, here are some helpful links:
Documentation on Managing Access Permissions for Your AWS Organization
Services that can be used in conjunction with organizations
Resources within an AWS Account logically belong to that account and not to its organization.
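Putting the two answers above together, here is an added example (my own code, not from either answer) of how the management account gets a view of instances in all member accounts without anyone switching credentials by hand: it assumes OrganizationAccountAccessRole in each member and calls DescribeInstances with the temporary credentials, and it also emits the trust policy an invited member has to attach to that role. The STS and EC2 clients are injected so the logic runs offline against the fake clients defined at the bottom; all account and instance IDs are made up.

```python
"""Added example, not code from the original answers: list EC2 instances in
every member account of an Organization from the management account by
assuming OrganizationAccountAccessRole in each one.  AWS clients are injected
so the logic runs offline against fakes; every account ID here is made up."""
import json
from typing import Callable, Dict, List

ROLE_NAME = "OrganizationAccountAccessRole"


def role_arn(account_id: str, role_name: str = ROLE_NAME) -> str:
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def trust_policy(management_account_id: str) -> dict:
    """Trust policy an *invited* member has to attach to the role so the
    management account can assume it (accounts created by the Organization get
    this automatically).  Trust the management account, never '*'."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{management_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def list_instances_across_accounts(
    member_account_ids: List[str],
    sts_client,
    ec2_client_for: Callable[[dict], object],
    role_name: str = ROLE_NAME,
) -> Dict[str, List[str]]:
    """Return {account_id: [instance IDs]}.  Accounts where AssumeRole fails
    (typically an invited member that never created the role) are reported
    with an 'ERROR: ...' entry rather than silently dropped."""
    result: Dict[str, List[str]] = {}
    for account in member_account_ids:
        try:
            creds = sts_client.assume_role(
                RoleArn=role_arn(account, role_name),
                RoleSessionName="org-inventory",
            )["Credentials"]
        except Exception as exc:  # boto3 raises botocore.exceptions.ClientError
            result[account] = [f"ERROR: {exc}"]
            continue
        ec2 = ec2_client_for(creds)
        ids: List[str] = []
        token = None
        while True:  # describe_instances is paginated via NextToken
            page = ec2.describe_instances(**({"NextToken": token} if token else {}))
            for reservation in page["Reservations"]:
                ids.extend(i["InstanceId"] for i in reservation["Instances"])
            token = page.get("NextToken")
            if not token:
                break
        result[account] = ids
    return result


def boto3_ec2_for(creds: dict, region: str = "us-east-1"):
    """Real client factory: an EC2 client built from the temporary credentials.
    boto3 is imported lazily so the rest of the file works without it."""
    import boto3
    return boto3.client("ec2", region_name=region,
                        aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])


# --- Offline fakes (constructed data) -------------------------------------
FAKE_INVENTORY = {"111111111111": ["i-0aaa"], "222222222222": ["i-0bbb", "i-0ccc"]}


class FakeSts:
    """AssumeRole succeeds for created members; 333... was invited and never
    created the role, so it denies."""
    def assume_role(self, RoleArn: str, RoleSessionName: str) -> dict:
        account = RoleArn.split(":")[4]
        if account not in FAKE_INVENTORY:
            raise PermissionError("AccessDenied: not authorized to perform sts:AssumeRole")
        return {"Credentials": {"AccessKeyId": "ASIAFAKE", "SecretAccessKey": "x",
                                "SessionToken": f"fake-token-for-{account}"}}


class FakeEc2:
    def __init__(self, account: str):
        self.account = account

    def describe_instances(self, **kwargs) -> dict:  # single page, no NextToken
        return {"Reservations": [{"Instances": [{"InstanceId": i}
                                                for i in FAKE_INVENTORY[self.account]]}]}


def fake_ec2_for(creds: dict) -> FakeEc2:
    return FakeEc2(creds["SessionToken"].rsplit("-", 1)[1])


if __name__ == "__main__":
    members = ["111111111111", "222222222222", "333333333333"]
    print(json.dumps(list_instances_across_accounts(members, FakeSts(), fake_ec2_for), indent=2))
    print(json.dumps(trust_policy("999999999999"), indent=2))
    # Live: import boto3; list_instances_across_accounts(members, boto3.client("sts"), boto3_ec2_for)
```

This is what "without switching accounts" looks like in practice: the operator's own credentials never change, the script assumes a role per member on their behalf, and each member's resources are still only reachable through a role that exists in and is owned by that member account. A member in which the role was never created shows up as an error entry, which would match the symptom in the question if those accounts were invited rather than created by the organization.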
To ease billing I want to use a different AWS account for each cost center. But we want all the services to run inside the same VPC. This is both because different services may need to communicate with each other and because there are a limited number of hardware VPN connections available. So the question is how can you make your VPC available to other AWS accounts that you own so they can launch instances inside of it?
The infrastructure team has an AWS Account A. The VPC is present on this account and is billed to the infrastructure team for the NAT instance and the VPN gateway.
The team on a project has an account B. The instances need to be launched and billed to this account.
I've been reading the resources here: http://docs.aws.amazon.com/IAM/latest/UserGuide/delegation-cross-acct-access.html . It seems as if I can use AssumeRole as Account B to grant access across accounts, but then as far as I can tell my identity changes to Account A (the owner field had the number for Account A). Resource-based policies seem like what I'm thinking of, but they are not supported for VPCs.
I'm assuming there has to be some way to do this. Otherwise it doesn't make any sense to have an owner field with an AWS account number for EC2 instances and other resources.
If you enable programmatic access to your bills, you can select the tags you want included. This allows you to produce the report you're looking for.
As of June 2013, Amazon has confirmed that it is not possible to share a VPC with another account: https://forums.aws.amazon.com/thread.jspa?messageID=462834&tstart=0#