I am working for two separate employers on projects with similar goals. Both use Amazon EC2 for their servers, and both gave me an account to access their instances, each with a different user ID and password pair. Is it possible to have these two accounts be a subset of another account, so I can switch easily from one account to the other from that main account?
No, not unless you want the superset account to also assume billing responsibility for the sub-accounts. I'm pretty sure neither you nor either of your two employers would appreciate being billed for the composite EC2 usage of both...
From a working-practices viewpoint, however, you can configure ElasticFox with any number of different account configurations and switch between them at the click of a dropdown.
I have two EC2 instances in a single AWS account. Both are running different application services. Now, I want to make the billing separate within that account, so I can see the exact spend and charges for each application and manage my account accordingly for separate accounting purposes.
Is it possible? If not, can anyone suggest a better way to achieve this?
I'm considering using different AWS accounts for the two services, but that will be hard to manage, so I'd prefer not to take that option.
For comparison, Google Cloud lets you have different billing accounts within the same Google Cloud account, so I thought this concept might be available on AWS as well.
Thanks in advance for any help or suggestions.
You can't get separate bills for different sets of resources within the same AWS account. However, you can filter out the costs for different sets of resources using tags. By using a distinct tag (or set of tags) on the resources you allocate to each application, you can get a breakdown of the cost for each application in billing reports and Cost Explorer. See the documentation for details and steps on how to set it up - https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html
I believe it's the same with Google Cloud as well - although you can have multiple billing accounts within your Google account (the hierarchy in GC is different from AWS, and an AWS account is more similar to a GC project than a GC account), a project within your account must have one billing account and does not support multiples.
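To show what the tag-based breakdown in the answer above looks like once the tag is activated as a cost allocation tag, here is an added example (not code from the answer or from AWS). It aggregates a constructed excerpt of a Cost and Usage Report by the activated tag "Application"; the column name format resourceTags/user:<Key> is how the report exposes activated user tags, and the product codes, resource ids and costs are made-up sample values. Untagged line items are collected under their own key, since spend on resources nobody tagged is the usual gap in this kind of report.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed excerpt of a Cost and Usage Report (real reports carry many more columns).
# The activated cost allocation tag "Application" appears as resourceTags/user:Application;
# the last row deliberately has no tag value to show how untagged spend surfaces.
SAMPLE_CUR = """\
lineItem/ProductCode,lineItem/ResourceId,lineItem/UnblendedCost,resourceTags/user:Application
AmazonEC2,i-0aaa111,12.40,billing-api
AmazonEC2,i-0bbb222,9.10,reporting
AmazonS3,example-bucket-a,0.75,billing-api
AmazonEC2,i-0ccc333,4.00,
"""

UNTAGGED = "(untagged)"


def cost_by_tag(report_csv: str, tag_key: str) -> dict:
    """Sum UnblendedCost per value of the given cost allocation tag.

    Decimal is used because these are money amounts; floats would drift on large reports.
    """
    column = f"resourceTags/user:{tag_key}"
    totals = defaultdict(Decimal)
    for row in csv.DictReader(io.StringIO(report_csv)):
        totals[row.get(column) or UNTAGGED] += Decimal(row["lineItem/UnblendedCost"])
    return dict(totals)


def untagged_resources(report_csv: str, tag_key: str) -> list:
    """List (product, resource id) pairs that carry no value for the tag, i.e. the
    resources that must be tagged before the per-application breakdown is complete."""
    column = f"resourceTags/user:{tag_key}"
    return [
        (row["lineItem/ProductCode"], row["lineItem/ResourceId"])
        for row in csv.DictReader(io.StringIO(report_csv))
        if not row.get(column)
    ]


if __name__ == "__main__":
    for tag_value, total in sorted(cost_by_tag(SAMPLE_CUR, "Application").items()):
        print(f"{tag_value:14} {total:>8}")
    print("untagged:", untagged_resources(SAMPLE_CUR, "Application"))
```

A tag only shows up in the report after it has been activated as a cost allocation tag in the billing console, and only for usage after activation, so the untagged bucket will also include resources tagged before that point.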
By this:
"Now, I want to make billing separate for that particular account."
do you mean you already have two different AWS accounts? If yes, you can get billing details per account if they are part of the same Organization. Check the AWS Organizations docs for more info.
With Organizations, you can view the bills of the different accounts from one account if they are part of the org. Your accounts also get discounts for services.
My employer is asking me what hours I want to use AWS VMs.
They don't want to grant me full corporate access, because in the past people have shut down mission critical instances by mistake.
I'd like the flexibility to start/stop my own instance and not be reliant on asking someone else to extend the hours on an ad hoc basis, as I often work odd hours into the night if I am on a roll with something.
Other than the expense of a 24/7 use case, is there a more cost-effective capability that I can point the gatekeeper to, that would allow this sort of flexibility?
At the moment, I'm pretty naive on the AWS front. I just use the VMs I've been given to use.
BTW: I think there are issues about having them in certain domains - so I can't just have my own individual account.
Thanks in advance for your advice.
"I think there are issues about having them in certain domains - so I can't just have my own individual account."
This is what AWS Organizations is for: you have your own account, but it's tied to the corporate account and can be granted access to perform certain functions.
You don't describe what you're creating these instances for, but I'm going to assume that it's development testing. In that case, you would work entirely within your own sandbox, and be unable to affect the mission-critical resources. If there's a need for explicit domain naming, they can delegate authority for a sub-domain, and if necessary use CNAMEs to link hosts in that sub-domain to the parent domain.
If you need to do production support work, such as bringing up a new production machine, they can create a role that grants you permission to do so -- probably one that allows you to start machines but not stop them.
"At the moment, I'm pretty naive on the AWS front"
Unfortunately, it sounds like they are as well. I think the best thing you can do is point them at the Organizations doc.
I was thinking: what if my AWS account gets deleted or becomes inaccessible one fine day? (It may sound weird.) Has anyone implemented a solution for this? Can we back up from one AWS account to another AWS account?
There are several things you can do, one is to make sure you have at least two administrator accounts, one that you use, and one that you store away in a safe place and only use for emergencies.
The second is to set up a completely separate AWS account as a 'backup', with its own set of credentials. You can grant cross-account access from your primary account to your backup account, but only allow the primary account to 'put' or back up objects to the backup account, so that even if your primary account is compromised, the attacker can't do harm to the second account from the primary account.
The actual process to back up your services on one account to another is going to vary depending on which services you are using, but the concept is the same - back up the data to S3 and then copy the data from S3 in your primary account to S3 in the backup account - and make sure the primary account only has enough access to the second account to 'put' things, not delete. Nobody in your company should have access to both of those sets of credentials (assuming your company is not tiny).
You don't want to be this company that was put out of business when their account was compromised:
https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/
Also, in this video from AWS re:Invent 2015 (starting around 50 minutes in), listen to how Airbnb protects against these issues in just this way:
https://www.youtube.com/watch?v=eHg8LD5KNC0
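The put-only cross-account arrangement described in this answer, written out as an added example (not code from the answer or from AWS): a bucket policy for the backup account that lets one role in the primary account write and list, and explicitly denies delete-type actions to every principal outside the backup account, plus a small check that flags any cross-account grant beyond s3:PutObject and s3:ListBucket. The account ids, bucket name and backup-writer role name are constructed placeholders; the condition key aws:PrincipalAccount and the S3 action names are real.

```python
import json

# Constructed identifiers: replace with your own account ids, bucket and role names.
PRIMARY_ACCOUNT = "111111111111"   # the account whose data is being backed up
BACKUP_ACCOUNT = "222222222222"    # the isolated account that owns the backup bucket
BACKUP_BUCKET = "example-corp-backups"

# The only actions a backup writer needs; nothing here can remove or expire data.
WRITE_ONLY_ACTIONS = {"s3:PutObject", "s3:ListBucket"}


def backup_bucket_policy() -> dict:
    """Bucket policy applied in the backup account.

    Allow statements are scoped to one role in the primary account. The Deny statement
    covers object/bucket deletion and the two bucket settings that could be used to
    expire objects or rewrite this policy, for anyone outside the backup account.
    """
    writer_role = f"arn:aws:iam::{PRIMARY_ACCOUNT}:role/backup-writer"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowPrimaryToWrite",
                "Effect": "Allow",
                "Principal": {"AWS": writer_role},
                "Action": ["s3:PutObject"],
                "Resource": f"arn:aws:s3:::{BACKUP_BUCKET}/*",
            },
            {
                "Sid": "AllowPrimaryToList",
                "Effect": "Allow",
                "Principal": {"AWS": writer_role},
                "Action": ["s3:ListBucket"],
                "Resource": f"arn:aws:s3:::{BACKUP_BUCKET}",
            },
            {
                "Sid": "DenyCrossAccountDelete",
                "Effect": "Deny",
                "Principal": "*",
                "Action": [
                    "s3:DeleteObject",
                    "s3:DeleteObjectVersion",
                    "s3:DeleteBucket",
                    "s3:PutLifecycleConfiguration",
                    "s3:PutBucketPolicy",
                ],
                "Resource": [
                    f"arn:aws:s3:::{BACKUP_BUCKET}",
                    f"arn:aws:s3:::{BACKUP_BUCKET}/*",
                ],
                "Condition": {"StringNotEquals": {"aws:PrincipalAccount": BACKUP_ACCOUNT}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_account(principal: str):
    """Account id behind an AWS principal; '*' (anyone) is returned as None."""
    if principal == "*":
        return None
    if principal.startswith("arn:"):
        return principal.split(":")[4]
    return principal  # bare 12-digit account id


def cross_account_allows(policy: dict, owner_account: str) -> set:
    """Actions that Allow statements grant to at least one principal outside owner_account.

    Wildcard actions such as s3:* are not expanded; they are returned as written so the
    caller can flag them.
    """
    granted = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if any(_principal_account(p) != owner_account for p in principals):
            granted.update(_as_list(stmt["Action"]))
    return granted


def check_write_only(policy: dict, owner_account: str) -> list:
    """Findings that break the put-only rule: any cross-account grant outside
    WRITE_ONLY_ACTIONS, or the absence of an explicit Deny on object deletion."""
    findings = [
        f"cross-account principal granted {action}"
        for action in sorted(cross_account_allows(policy, owner_account) - WRITE_ONLY_ACTIONS)
    ]
    denied = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny":
            denied.update(_as_list(stmt["Action"]))
    if not {"s3:DeleteObject", "s3:DeleteObjectVersion"} <= denied:
        findings.append("no explicit Deny on delete actions")
    return findings


if __name__ == "__main__":
    policy = backup_bucket_policy()
    print(json.dumps(policy, indent=2))
    print("findings:", check_write_only(policy, BACKUP_ACCOUNT))
```

Two things the policy alone does not cover: the backup-writer role in the primary account also needs an identity policy allowing s3:PutObject on this bucket (cross-account access requires both sides to allow it), and the bucket should have versioning enabled, since a PutObject with an existing key would otherwise overwrite the earlier backup. Setting the bucket's Object Ownership to "bucket owner enforced" makes every object written by the primary account owned by the backup account, which is what keeps the primary account from controlling them later.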
Finally, after a lot of research and help from Skeddly, I found a solution for Linux machines.
Via Skeddly we can copy EBS snapshots to another AWS account hassle-free. It works brilliantly. Now even if my primary AWS account is compromised, I have all the EBS snapshots to start with in the BCP AWS account for Linux machines ;)
Now I'm hunting for a Windows machine solution, for which I already have an idea... ;)
I would like to have different environments in AWS. At first I thought of differentiating environments by tags on AWS resources. But then I cannot restrict users from changing the tags of a machine. What that means is, if I allow them ec2:CreateTags, they can not only create tags but also change the tags of any of the resources, since I cannot apply a condition on it - say, for example, that it belongs to a particular VPC or subnet. If I don't allow them the privilege to create tags, then they can launch an instance but their tags are not applied, and hence any further operation on the instance is not permitted.
If I want to distinguish between environments by VPC ID, then for operations such as ec2:StartInstances I cannot apply a condition to allow the operation only in a specific VPC ID, but I can conditionally allow it based on a resource tag, which for the reasons in the previous paragraph is not convincing.
The AWS documentation mentions:
"One approach to maintaining this separation was discussed in the Working with AWS Access Credentials, that is, to use different accounts for development and production resources."
So is it possible to have one paying account for several other accounts, which are themselves paying accounts? I still don't think multiple accounts just for different environments is a good idea.
How do you generally differentiate among environments for enforcing policies?
Thanks.
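As an added example (not from the question or from AWS) of the tag-based guard discussed in this question and of why it is "not convincing": a developer policy that allows instance lifecycle actions only where ec2:ResourceTag/Environment equals dev, and a deliberately minimal policy evaluator that shows the condition holding on a dev instance, failing on a prod instance, and being defeated once ec2:CreateTags is granted without a condition, because the same principal can rewrite the tag the guard keys on. The instance ids and tags are constructed; the evaluator covers only the handful of IAM features used here and is no substitute for the IAM policy simulator.

```python
import fnmatch

# Constructed inventory: one dev and one prod instance living in the same account.
INSTANCES = {
    "i-0dev": {"Environment": "dev"},
    "i-0prod": {"Environment": "prod"},
}


def dev_operator_policy(allow_unconditioned_create_tags: bool) -> dict:
    """Identity policy for a developer: lifecycle actions only on Environment=dev resources.

    The flag reproduces the dilemma in the question: granting ec2:CreateTags with no
    condition lets the holder relabel any instance, which defeats the tag guard.
    """
    statements = [
        {
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"],
            "Resource": "*",
            "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "dev"}},
        },
        {"Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": "*"},
    ]
    if allow_unconditioned_create_tags:
        statements.append({"Effect": "Allow", "Action": ["ec2:CreateTags"], "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource_tags: dict) -> bool:
    """Toy evaluator for the subset of IAM used above: Allow statements, action wildcards
    and StringEquals on ec2:ResourceTag/<key>. Deny, NotAction, policy variables and
    resource ARN matching are deliberately out of scope."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if all(
            resource_tags.get(key[len("ec2:ResourceTag/"):]) in _as_list(wanted)
            for key, wanted in conditions.items()
            if key.startswith("ec2:ResourceTag/")
        ):
            return True
    return False


def retag_then_start(policy: dict, instance_id: str, inventory: dict) -> bool:
    """The weakness from the question: if CreateTags is granted without a condition, the
    principal can relabel the target as dev, after which StartInstances passes the guard."""
    tags = dict(inventory[instance_id])
    if is_allowed(policy, "ec2:CreateTags", tags):
        tags["Environment"] = "dev"  # guard key rewritten by the same principal
    return is_allowed(policy, "ec2:StartInstances", tags)


if __name__ == "__main__":
    for with_tags in (False, True):
        policy = dev_operator_policy(with_tags)
        print(f"CreateTags granted={with_tags}:",
              {iid: retag_then_start(policy, iid, INSTANCES) for iid in INSTANCES})
```

The output for the prod instance flips from False to True as soon as the unconditioned ec2:CreateTags statement is present, which is the whole argument for the answers below: a tag is data the subject can influence, whereas an account boundary is not.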
Different accounts is the way to go. There are so many places you'll want to create isolation that you'll make yourself crazy trying to do it within one account. Think about it - there's network controls, all the IAM permissions for all the services, access control lists, tags that have the limitations you describe, and on and on. Real isolation comes from putting things in different accounts for now.
The last thing you want is some weakness in your dev environment to pivot into your production environment - end of story. Consider also the productivity benefit of separating prod and dev accounts... you'll never break a prod system from a mistake or experiment in development.
Consolidated billing is the answer to paying for it all. Easy to set up and track. If you need more reporting, look into Cloudability.
Where this gets really interesting is in the space of multiple production and multiple dev environments. There are a lot of opinions on isolation there. Some people combine all prod and dev into two accounts, and some put every prod and dev into their own. It all depends on your risk profile. Just don't end up like Code Spaces.
It is possible to do consolidated billing, where one account is billed for its own usage + the AWS usage for any other linked account. However, you cannot split that bill (e.g. have the master account only pay for EC2 services on a linked account, while having the linked account pay for its other usage like S3, etc.).
As for differentiating between environments, I've used different security groups for each one (dev, staging, production) as an alternative to tags, but there are limitations when it comes to enforcing policies. The best option to have full policy control is to use different accounts.
I would suggest going with one VPC and using Security Groups for isolation. As your AWS infra grows, you will need Directory Services (name servers, user directory, VM directory, lookup services etc.). If you have two VPCs, sharing the Directory Services will not be easy. Also, if you need a code repository (e.g. GitHub) or build tools (e.g. Jenkins), having three separate VPCs for DEV, Staging and Production will make things really complicated.
We host our clients' infrastructure. We are looking at AWS for some services. However, our business model is to provide the hosting included in our fee so to that end we need to be the account holder. We therefore need to have one account which is billed but clear delineation between different separate client infrastructure. Ideally with a separate console etc. Is this possible? Thanks.
You should take a look at consolidated billing, as it sounds like it will meet your needs:
http://docs.aws.amazon.com/awsaccountbilling/latest/about/consolidatedbilling.html
This would enable you to set up unique "linked accounts" per customer, each fully separate and independent of each other (separate console logins, separate security configurations, etc.).