CSAP Multiple Accounts

  • Multi-Account Strategy for Enterprises
  • Identity Account Architecture
  • Creating Cross-Account IAM Roles
  • Document – Cross Account IAM Policy Document

Multi-Account Strategy for Enterprises

https://www.udemy.com/aws-certified-solutions-architect-professional/learn/v4/t/lecture/13249212?start=40

Pros

  • Provides the highest amount of resources
  • Provides maximum security isolation

Alternative Options

  • Break depts. down by region
  • Cons:
    • All departments share the same IAM policies, so a policy mistake could grant someone in the wrong department access.

Cons – Must consider the following

  • Identity Account Architecture
    • Users that require multiple account access
      • Adding the user to each account and tracking that information is difficult to manage.
      • Can be managed with Cross Account IAM and Federations.
  • Logging Account Architecture
    • Account logging should be stored in a centralized location
      • CloudTrail
      • Config
      • VPC Flow Logs
    • Use Splunk to analyze these logs
  • Publishing Account Structure
    • Different teams with access to different accounts will launch different AMIs that have not been security-hardened
    • Need to ensure all teams and accounts use only images that have been approved by the Security Team.
      • Secure AMIs can be shared with all accounts
        • Accomplished using the Service Catalog
      • IAM rules can be set up such that users can only launch these AMIs
  • Billing Structure
    • Combine all bills into a single invoice?
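The "IAM rules can be set up such that users can only launch these AMIs" point above, written out as a policy. This is an added example, not code from the course or from these notes: it builds the RunInstances policy that restricts the image resource with the ec2:Owner condition key (so only AMIs owned by the Security Team's account can be launched) and includes a small evaluator that shows how IAM decides on the image statement. The account IDs are constructed placeholders; the region is an assumption.

```python
"""IAM policy that lets users launch EC2 instances only from AMIs owned by
the Security Team's account, plus a tiny evaluator for the image condition.
Account IDs below are constructed placeholders, not real AWS accounts."""

SECURITY_TEAM_ACCOUNT_ID = "333333333333"   # constructed: owns the approved AMIs
REGION = "us-east-1"                        # assumption for the example


def approved_ami_only_policy(ami_owner_account_id, region="*"):
    """RunInstances must be allowed on every resource it touches; the image
    resource is the one that carries the ec2:Owner condition, so an AMI from
    any other account is implicitly denied."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # the AMI: only images owned by the approved account
                "Effect": "Allow",
                "Action": "ec2:RunInstances",
                "Resource": f"arn:aws:ec2:{region}::image/ami-*",
                "Condition": {"StringEquals": {"ec2:Owner": ami_owner_account_id}},
            },
            {   # the other resources RunInstances creates or references
                "Effect": "Allow",
                "Action": "ec2:RunInstances",
                "Resource": [
                    f"arn:aws:ec2:{region}:*:instance/*",
                    f"arn:aws:ec2:{region}:*:volume/*",
                    f"arn:aws:ec2:{region}:*:network-interface/*",
                    f"arn:aws:ec2:{region}:*:subnet/*",
                    f"arn:aws:ec2:{region}:*:security-group/*",
                    f"arn:aws:ec2:{region}:*:key-pair/*",
                ],
            },
        ],
    }


def image_launch_allowed(policy, image_owner_id):
    """Evaluate only the image statement the way IAM would: an Allow on
    image/ami-* applies when its ec2:Owner condition matches the AMI's owner.
    There is no Deny in this policy; anything not allowed is implicitly denied."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or "image/" not in str(st["Resource"]):
            continue
        owner = st.get("Condition", {}).get("StringEquals", {}).get("ec2:Owner")
        if owner is None or owner == image_owner_id:
            return True
    return False


if __name__ == "__main__":
    import json
    policy = approved_ami_only_policy(SECURITY_TEAM_ACCOUNT_ID, REGION)
    print(json.dumps(policy, indent=2))
    print("approved AMI:", image_launch_allowed(policy, SECURITY_TEAM_ACCOUNT_ID))
    print("random AMI:  ", image_launch_allowed(policy, "444444444444"))
```

Attach the generated document to the launch role or group in every member account; the Service Catalog sharing from the notes makes the approved AMIs visible, and this policy makes them the only ones that will launch.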

Identity Account Architecture

https://www.udemy.com/aws-certified-solutions-architect-professional/learn/v4/t/lecture/13249220?start=0

Single Account Management

  • Create a username and password
  • Access and Secret Keys
  • If a user leaves, remove their access to the account.

Multiple Accounts

  • Users require access to multiple accounts
    • Each account has its own unique set of keys
    • Difficult to manage
      • When a user leaves, they must be deactivated in every account
  • Use an Identity Account
    • Create the username, password and keys in this account
    • Establish a trust relationship between this and the other accounts
    • Log into the Identity Account, then switch to the other required accounts

The Architecture

  • Create the user in Account A (Identity Account)
    • Do not provide permissions in the Identity Account!
  • Create a Cross-Account role in Account B
  • Allow user to switch to Account B role.

Process Flow (Overview)

  • Sign into the Identity Account
  • Use a ‘Sign In Link’ to access the alternate account
    • They will be given access to various roles
  • User will have full access to any services the role they assume has access to.

Creating Cross-Account IAM Roles

https://www.udemy.com/aws-certified-solutions-architect-professional/learn/v4/t/lecture/8546164?start=0

Overview

  • Create a user in Account A (Identity Account)
  • Create a Cross-Account role in Account B (“Production” Account)
  • Allow User to switch to Account B role using a specific link for that role.

Process

It is recommended to access each account from a different browser so that you can be logged into both at the same time.

  • Create the User
    • Log into Identity Account
    • Note the AWS Account Number
    • IAM > Users > Create User ‘Bob’
      • Must have AWS Console access
  • Create the Cross Account Role
    • Log into ‘Production’ Account > IAM > Roles
    • [ Create role ]
      • Trusted entity: ‘Another AWS Account’
        • Enter the account ID
      • Permissions > Select desired permissions > [ Next: Review ]
      • Review
        • Role name: CA-myNewRole (CA = Cross Account)
        • [ Create role ]
    • Back on the Roles page, click the name of the role you just created
      • Summary
        • Locate the role’s ARN and save it.
        • Locate the link to the role and save it.
        • If you click the “Trust relationships” tab, you’ll see the JSON showing:
          • Principal: the trusted account’s number
          • Action: the roles they have access to.
  • Allow User to switch to Account B role using a specific link for that role
    • Return to the Identity Account > IAM > Users > Select User
    • [ Add permissions ]
    • JSON
    • Paste in template for cross account roles
      • Replace “Resource” with the ARN saved previously
      • [ Review policy ]
    • Review Policy
      • Name: Use the same name used to create the role the user will be accessing.
      • [ Save ] (actual button blocked in video)
  • Test
    • Log into the Identity Account with new user’s credentials
    • Once logged in, use the link saved previously for the second account.
      • This MUST be done from the same browser
    • User will see the “Switch Role” login screen > [ Switch role ]
    • Can now switch back and forth between available accounts!
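The Identity Account architecture and the Creating Cross-Account IAM Roles procedure above, expressed as code. This is an added example and is not code from the course or from these notes: it builds the trust policy that appears on the role's "Trust relationships" tab in the Production account, the sts:AssumeRole policy attached to the user in the Identity Account (the template from these notes with Resource filled in), the "Switch Role" link the console shows on the role summary page, and a lint that catches the two mistakes that matter most (a wildcard Principal in the trust policy, a wildcard Resource in the user policy). The account IDs, the user name, the ReadOnlyAccess managed policy and the MFA condition are assumptions; the notes do not prescribe any of them. The boto3 apply step at the end is optional and assumes boto3 is installed and configured.

```python
"""Cross-account role setup as code: the two policy documents the notes
describe, a lint for the common misconfigurations, and the console
'Switch Role' link. Account IDs are constructed placeholders."""
import json
from urllib.parse import urlencode

IDENTITY_ACCOUNT_ID = "111111111111"     # constructed: Account A in the notes
PRODUCTION_ACCOUNT_ID = "222222222222"   # constructed: Account B in the notes
ROLE_NAME = "CA-myNewRole"               # CA = Cross Account, as in the notes
ROLE_ARN = f"arn:aws:iam::{PRODUCTION_ACCOUNT_ID}:role/{ROLE_NAME}"


def trust_policy(identity_account_id, require_mfa=True):
    """Trust policy on the role in the Production account (the JSON on the
    'Trust relationships' tab): Principal is the identity account and the
    only Action is sts:AssumeRole."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{identity_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        # Hardening beyond the notes: only MFA-authenticated sessions may switch.
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_role_policy(role_arn):
    """Inline policy for the user in the Identity Account: the notes'
    template with Resource replaced by the saved role ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}],
    }


def switch_role_link(account_id, role_name, display_name=None):
    """The 'link to the role' shown on the role summary page."""
    params = {"account": account_id, "roleName": role_name}
    if display_name:
        params["displayName"] = display_name
    return "https://signin.aws.amazon.com/switchrole?" + urlencode(params)


def _statements(policy):
    s = policy["Statement"]
    return s if isinstance(s, list) else [s]   # IAM accepts a single object too


def lint_policy_pair(trust, user_policy, identity_account_id, role_arn):
    """Return a list of findings; an empty list means the pair looks right."""
    findings = []
    for st in _statements(trust):
        principal = st.get("Principal", {})
        aws = principal.get("AWS", principal) if isinstance(principal, dict) else principal
        if aws == "*":
            findings.append("trust: Principal '*' lets ANY AWS account assume the role")
        elif identity_account_id not in str(aws):
            findings.append(f"trust: Principal {aws!r} is not the identity account")
        if st.get("Action") not in ("sts:AssumeRole", ["sts:AssumeRole"]):
            findings.append(f"trust: Action should be sts:AssumeRole, got {st.get('Action')!r}")
    for st in _statements(user_policy):
        if st.get("Effect") != "Allow":
            findings.append("user policy: statement is not an Allow")
        if st.get("Action") not in ("sts:AssumeRole", ["sts:AssumeRole"]):
            findings.append(f"user policy: Action should be sts:AssumeRole, got {st.get('Action')!r}")
        res = st.get("Resource")
        if res == "*":
            findings.append("user policy: Resource '*' allows assuming any role the user can reach")
        elif res != role_arn:
            findings.append(f"user policy: Resource must be the exact role ARN {role_arn}, got {res!r}")
    return findings


def apply_with_boto3(identity_session, production_session, user_name):
    """Optional: apply the documents with two boto3.Session objects (assumed
    configured for each account) and run the 'Test' step from the CLI side.
    ReadOnlyAccess stands in for the 'desired permissions' of the notes."""
    iam_prod = production_session.client("iam")
    iam_prod.create_role(RoleName=ROLE_NAME,
                         AssumeRolePolicyDocument=json.dumps(trust_policy(IDENTITY_ACCOUNT_ID)))
    iam_prod.attach_role_policy(RoleName=ROLE_NAME,
                                PolicyArn="arn:aws:iam::aws:policy/ReadOnlyAccess")
    identity_session.client("iam").put_user_policy(
        UserName=user_name, PolicyName=ROLE_NAME,
        PolicyDocument=json.dumps(assume_role_policy(ROLE_ARN)))
    return identity_session.client("sts").assume_role(RoleArn=ROLE_ARN, RoleSessionName=user_name)


if __name__ == "__main__":
    trust, user_pol = trust_policy(IDENTITY_ACCOUNT_ID), assume_role_policy(ROLE_ARN)
    print(json.dumps(trust, indent=2))
    print(json.dumps(user_pol, indent=2))
    print(switch_role_link(PRODUCTION_ACCOUNT_ID, ROLE_NAME, "prod-readonly"))
    print("findings:", lint_policy_pair(trust, user_pol, IDENTITY_ACCOUNT_ID, ROLE_ARN))
```

The lint accepts the notes' own template shape (Statement as a single object) as well as the list form. The user in the Identity Account holds nothing but this sts:AssumeRole policy, which is what the "Do not provide permissions in the Identity Account!" line means in practice; every effective permission comes from the role in the Production account.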

Document – Cross Account IAM Policy Document

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::PRODUCTION-ACCOUNT-ID:role/UpdateApp"
  }
}
