{"id":1636,"date":"2019-01-24T10:29:08","date_gmt":"2019-01-24T10:29:08","guid":{"rendered":"http:\/\/wiki.thomasandsofia.com\/?p=1636"},"modified":"2019-01-24T23:58:01","modified_gmt":"2019-01-24T23:58:01","slug":"csap2-multiple-accounts","status":"publish","type":"post","link":"https:\/\/wiki.thomasandsofia.com\/?p=1636","title":{"rendered":"CSAP Multiple Accounts"},"content":{"rendered":"<p><a href=\"http:\/\/wiki.thomasandsofia.com\/2018\/08\/20\/aws-certified-solutions-architect-professional-overview\/\" target=\"_blank\" rel=\"noopener\">Main Menu<\/a><\/p>\n<h1>Menu<\/h1>\n<ul>\n<li>Multi-Account Strategy for Enterprises<\/li>\n<li>Identity Account Architecture<\/li>\n<li>Creating Cross-Account IAM Roles<\/li>\n<li>Document &#8211; Cross Account IAM Policy Document<\/li>\n<\/ul>\n<h1>Multi-Account Strategy for Enterprises<\/h1>\n<p><a href=\"https:\/\/www.udemy.com\/aws-certified-solutions-architect-professional\/learn\/v4\/t\/lecture\/13249212?start=40\" target=\"_blank\" rel=\"noopener\">https:\/\/www.udemy.com\/aws-certified-solutions-architect-professional\/learn\/v4\/t\/lecture\/13249212?start=40<\/a><\/p>\n<p>Pros (one AWS account per department or environment)<\/p>\n<ul>\n<li>Provides the most resources: service limits apply per account, so every account gets its own quotas<\/li>\n<li>Provides maximum security isolation: IAM policies, resources, and the blast radius of a compromise or misconfiguration stay contained within one account<\/li>\n<\/ul>\n<p>Alternative Option<\/p>\n<ul>\n<li>Break depts. 
down by region within a single account<\/li>\n<li>Cons:\n<ul>\n<li>All departments share one account and the same IAM policies.\u00a0 A policy mistake could grant someone in the wrong department access to another department&#8217;s resources.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Cons &#8211; Overheads a multi-account design must address<\/p>\n<ul>\n<li>Identity Account Architecture\n<ul>\n<li>Users that require access to multiple accounts\n<ul>\n<li>Creating a separate IAM user in every account is difficult to manage and to track.<\/li>\n<li>Manage it instead with cross-account IAM roles and federation.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Logging Account Architecture\n<ul>\n<li>Logs from every account should be delivered to one centralized location (a dedicated logging account whose buckets the workload accounts can write to but not modify)\n<ul>\n<li>CloudTrail<\/li>\n<li>Config<\/li>\n<li>VPC Flow Logs<\/li>\n<\/ul>\n<\/li>\n<li>Use a SIEM such as Splunk to analyze these logs<\/li>\n<\/ul>\n<\/li>\n<li>Publishing Account Structure\n<ul>\n<li>Left to themselves, different teams in different accounts will launch different, non-hardened AMIs<\/li>\n<li>Need to ensure all teams and accounts use only images that have been approved by the Security Team.\n<ul>\n<li>Secure AMIs can be shared with all accounts\n<ul>\n<li>Accomplished using the Service Catalog<\/li>\n<\/ul>\n<\/li>\n<li>IAM policies can be set up so that users can launch only these AMIs<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Billing Structure\n<ul>\n<li>Consolidated billing combines all accounts&#8217; charges into a single invoice on the payer account.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h1>Identity Account Architecture<\/h1>\n<p><a href=\"https:\/\/www.udemy.com\/aws-certified-solutions-architect-professional\/learn\/v4\/t\/lecture\/13249220?start=0\" target=\"_blank\" rel=\"noopener\">https:\/\/www.udemy.com\/aws-certified-solutions-architect-professional\/learn\/v4\/t\/lecture\/13249220?start=0<\/a><\/p>\n<p>Single Account Management<\/p>\n<ul>\n<li>Create a username and password<\/li>\n<li>Create an access key ID and secret access key<\/li>\n<li>If a user leaves, remove their access to the account.<\/li>\n<\/ul>\n<p>Multiple Accounts<\/p>\n<ul>\n<li>Users require access to multiple accounts\n<ul>\n<li>Each account has a unique set of 
keys<\/li>\n<li>Difficult to manage\n<ul>\n<li>When a user leaves, they must be deactivated in every account<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Use an Identity Account\n<ul>\n<li>Create the username, password and keys in this account only<\/li>\n<li>Establish a trust relationship between this account and each of the other accounts<\/li>\n<li>Users log into the Identity Account, then switch roles into the other accounts they need<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>The Architecture<\/p>\n<ul>\n<li>Create the user in Account A (Identity Account)\n<ul>\n<li>Do not grant service permissions in the Identity Account! The user needs only sts:AssumeRole on the target roles, so a stolen credential gains nothing until a role is assumed.<\/li>\n<\/ul>\n<\/li>\n<li>Create a Cross-Account role in Account B<\/li>\n<li>Allow the user to switch to the Account B role.<\/li>\n<\/ul>\n<p>Process Flow (Overview)<\/p>\n<ul>\n<li>Sign into the Identity Account<\/li>\n<li>Use the role&#8217;s &#8216;Switch Role&#8217; link to access the alternate account\n<ul>\n<li>The user can switch only into roles their own policy allows them to assume<\/li>\n<\/ul>\n<\/li>\n<li>Once switched, the user holds exactly the permissions of the assumed role: full access to whatever that role allows, and nothing else.<\/li>\n<\/ul>\n<h1>Creating Cross-Account IAM Roles<\/h1>\n<p><a href=\"https:\/\/www.udemy.com\/aws-certified-solutions-architect-professional\/learn\/v4\/t\/lecture\/8546164?start=0\" target=\"_blank\" rel=\"noopener\">https:\/\/www.udemy.com\/aws-certified-solutions-architect-professional\/learn\/v4\/t\/lecture\/8546164?start=0<\/a><\/p>\n<h2>Overview<\/h2>\n<ul>\n<li>Create a user in Account A (Identity Account)<\/li>\n<li>Create a Cross-Account role in Account B (&#8220;Production&#8221; Account)<\/li>\n<li>Allow the user to switch to the Account B role using the specific link for that role.<\/li>\n<\/ul>\n<h2>Process<\/h2>\n<p>Use two different browsers (or browser profiles) so that you can stay logged into both accounts at the same time.<\/p>\n<ul>\n<li>Create the User\n<ul>\n<li>Log into the Identity Account<\/li>\n<li>Note the 12-digit AWS Account ID; the Production Account&#8217;s trust policy will reference it<\/li>\n<li>IAM &gt; Users &gt; Create User &#8216;Bob&#8217;\n<ul>\n<li>Must have AWS Console 
access<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Create the Cross Account Role\n<ul>\n<li>Log into the &#8216;Production&#8217; Account &gt; IAM &gt; Roles<\/li>\n<li>[ Create role ]\n<ul>\n<li>Trusted entity: &#8216;Another AWS Account&#8217;\n<ul>\n<li>Enter the Identity Account&#8217;s account ID noted earlier<\/li>\n<li>Tick &#8216;Require MFA&#8217; if the Identity Account enforces MFA, so the role cannot be assumed with a bare access key<\/li>\n<\/ul>\n<\/li>\n<li>Permissions &gt; Select only the permissions the cross-account user actually needs in Production &gt; [ Next: Review ]<\/li>\n<li>Review\n<ul>\n<li>Role name: CA-myNewRole (CA = Cross Account)<\/li>\n<li>[ Create role ]<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Back on the Roles page, click the name of the role you just created\n<ul>\n<li>Summary\n<ul>\n<li>Locate the role&#8217;s ARN and save it.<\/li>\n<li>Locate the link to the role and save it.<\/li>\n<li>If you click the &#8220;Trust relationships&#8221; tab, you&#8217;ll see the JSON showing:\n<ul>\n<li>Principal: the trusted account&#8217;s root ARN (arn:aws:iam::ACCOUNT-ID:root). This trusts the whole Identity Account; which of its users may actually assume the role is decided by the user policies in that account.<\/li>\n<li>Action: sts:AssumeRole (the trusted principals are allowed to assume this role).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Allow the user to switch to the Account B role using the specific link for that role\n<ul>\n<li>Return to the Identity Account &gt; IAM &gt; Users &gt; Select User<\/li>\n<li>[ Add permissions ]<\/li>\n<li>JSON<\/li>\n<li>Paste in the cross-account role policy template (the policy document at the end of this page)\n<ul>\n<li>Replace &#8220;Resource&#8221; with the role ARN saved previously<\/li>\n<li>[ Review policy ]<\/li>\n<\/ul>\n<\/li>\n<li>Review Policy\n<ul>\n<li>Name: Use the same name used to create the role the user will be accessing.<\/li>\n<li>[ Save ] (actual button blocked in video)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Test\n<ul>\n<li>Log into the Identity Account with the new user&#8217;s credentials<\/li>\n<li>Once logged in, use the link saved previously for the second account.\n<ul>\n<li>This MUST be done from the browser session that is signed into the Identity Account, since the link switches roles within the current session<\/li>\n<\/ul>\n<\/li>\n<li>The user will see the &#8220;Switch Role&#8221; screen &gt; [ Switch role ]<\/li>\n<li>Can now switch back and forth between available 
accounts!<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h1>Document &#8211; Cross Account IAM Policy Document<\/h1>\n<p>Permission policy attached to the user in the Identity Account. Replace PRODUCTION-ACCOUNT-ID and the role name (UpdateApp in this template, CA-myNewRole in the walkthrough above) with the role ARN saved from the role summary. Together with the role&#8217;s trust policy in the Production Account this is the complete authorization: the trust policy says who may assume the role, this policy says which roles the user may assume, and both must allow sts:AssumeRole.<\/p>\n<pre>{\r\n  \"Version\": \"2012-10-17\",\r\n  \"Statement\": {\r\n    \"Effect\": \"Allow\",\r\n    \"Action\": \"sts:AssumeRole\",\r\n    \"Resource\": \"arn:aws:iam::PRODUCTION-ACCOUNT-ID:role\/UpdateApp\"\r\n  }\r\n}\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Main Menu Menu Multi-Account Strategy for Enterprises Identity Account Architecture Creating Cross-Account IAM Roles Document &#8211; Cross Account IAM Policy Document Multi-Account Strategy for Enterprises https:\/\/www.udemy.com\/aws-certified-solutions-architect-professional\/learn\/v4\/t\/lecture\/13249212?start=40 Pros Provides the highest amount of resources Provides maximum security isolation Alternative Options Break depts. down by region Cons: All share same IAM policies.\u00a0 Mistakes could grant someone in ..<\/p>\n<div class=\"clear-fix\"><\/div>\n<p><a href=\"https:\/\/wiki.thomasandsofia.com\/?p=1636\" title=\"read more...\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[38],"tags":[],"class_list":["post-1636","post","type-post","status-publish","format-standard","hentry","category-certified-solutions-architect-professional"],"_links":{"self":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/1636","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1636"}],"version-history":[{"count":7,"href":"https:\/\/wiki.thomasandsofia.com\/
index.php?rest_route=\/wp\/v2\/posts\/1636\/revisions"}],"predecessor-version":[{"id":1644,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/1636\/revisions\/1644"}],"wp:attachment":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1636"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1636"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1636"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
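The cross-account role walkthrough above (user in the Identity Account, role with a trust policy in the Production Account, sts:AssumeRole permission on the user, switch-role link), as an added example that is not code from the original post: a Python script that builds both policy documents, builds the console switch-role link, and runs a simplified Allow-only model of IAM's cross-account evaluation over them. The account IDs 111111111111 and 222222222222, the user Bob and the role CA-myNewRole are hypothetical placeholders; the evaluator is a teaching model and ignores explicit Deny, SCPs and permission boundaries.

```python
"""Cross-account role access modelled offline (added example, not from the original post).

Account IDs, the user name and the role name are hypothetical placeholders.
"""
import json
from urllib.parse import urlencode

# Hypothetical account IDs and names, constructed for this example.
IDENTITY_ACCOUNT = "111111111111"    # Account A: users live here, no service permissions
PRODUCTION_ACCOUNT = "222222222222"  # Account B: the cross-account role lives here
ROLE_NAME = "CA-myNewRole"
ROLE_ARN = f"arn:aws:iam::{PRODUCTION_ACCOUNT}:role/{ROLE_NAME}"
BOB_ARN = f"arn:aws:iam::{IDENTITY_ACCOUNT}:user/Bob"


def trust_policy(trusted_account: str, require_mfa: bool = True) -> dict:
    """Trust policy attached to the role in Account B (the 'Trust relationships' tab).

    The console's 'Another AWS account' option emits the account-root principal:
    it trusts every identity in that account whose own policy allows sts:AssumeRole.
    The MFA condition is what the console's 'Require MFA' box adds.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_role_policy(role_arn: str) -> dict:
    """Permission policy attached to the user in Account A; the only permission needed there."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}],
    }


def switch_role_link(account_id: str, role_name: str, display_name: str = "") -> str:
    """The 'link to the role' shown on the role's summary page in the console."""
    params = {"account": account_id, "roleName": role_name,
              "displayName": display_name or role_name}
    return "https://signin.aws.amazon.com/switchrole?" + urlencode(params)


def _statements(policy: dict) -> list:
    s = policy["Statement"]  # IAM accepts a single statement object or a list
    return s if isinstance(s, list) else [s]


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def can_assume(caller_arn: str, caller_policies: list, role_arn: str,
               role_trust: dict, mfa_present: bool) -> bool:
    """Simplified cross-account AssumeRole evaluation: both halves must allow.

    Allow path only; explicit Deny, SCPs and permission boundaries are out of scope.
    """
    caller_account = caller_arn.split(":")[4]
    # Half 1: the role's trust policy must name the caller or the caller's account root.
    trusted = False
    for st in _statements(role_trust):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        principal = st.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        if caller_arn not in principals and f"arn:aws:iam::{caller_account}:root" not in principals:
            continue
        mfa_required = st.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true"
        if mfa_required and not mfa_present:
            continue  # trusted account, but this session carries no MFA
        trusted = True
        break
    if not trusted:
        return False
    # Half 2: an identity-based policy on the caller must allow sts:AssumeRole on this role.
    for policy in caller_policies:
        for st in _statements(policy):
            if (st.get("Effect") == "Allow"
                    and "sts:AssumeRole" in _as_list(st.get("Action"))
                    and role_arn in _as_list(st.get("Resource"))):
                return True
    return False


if __name__ == "__main__":
    trust = trust_policy(IDENTITY_ACCOUNT)
    print(json.dumps(trust, indent=2))
    print(json.dumps(assume_role_policy(ROLE_ARN), indent=2))
    print(switch_role_link(PRODUCTION_ACCOUNT, ROLE_NAME))
    cases = [("both policies, MFA", [assume_role_policy(ROLE_ARN)], True),
             ("both policies, no MFA", [assume_role_policy(ROLE_ARN)], False),
             ("trust policy only", [], True)]
    for label, policies, mfa in cases:
        print(f"{label}: {can_assume(BOB_ARN, policies, ROLE_ARN, trust, mfa)}")
```

The three evaluations at the bottom show the property worth remembering from the walkthrough: the trust policy alone (which trusts the whole Identity Account) grants nothing, the user's sts:AssumeRole policy alone grants nothing, and an MFA condition on the trust policy turns a leaked access key without MFA into a denied request.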