AWS Orgnizations provides you with an efficient way to better manage and organize your AWS accounts. You can create sub-accounts under your root account and invite existing AWS accounts to join your organization. Joining an organization account enables Consolidated Billing and better Access Management through Switch Role functionality.
Here’s what you can do with AWS Organizations:
For this, you have to:
Though not compulsory, it’s recommended to create users only under the Root Account. By granting AssumeRole permissions to the users, you can allow them to assume certain roles in the child accounts.
#/.aws/config:
[profile developer.development]
role_arn = arn:aws:iam::[Child-Account-ID]:role/[roleName]
source_profile = [account-profile]
In this example we would like to create accounts with the following structure and grant users the correct permissions to each account.
AWS Accounts:
While creating child accounts, AWS will by default create role named as OrganizationAccountAccessRole. This role created in the Child Account, will allow trusted entity being Root Account an AdministratorAccess to the Child Account. Meanwhile from the Root Account we can restrict who of our users is allowed to AssumeRole in the Child Account.
Trusted Entities of OrganizationAccountAccessRole:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[AWS-Root-Account-ID]:root"
},
"Action": "sts:AssumeRole"
}
]
}
Following the same Analogy, we can create several roles in the Child Account with different permissions to the Resources in the child account. Then we can control which users from the Root Accountcan AssumeRole for which Role in the Child Account, defining User’s Cross-Account Resource permissions.
Groups:
Allow Developers to assume “Developer” role in any of the Children Accounts. Add the following policy to the “Developers” group:
Developer Group Policy
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::*:role/Developer"
}
}
[profile developer.it-test-aws] role_arn = arn:aws:iam::257040594755:role/Developer source_profile = sac
Do the same for DevOps, Testers or any other groups.
DevOps Group Policy
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::*:role/DevOps"
}
}
Tester Group Policy
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::*:role/Tester"
}
}
Marketing Group Policy
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::*:role/Marketing"
}
}
At this stage, user of the Root Account can assume a role in the Child Account, using the “AssumeRole” permission granted in the policy above.
Now it’s time to create these roles and grant permissions by assigning Policies to them. Each Child account in the current example will have the following roles:
Each of these roles will have the following Trusted Entities, based on what Root Account users can AssumeRole from the Child Account:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[AWS-Root-Account-ID]:root"
},
"Action": "sts:AssumeRole",
}
]
}
In order to access Child Account using the CLI, we need to configure a new profile for the AWS CLI where we would specify the assumed role and the source account credentials from the root account.
# ~/.aws/config
[profile root-account-profile]
region = eu-west-1
output = json
[profile developer.child-account-1]
role_arn = arn:aws:iam::[Child-Account-Id]:role/Developer
source_profile = root-account-profile
# ~/.aws/credentials
[root-account-profile]
aws_access_key_id = [ROOT-Account-Key-Id]
aws_secret_access_key = [ROOT-Account-Secret-Key]
Publish Date: 2019-11-24