A Framework for Configuring Cross-Account Access in AWS

Camin McCluskey
Published in The Startup
6 min read · Nov 20, 2020


Most of your AWS infrastructure probably lives under a single account. There are situations, though, where you need to grant a user or a resource in a different account access to one or more of your resources: an external client or vendor needs direct access to your infrastructure, or your company has infrastructure deployed across several accounts. AWS in fact recommends using multiple accounts as a best practice for scaling a cloud environment, because separate accounts provide billing and security isolation and give you flexibility in how you organise workloads.

Still, granting access across accounts can be tricky. It certainly took me a while to grok the pattern I needed to follow to consistently set up a trust relationship between AWS accounts.

In this article I’m going to explain a simple recipe you can follow to make sure you set up the correct permissions for cross-account access to your AWS resources. The bulk of the example will be in CloudFormation, but the principle applies whether you use the AWS console directly or Infrastructure as Code with CloudFormation or Terraform.
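To make the two halves of a cross-account trust concrete before the recipe, here is an added CloudFormation example (written for this edit, not the article's own template). It shows the standard IAM pattern: a role in the account that owns the resource, whose trust policy names one role in the other account and whose permission policy is scoped to a single bucket, plus a policy in the calling account that lets that role call sts:AssumeRole on the target. The two templates are shown in one block but are deployed as two separate stacks, one per account. The account IDs 111122223333 and 444455556666, the role names VendorCallerRole and CrossAccountReadRole, and the bucket parameter are all placeholders assumed for the example.

```yaml
# --- Stack 1: deploy in the account that OWNS the resource (assumed ID 444455556666) ---
AWSTemplateFormatVersion: "2010-09-09"
Description: Role that one principal in another account may assume to read one bucket.
Parameters:
  TrustedAccountId:
    Type: String
    Default: "111122223333"      # assumed: the account that will call AssumeRole
  CallerRoleName:
    Type: String
    Default: VendorCallerRole    # assumed: the role in the trusted account
  SharedBucketName:
    Type: String                 # assumed: an existing bucket in this account
  ExternalId:
    Type: String
    NoEcho: true                 # secret agreed with the caller out of band
Resources:
  CrossAccountReadRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: CrossAccountReadRole
      # Trust policy: WHO may assume this role. Pinning to one role ARN (rather
      # than the account root) keeps every other principal in that account out.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${TrustedAccountId}:role/${CallerRoleName}"
            Action: sts:AssumeRole
            # ExternalId guards against the confused-deputy problem when the
            # caller is a vendor that acts on behalf of several customers.
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId
      # Permission policy: WHAT the role may do once assumed. Keep it narrow.
      Policies:
        - PolicyName: ReadSharedBucket
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - s3:ListBucket
                Resource: !Sub "arn:aws:s3:::${SharedBucketName}"
              - Effect: Allow
                Action:
                  - s3:GetObject
                Resource: !Sub "arn:aws:s3:::${SharedBucketName}/*"
Outputs:
  RoleArn:
    Value: !GetAtt CrossAccountReadRole.Arn

---
# --- Stack 2: deploy in the CALLING account (assumed ID 111122223333) ---
AWSTemplateFormatVersion: "2010-09-09"
Description: Lets VendorCallerRole assume the read role in the resource-owning account.
Parameters:
  ResourceAccountId:
    Type: String
    Default: "444455556666"      # assumed: the account that owns the bucket
  CallerRoleName:
    Type: String
    Default: VendorCallerRole    # assumed: an existing role in this account
Resources:
  AllowAssumeCrossAccountRole:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Roles:
        - !Ref CallerRoleName
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            # Scope to the one target role; a Resource of "*" here would let the
            # caller assume any role in any account that happens to trust it.
            Resource: !Sub "arn:aws:iam::${ResourceAccountId}:role/CrossAccountReadRole"
```

Once both stacks are deployed, a session running as VendorCallerRole obtains temporary credentials with `aws sts assume-role --role-arn arn:aws:iam::444455556666:role/CrossAccountReadRole --role-session-name vendor-read --external-id <the agreed value>`; a missing or wrong external ID, or a caller-side policy that omits the sts:AssumeRole grant, fails with AccessDenied. Two checks worth building into the process: the permission policy in Stack 1 is the only thing standing between the caller and the rest of the account, so scope it to named resources rather than `*`, and if VendorCallerRole is ever deleted and recreated, IAM keeps the old role's unique ID in the trust policy (the ARN in the policy is shown as an opaque ID), so the trust in Stack 1 has to be re-saved before assumption works again.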

Some Terminology

If you’re an AWS pro, you may want to skip this section. Otherwise, here’s a refresher on some key terms we’ll be…


Co-Founder & CTO - stackfix.com. Formerly Software Engineer @Skyscanner and @LSEManagement Alum.