AWS Organization and Cross-Account access

Girish V P
Published in Tensult Blogs, May 25, 2018 (5 min read)


AWS Organizations is the administrative boundary that AWS offers across accounts. The account in which an AWS Organization is created is called the master account. Other accounts are invited from the master account and, once added to the organization, are called linked accounts. An organization therefore has one master account and several linked accounts, and a linked account cannot be part of more than one organization. An organization can be further divided into Organizational Units (OUs), which act as containers for multiple AWS accounts, for example Production or Development. A set of policies called Service Control Policies (SCPs) can be attached to an OU to control access to services across the accounts in it. Organizations help you have

· Consolidated billing for accounts

· Common IAM user database

· Policy-based control on Services

About setup

The IAM user Peter should be given read-only access to all EC2 resources in the linked account, and no other access to services there. He logs in to the master account and switches to the cross-account role to access the resources in the linked account.

Configuration steps

Before we actually configure the setup, let’s get familiar with some of the important terms.

Trusted account: A trusted account is the account where the IAM users are present. It is normally the master AWS account, and its administrator grants users only very limited access in it. Though it is just like any other AWS account, it is used for consolidated billing, centralized logging, etc. In this document, I use the terms master account and trusted account interchangeably.

Trusting account: A trusting account is the account where the resources that users need to access are configured. These are normally the linked accounts. Users normally log in to their master account and switch roles into the linked account. In this document, I use the terms linked account, resource account and trusting account interchangeably.

Cross-account roles: A role with an attached policy is created in the linked account; this is called a cross-account role. The ARN of this role is referenced from the master account in a policy that is attached to a user or a group. A user who belongs to the required group in the master account logs in there and switches to the cross-account role of the linked account to access the resources in it.

The names of users, groups, roles and policies are arbitrary, and you can use your own naming conventions. The configuration involves the following steps:

· Create an AWS organization

· Create a role in the trusting account

· Create the assume-role policy in the trusted account

· Test the environment.

Creating Organization

Creating an organization is a simple process. First, log in to the master account as an administrator and click “My Organization” under your account name in the AWS console. In the “AWS Organizations” window click “Invitations”, then click “Invite Account” and fill in the account ID of the linked account.

An email is sent to the linked account holder. Once the linked account’s administrator confirms, the account is attached to the organization. This configuration is sufficient for centralized billing, though it may not be reflected immediately in the master account’s billing console.

Create a role in the trusting account

Log in to the AWS console of the trusting account (linked account) and open the Identity and Access Management (IAM) service.

In the IAM console select Roles in the left pane and click “Create Role”.

Select “Another AWS Account”. Enter the account number of the master account in the Account ID field.

Click “Next: Permissions”.

On the Attach permissions policies page, select “AmazonEC2ReadOnlyAccess”. Click “Next: Review”.

Assign the role name “LinkedAccountRoleForEC2” and a role description, and click “Create Role”.

Once the role LinkedAccountRoleForEC2 is created, open it from the list of roles to see its details. Note the role ARN; it is used when you configure the trusted account.

Create the assume-role policy in the trusted account

We make use of STS (Security Token Service), which creates and provides trusted users with temporary security credentials that control access to your AWS resources.

It is assumed that the user Peter exists and is a member of the group ForCrossAccountGroup-1. Basic user and group creation steps are not included in this document.

Log in to the AWS console as an administrator of the trusted account (master account) and open the Identity and Access Management (IAM) service.

In the left pane select “Policies” and click “Create Policy”. Select the options below:

Service: STS

Actions: AssumeRole

Resource: Specific

Click “Add ARN” against role, which opens the following window.

Enter the ARN you noted in the trusting account against “Specify ARN for role”. Click Add.

On the Review Policy page, click “Create Policy”. I have used the name MasterAccountPolicyForEC2 for the policy.

Search for the policy MasterAccountPolicyForEC2 in the list of custom policies, select “Attached Entities” and click “Attach”. Select the group “ForCrossAccountGroup-1” and click “Attach Policy”.
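The two console steps above produce two policy documents that must agree with each other: the trust policy on LinkedAccountRoleForEC2 names the master account as principal, and MasterAccountPolicyForEC2 names that role's ARN as the only resource for sts:AssumeRole. The following is an added example (not code from the post) that builds both documents with stdlib Python and checks the pair for the mistakes that make Switch Role fail or grant too much; the account IDs are constructed placeholders and the optional MFA condition is a hardening step the post itself does not configure.

```python
import json

# Constructed placeholder account IDs; the role name is the one used in the post.
MASTER_ACCOUNT_ID = "111111111111"   # trusted account (placeholder)
LINKED_ACCOUNT_ID = "222222222222"   # trusting account (placeholder)
ROLE_NAME = "LinkedAccountRoleForEC2"


def role_arn(account_id, role_name):
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def trust_policy(master_account_id, require_mfa=False):
    """Trust policy of the role in the linked (trusting) account, i.e. what the
    console writes for 'Another AWS Account'. The MFA condition is optional
    hardening not configured in the post."""
    stmt = {"Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{master_account_id}:root"},
            "Action": "sts:AssumeRole"}
    if require_mfa:
        stmt["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def assume_role_policy(target_role_arn):
    """Identity policy in the master (trusted) account (MasterAccountPolicyForEC2):
    allows sts:AssumeRole on exactly one role ARN."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": target_role_arn}]}


def _assume_role_statements(doc):
    """Yield Allow statements whose Action covers sts:AssumeRole."""
    for s in doc["Statement"]:
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if s.get("Effect") == "Allow" and "sts:AssumeRole" in actions:
            yield s


def check_link(trust_doc, identity_doc, master_account_id, linked_account_id, role_name):
    """Return the problems that break or over-widen the cross-account link; an
    empty list means both sides name each other and nothing else."""
    problems = []
    expected = role_arn(linked_account_id, role_name)
    principals = [s.get("Principal", {}).get("AWS") for s in _assume_role_statements(trust_doc)]
    if f"arn:aws:iam::{master_account_id}:root" not in principals:
        problems.append("trust policy does not trust the master account")
    resources = [s.get("Resource") for s in _assume_role_statements(identity_doc)]
    if expected not in resources:
        problems.append("identity policy does not allow assuming " + expected)
    if "*" in resources:
        problems.append("identity policy allows assuming any role (Resource '*')")
    return problems


if __name__ == "__main__":
    print(json.dumps(trust_policy(MASTER_ACCOUNT_ID, require_mfa=True), indent=2))
```

Running the file prints the trust policy so it can be compared with what the console generated for the role.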

Testing the environment

Log in as Peter to the master account.

Expand his account from the menu and click “Switch Role”.

Now he has to enter the linked account (trusting account) number and the name of the cross-account role that you created.

The next window shows that he has logged into the trusting account. Verify which services he has access to in this account: he has only read access to EC2.

Conclusion:

We configured an AWS Organization for consolidated billing and set up a cross-account role so that the IAM user created in the master account can access the required resources in the linked account.
