2. AGENDA
AWS IAM - Recap
AWS Cross Account Access
AWS Organizations
Service Control Policies
Demo – 1
Cross Account Role Switching
Demo – 2 – Role Switching
AWS Resource Access Manager (RAM)
3. AWS IAM CREDENTIALS
AWS IAM offers three types of credentials
1. User name and Password (Long Term Access, Used in AWS Console)
2. Access Keys (Long Term Access, Used by CLI / APIs)
3. Security Token Service (STS) – (Short Term Access, Used by IAM Roles)
4. AWS IAM POLICIES
AWS IAM offers two types of IAM Policies
1. Identity / User based Policies (IAM Policies)
2. Resource based Policies
In Identity / User based policies, there are two types
1. AWS Managed User Policies (For base level permissions)
2. In-line User Policies (For customized permissions)
5. AWS IAM IDENTITIES
In AWS, there are three IAM identities
1. IAM Users
2. IAM Groups
3. IAM Roles
Each of these identities can be associated with one or more policies to determine what
actions a user, group or role can do with AWS resources.
6. AWS IAM USERS AND GROUPS
In each AWS account, there is a ROOT user
The ROOT account is the super administrator with Full Access to the account
Under the ROOT account, you can create many user accounts.
It is recommended to create a separate Admin account with an Admin Role to manage your
account rather than using the ROOT account, since using ROOT for this is an anti-pattern.
Groups can contain many IAM users and users can be in many IAM groups
Both managed and in-line user policies can be added to IAM groups
7. AWS IAM ROLES
Every IAM Role has two properties
1. Trust Policy
2. Permission Policy
Trust Policy: This defines which identity can assume the Role.
Permission Policy: This gives the permission to access AWS resources.
10. AWS ORGANIZATIONS
AWS Organizations helps you centrally govern your environment as you grow and scale your
workloads on AWS.
Whether you are a growing startup or a large enterprise, Organizations helps you to centrally
manage billing, control access, compliance, and security; and share resources across your
AWS accounts.
It helps you to manage multiple AWS accounts within a single business.
Rather than managing many accounts, each with its own isolated set of logins and an individual
bill, this allows you to have a more consolidated setup with better governance.
12. AWS ORGANIZATIONS
Master Account:
When you create an AWS Organization under the ROOT account, you basically create the
Master Account. The Master Account cannot be restricted. Consolidated billing and centralized
logging happen here.
Member Account:
These are the AWS accounts created under the ROOT account that belong to the Organization
but are not the Master Account.
Organizational Unit (OU):
These are groups which you can create and assign AWS accounts to. They are useful when you
want to apply certain Service Control Policies (SCPs) to all the accounts attached under the OU.
Service Control Policies (SCP):
Defines the maximum permissions for account users and roles.
13. SERVICE CONTROL POLICIES
Service Control Policies (SCPs) are a type of organization policy that you can use to manage
permissions in your organization
SCPs offer central control over the maximum available permissions for all accounts in your
organization
Once a Member Account is created, a default Role called OrganizationAccountAccessRole is
created in it.
By default this role has “FullAdminAccess” and a trust relationship to the Master Account
(see the Permissions and Trust relationships tabs of the above role).
If you want to change the “FullAdminAccess” policy for a Member Account, select that Member
Account and change the service policy at the Member Account level.
However, it is not possible to change the “FullAdminAccess” policy for the Master Account.
This is only possible for Member Accounts and their Organizational Units.
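The ceiling behaviour described on this slide is easier to see in code. The following is an added, simplified model written for this page (it is not AWS's evaluation engine and not code from the deck): an action is effectively allowed in a member account only if the caller's identity policy allows it and no SCP on the path to the account denies it, an SCP never grants anything on its own, and the Master Account is exempt. The account ids, the Sandbox OU's deny SCP and the identity policies are constructed samples.

```python
"""Constructed model of how SCPs bound permissions in an AWS Organization.

Illustrative only: real IAM evaluation also considers resource policies,
permission boundaries, session policies and per-level SCP evaluation.
"""
import fnmatch

MASTER_ACCOUNT = "111111111111"   # constructed sample account ids
SANDBOX_ACCOUNT = "222222222222"

# Constructed sample policies (not from the original deck).
FULL_ACCESS_SCP = {  # AWS attaches an allow-everything SCP at every level by default
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
DENY_IAM_USER_CREATION_SCP = {  # hypothetical restriction attached to a Sandbox OU
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny",
                   "Action": ["iam:CreateUser", "iam:CreateAccessKey"],
                   "Resource": "*"}],
}
ADMIN_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
READONLY_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:Get*", "s3:List*", "ec2:Describe*"],
                   "Resource": "*"}],
}

# SCPs that reach each account: a member account inherits the SCPs of the
# organization root and of every OU above it, plus any attached directly.
ORG_SCPS = {
    MASTER_ACCOUNT: [FULL_ACCESS_SCP],                                 # never enforced here
    SANDBOX_ACCOUNT: [FULL_ACCESS_SCP, DENY_IAM_USER_CREATION_SCP],    # inherited from Sandbox OU
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _verdict(policy, action):
    """Return 'deny' if any statement explicitly denies the action,
    'allow' if one allows it, otherwise None (implicit deny)."""
    verdict = None
    for stmt in policy["Statement"]:
        patterns = [p.lower() for p in _as_list(stmt["Action"])]
        if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            if stmt["Effect"] == "Deny":
                return "deny"          # an explicit deny always wins
            verdict = "allow"
    return verdict


def scp_ceiling_allows(scps, action):
    """The SCP ceiling passes only if no SCP denies the action and at least one allows it."""
    verdicts = [_verdict(scp, action) for scp in scps]
    return "deny" not in verdicts and "allow" in verdicts


def is_allowed(account_id, identity_policy, action):
    """Effective permission = identity policy AND SCP ceiling; the master account is exempt."""
    identity_ok = _verdict(identity_policy, action) == "allow"
    if account_id == MASTER_ACCOUNT:
        return identity_ok             # SCPs are not enforced on the Master Account
    scps = ORG_SCPS.get(account_id, [FULL_ACCESS_SCP])
    return identity_ok and scp_ceiling_allows(scps, action)


if __name__ == "__main__":
    for account, policy, action in [
        (SANDBOX_ACCOUNT, ADMIN_IDENTITY_POLICY, "iam:CreateUser"),      # admin, but SCP denies
        (SANDBOX_ACCOUNT, ADMIN_IDENTITY_POLICY, "ec2:RunInstances"),    # admin, SCP allows
        (MASTER_ACCOUNT, ADMIN_IDENTITY_POLICY, "iam:CreateUser"),       # master is exempt
        (SANDBOX_ACCOUNT, READONLY_IDENTITY_POLICY, "ec2:RunInstances"), # SCP cannot grant
    ]:
        print(f"{account} {action:20s} -> {is_allowed(account, policy, action)}")
```

The useful things to notice: the Sandbox administrator is blocked from iam:CreateUser even though their own policy is "*", the same call in the Master Account goes through, and a read-only user gains nothing from the permissive SCP because the SCP only caps what the identity policy already grants.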
14. DEMO - 1
Create an AWS Organization (If your account does not have one already). This will create a
Master AWS Account for you.
Create a Member AWS Account (DEMO) within your AWS Organization
Do a Role Switch (OrganizationAccountAccessRole) to the Account you have created
within your AWS organization
15. ROLE SWITCHING
Role Switching is a method of accessing one account from another using only one set of
credentials
Role Switching is possible between
● AWS Accounts (Cross Account Switching)
● AWS Organizations
P.Note: You need to sign in as an IAM user (not the ROOT account) if you are to switch roles.
17. DEMO - 2
Create an IAM Role (MemberReadOnlyAccess) in the Member Account (DEMO) that trusts the
Master Account, with ReadOnlyAccess and the trust restricted to the user demo1
Create an S3 bucket in the Member Account
Switch back to the Master Account and create an IAM user named demo1
Create a ReadOnly IAM Group and add demo1 user to it.
Now add following policies to the created IAM Group
1. ReadOnlyAccess (AWS Managed Policy)
2. sts:AssumeRole (In-Line Policy)
Now sign in using demo1 user
Try to switch to the Member Account using the MemberReadOnlyAccess Role. You should be
able to switch. Go to S3 and confirm the created S3 bucket is visible.
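The role-switch in this demo only works because two separate policies agree: the Trust Policy on MemberReadOnlyAccess (which identity may assume the role, slide 7) and the sts:AssumeRole in-line policy on demo1's group in the Master Account (whether the caller may ask). The block below is an added example written for this page, not code from the deck: it builds those policy documents for the Demo 2 setup and checks both halves with a simplified matcher. The account ids, the second user demo2 and the outsider account are constructed; OrganizationAccountAccessRole's trust policy is included only to show the account-root form of Principal that Demo 1 relies on.

```python
"""Constructed model of the two checks behind a cross-account role switch.

Illustrative only; this is not AWS's policy evaluation engine.
"""
import fnmatch

MASTER_ACCOUNT = "111111111111"   # constructed sample account ids
MEMBER_ACCOUNT = "222222222222"

ROLE_ARN = f"arn:aws:iam::{MEMBER_ACCOUNT}:role/MemberReadOnlyAccess"
DEMO1_ARN = f"arn:aws:iam::{MASTER_ACCOUNT}:user/demo1"
DEMO2_ARN = f"arn:aws:iam::{MASTER_ACCOUNT}:user/demo2"      # hypothetical second user

# 1) Trust policy on MemberReadOnlyAccess (Member Account): only demo1 may assume it.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": DEMO1_ARN},
                   "Action": "sts:AssumeRole"}],
}

# 2) Permission policy on the role: the AWS managed ReadOnlyAccess policy.
ROLE_PERMISSION_POLICY_ARNS = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]

# 3) In-line policy on the ReadOnly group (Master Account): allow sts:AssumeRole,
#    scoped to this one role ARN rather than "*".
GROUP_ASSUME_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}],
}

# For comparison, the shape of the default OrganizationAccountAccessRole trust policy:
# trusting the account root means any principal in the Master Account whose own
# policy grants sts:AssumeRole can assume it.
ORG_ACCESS_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": f"arn:aws:iam::{MASTER_ACCOUNT}:root"},
                   "Action": "sts:AssumeRole"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(arn):
    return arn.split(":")[4]


def _principal_matches(trusted, caller_arn):
    if trusted == "*" or trusted == caller_arn:
        return True
    if trusted.endswith(":root"):               # account-root principal delegates to that account
        return _account_of(trusted) == _account_of(caller_arn)
    return False


def trust_policy_allows(trust_policy, principal_arn):
    """Does the role's trust policy let this principal call sts:AssumeRole?"""
    for stmt in trust_policy["Statement"]:
        principal = stmt.get("Principal", {})
        trusted = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if (stmt["Effect"] == "Allow"
                and "sts:AssumeRole" in _as_list(stmt["Action"])
                and any(_principal_matches(t, principal_arn) for t in trusted)):
            return True
    return False


def caller_policy_allows(policy, role_arn):
    """Does the caller's own identity policy allow sts:AssumeRole on this role ARN?"""
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        resources = _as_list(stmt["Resource"])
        if (stmt["Effect"] == "Allow"
                and any(fnmatch.fnmatchcase("sts:assumerole", a) for a in actions)
                and any(fnmatch.fnmatchcase(role_arn, r) for r in resources)):
            return True
    return False


def can_switch_role(principal_arn, caller_policy, trust_policy, role_arn):
    """Both halves must agree: the caller may ask, and the role trusts the caller."""
    return (caller_policy_allows(caller_policy, role_arn)
            and trust_policy_allows(trust_policy, principal_arn))


if __name__ == "__main__":
    print("demo1 ->", can_switch_role(DEMO1_ARN, GROUP_ASSUME_ROLE_POLICY, TRUST_POLICY, ROLE_ARN))
    print("demo2 ->", can_switch_role(DEMO2_ARN, GROUP_ASSUME_ROLE_POLICY, TRUST_POLICY, ROLE_ARN))
```

If the switch in the console fails, this is the order in which to look: first the caller's group policy (is sts:AssumeRole present and does its Resource match the role ARN), then the role's trust policy (is the caller's ARN, or its account root, listed as Principal). Scoping the group's Resource to the role ARN rather than "*" keeps demo1 from assuming any other role that happens to trust the Master Account root.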
18. RESOURCE ACCESS MANAGER (RAM)
● Owner Account retains the full ownership
● Owner Account creates a share
● If the participant is inside the AWS organization, sharing is enabled automatically
● Use the concept of “Shared Services VPC”
● A Shared Services VPC is one which provides infrastructure that can be consumed by other VPCs
● Member Accounts can see the Shared VPC components, but are unable to do any network level modifications
19. REFERENCES
How to use Service Control Policies:
https://aws.amazon.com/blogs/security/how-to-use-service-control-policies-in-aws-organizations/
AWS Resource Access Manager (RAM):
https://aws.amazon.com/ram/