COPYRIGHT – 1 BILLION TECH | CONFIDENTIAL
AWS CROSS ACCOUNT ACCESS
TECH TALK
15 OCT 2020
AGENDA
• AWS IAM - Recap
• AWS Cross Account Access
• AWS Organizations
• Service Control Policies
• Demo – 1
• Cross Account Role Switching
• Demo – 2 – Role Switching
• AWS Resource Access Manager (RAM)
AWS IAM CREDENTIALS
• AWS IAM offers three types of credentials:
1. User name and password (long-term; used to sign in to the AWS Console)
2. Access keys (long-term; used by the CLI and APIs)
3. Temporary security credentials issued by the Security Token Service (STS) (short-term; what you receive when you assume an IAM Role)
AWS IAM POLICIES
• AWS IAM offers two main types of policy:
1. Identity-based policies (attached to IAM users, groups and roles)
2. Resource-based policies (attached to a resource such as an S3 bucket; the trust policy of a role is also one of these)
• Identity-based policies come in two forms:
1. Managed policies (AWS managed, such as ReadOnlyAccess, or customer managed; reusable across many identities, used for base-level permissions)
2. Inline policies (embedded in a single user, group or role; used for one-off, customised permissions)
AWS IAM IDENTITIES
• In AWS, there are three IAM identities:
1. IAM Users
2. IAM Groups
3. IAM Roles
• Each of these identities can be associated with one or more policies, which determine what actions the user, group or role can perform on AWS resources.
AWS IAM USERS AND GROUPS
• Each AWS account has one root user.
• The root user is the super administrator, with full access to everything in the account.
• Within the account you create IAM users for day-to-day work.
• Using the root user for routine administration is an anti-pattern: create an IAM user (or role) with administrator permissions for that, and keep the root user locked down with MFA for the few tasks that only it can perform.
• Groups can contain many IAM users, and a user can belong to many groups.
• Both managed and inline policies can be attached to IAM groups.
AWS IAM ROLES
• Every IAM Role has two policy documents:
1. Trust Policy
2. Permissions Policy
• Trust Policy: defines which principals (users, roles, accounts or AWS services) are allowed to assume the role, and under what conditions.
• Permissions Policy: defines what the role is allowed to do with AWS resources once it has been assumed.
TRUST POLICY VS PERMISSION POLICY
AWS CROSS ACCOUNT ACCESS
AWS ORGANIZATIONS
• AWS Organizations helps you centrally govern your environment as you grow and scale your workloads on AWS.
• Whether you are a growing startup or a large enterprise, Organizations lets you centrally manage billing, access control, compliance and security, and share resources across your AWS accounts.
• It is the service for managing multiple AWS accounts within a single business.
• Rather than many accounts with isolated sets of logins and individual bills, you get a consolidated setup with better governance.
AWS ORGANIZATIONS
• Master Account (now called the management account):
The account from which you create the organization becomes the master account. It cannot be restricted by Service Control Policies, so protect it carefully and keep workloads out of it. Consolidated billing and centralised logging are managed from here.
• Member Account:
Any other account in the organization, whether created from the master account or invited to join.
• Organizational Unit (OU):
Groups into which you place member accounts. They are useful when you want a Service Control Policy to apply to every account under the OU.
• Service Control Policies (SCP):
Define the maximum permissions available to the users and roles in a member account.
SERVICE CONTROL POLICIES
• Service Control Policies (SCPs) are a type of organization policy that you use to manage permissions across your organization.
• SCPs give central control over the maximum available permissions for the accounts in your organization. An SCP never grants permissions by itself: an identity still needs an IAM policy that allows the action, and the SCP only caps what such policies can grant. The default SCP, FullAWSAccess, allows everything.
• When a member account is created from the master account, a default role is created in it, called OrganizationAccountAccessRole.
• This role has the AWS managed AdministratorAccess policy (full admin access) as its permissions policy, and a trust relationship to the master account (see the Permissions and Trust relationships tabs of the role).
• To limit what this full-admin role, or any other identity in a member account, can do, select the member account (or its OU) in Organizations and attach an SCP at that level.
• An SCP cannot restrict the master account. Only member accounts and their Organizational Units are affected.
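The interaction described above (an SCP caps but never grants, a Deny in an SCP wins, the master account is exempt, and the AdministratorAccess policy on OrganizationAccountAccessRole is still bounded in a member account) is easy to get wrong when reasoning about a multi-account setup. The following is an added example, not code from the deck or from AWS: a simplified Python model of that evaluation. The account IDs, the guardrail SCP and the actions are constructed for the example; condition keys, resource ARNs and permissions boundaries are deliberately not modelled.

```python
"""Added example, not from the original deck: a simplified model of how a
Service Control Policy (SCP) caps what identity policies can grant.

Only the behaviour the slides describe is modelled: an SCP never grants
access by itself, an SCP Deny always wins, every level of the inheritance
path (root, OU, account) must contain an SCP that allows the action, and
the management (master) account is not bounded by SCPs at all. Account IDs,
policies and actions below are constructed for the example; condition keys,
resource ARNs and permissions boundaries are not modelled.
"""
from fnmatch import fnmatchcase

MANAGEMENT_ACCOUNT = "111111111111"   # constructed sample ID
MEMBER_ACCOUNT = "222222222222"       # constructed sample ID

# Default SCP that AWS attaches to the root and to every OU and account.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed guardrail SCP: even a full administrator in a member account
# must not be able to leave the organization or switch off CloudTrail.
GUARDRAIL_SCP = {"Statement": [{
    "Effect": "Deny",
    "Action": ["organizations:LeaveOrganization",
               "cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
    "Resource": "*"}]}

# Permissions policy of OrganizationAccountAccessRole (AdministratorAccess).
ADMINISTRATOR_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Read-only identity policy in the spirit of Demo 2.
READ_ONLY = {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}


def _actions(stmt):
    acts = stmt["Action"]
    return [acts] if isinstance(acts, str) else list(acts)


def policy_decision(policy, action):
    """Decision of one policy document for one action:
    'deny' (explicit), 'allow', or 'implicit_deny' (no matching statement).
    IAM matches action names case-insensitively with * and ? wildcards."""
    allowed = False
    for stmt in policy["Statement"]:
        if any(fnmatchcase(action.lower(), pat.lower()) for pat in _actions(stmt)):
            if stmt["Effect"] == "Deny":
                return "deny"
            allowed = True
    return "allow" if allowed else "implicit_deny"


def scp_permits(scp_levels, action, account_id):
    """scp_levels: the SCPs attached at each level from the org root down to the
    account, e.g. [[root SCPs], [OU SCPs], [account SCPs]]. Every level must
    allow the action and no level may deny it. The management account is exempt.
    An empty list of levels means SCPs are not enabled, so nothing is capped."""
    if account_id == MANAGEMENT_ACCOUNT:
        return True
    for level in scp_levels:
        decisions = [policy_decision(p, action) for p in level]
        if "deny" in decisions or "allow" not in decisions:
            return False
    return True


def is_allowed(identity_policies, scp_levels, action, account_id):
    """Effective decision: the identity policies must grant the action (no Deny,
    at least one Allow) AND the SCP guardrail must permit it."""
    decisions = [policy_decision(p, action) for p in identity_policies]
    if "deny" in decisions or "allow" not in decisions:
        return False
    return scp_permits(scp_levels, action, account_id)


if __name__ == "__main__":
    # Root carries only FullAWSAccess; the OU holding DEMO also carries the guardrail.
    path = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, GUARDRAIL_SCP]]
    for acct, name in ((MEMBER_ACCOUNT, "member"), (MANAGEMENT_ACCOUNT, "management")):
        for action in ("ec2:RunInstances", "organizations:LeaveOrganization"):
            print(f"{name:10} {action:32} ->",
                  is_allowed([ADMINISTRATOR_ACCESS], path, action, acct))
```

Two things the model makes visible: a read-only user under FullAWSAccess still cannot write, because the SCP grants nothing, and an OU that carries only a Deny-list SCP with FullAWSAccess detached permits nothing at all. To see which SCPs actually apply to an account, list them with `aws organizations list-policies-for-target --target-id <account-id> --filter SERVICE_CONTROL_POLICY` from the master account.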
DEMO - 1
• Create an AWS Organization (if your account does not have one already). The account you do this from becomes the master account.
• Create a member AWS account (DEMO) within your AWS Organization.
• Switch role (OrganizationAccountAccessRole) into the account you just created within your AWS Organization.
ROLE SWITCHING
• Role switching is a way of accessing one account from another using a single set of credentials: you sign in once and assume a role in the target account.
• Role switching is possible between:
● AWS accounts (cross-account switching), whether or not they belong to the same organization
● accounts within an AWS Organization (for example via OrganizationAccountAccessRole)
• Note: you must be signed in as an IAM user (not the root user) to switch roles; the root user cannot assume roles.
DEMO - 2
• In the member account (DEMO), create an IAM role named MemberReadOnlyAccess with the AWS managed ReadOnlyAccess policy as its permissions policy and a trust policy that trusts the master account, restricted to the user demo1 (use the user's ARN, not the account root, as the principal).
• Create an S3 bucket in the member account.
• Switch back to the master account and create an IAM user named demo1.
• Create a ReadOnly IAM group and add demo1 to it.
• Attach the following policies to the group:
1. ReadOnlyAccess (AWS managed policy)
2. An inline policy allowing sts:AssumeRole on the ARN of MemberReadOnlyAccess
• Sign in as demo1.
• Switch to the member account using the MemberReadOnlyAccess role. The switch should succeed; open S3 and check that the bucket you created is visible (and that writes are refused).
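Demo 2 turns on two documents: the trust policy in the member account and the sts:AssumeRole policy in the master account, and the switch only works when both say yes. The following is an added example, not code from the deck or from AWS: it builds both documents as Python dicts and models which callers the trust policy accepts, so the difference between trusting the master account root (every identity in that account that may call sts:AssumeRole) and trusting the demo1 user ARN is visible. The account IDs and ARNs are constructed, and the optional MFA condition is a hardening the deck does not show.

```python
"""Added example, not code from the original deck: the two policy documents
behind Demo 2 and a small model of who the trust policy lets in.

Account IDs, ARNs and the MFA variant are constructed for the example. The
check models only the Principal element and the aws:MultiFactorAuthPresent
condition of a trust policy; it illustrates the documented behaviour and is
not IAM itself.
"""
import json

MASTER_ACCOUNT = "111111111111"   # constructed: the management (master) account
MEMBER_ACCOUNT = "222222222222"   # constructed: the DEMO member account
ROLE_NAME = "MemberReadOnlyAccess"
ROLE_ARN = f"arn:aws:iam::{MEMBER_ACCOUNT}:role/{ROLE_NAME}"
DEMO1_ARN = f"arn:aws:iam::{MASTER_ACCOUNT}:user/demo1"
MASTER_ROOT_ARN = f"arn:aws:iam::{MASTER_ACCOUNT}:root"


def trust_policy(principal_arn, require_mfa=False):
    """Trust (assume-role) policy for MemberReadOnlyAccess in the member account.

    The principal decides how wide the trust is:
      arn:aws:iam::<master>:root        every identity in the master account whose
                                        own IAM policies allow sts:AssumeRole here
      arn:aws:iam::<master>:user/demo1  only that one user (the "restrict to demo1" step)
    require_mfa adds a hardening not in the deck: the caller's session must
    have been authenticated with MFA.
    """
    stmt = {"Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": "sts:AssumeRole"}
    if require_mfa:
        stmt["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def assume_role_policy(role_arn):
    """Inline policy for the ReadOnly group in the master account. It names the one
    role ARN instead of Resource "*", so members cannot assume arbitrary roles."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": "sts:AssumeRole",
                           "Resource": role_arn}]}


def _account_of(arn):
    return arn.split(":")[4]   # arn:partition:service:region:account:resource


def identity_allows_assume(policy, role_arn):
    """Does the caller's identity policy allow sts:AssumeRole on this role?
    Needed for a cross-account switch in addition to the trust policy."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow" and stmt["Action"] == "sts:AssumeRole":
            resources = stmt["Resource"]
            resources = [resources] if isinstance(resources, str) else resources
            if any(r == "*" or r == role_arn for r in resources):
                return True
    return False


def trust_allows(trust, caller_arn, mfa_present=False):
    """Does the role's trust policy accept this caller?"""
    for stmt in trust["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        principals = stmt["Principal"]["AWS"]
        principals = [principals] if isinstance(principals, str) else principals
        # An account-root principal matches any identity of that account;
        # any other ARN must match exactly.
        matched = any(
            _account_of(caller_arn) == _account_of(p) if p.endswith(":root") else caller_arn == p
            for p in principals)
        if not matched:
            continue
        bool_cond = stmt.get("Condition", {}).get("Bool", {})
        if bool_cond.get("aws:MultiFactorAuthPresent") == "true" and not mfa_present:
            continue
        return True
    return False


def can_switch(identity_policy, trust, caller_arn, role_arn, mfa_present=False):
    """A cross-account AssumeRole needs both halves to say yes."""
    return identity_allows_assume(identity_policy, role_arn) and trust_allows(trust, caller_arn, mfa_present)


if __name__ == "__main__":
    print(json.dumps(trust_policy(DEMO1_ARN), indent=2))
    print(json.dumps(assume_role_policy(ROLE_ARN), indent=2))
    other_user = f"arn:aws:iam::{MASTER_ACCOUNT}:user/demo2"
    group_policy = assume_role_policy(ROLE_ARN)
    for principal in (MASTER_ROOT_ARN, DEMO1_ARN):
        trust = trust_policy(principal)
        print(principal, "-> demo1:", can_switch(group_policy, trust, DEMO1_ARN, ROLE_ARN),
              "demo2:", can_switch(group_policy, trust, other_user, ROLE_ARN))
```

With the trust set to the account root, a second user in the ReadOnly group (or anyone else in the master account holding sts:AssumeRole) can take the role too; with the trust pinned to the demo1 ARN only that user can. The same switch from the CLI is `aws sts assume-role --role-arn arn:aws:iam::222222222222:role/MemberReadOnlyAccess --role-session-name demo1-readonly`, or a named profile in `~/.aws/config` with `role_arn` and `source_profile` (plus `mfa_serial` if the trust policy demands MFA); either way the AssumeRole call is recorded by CloudTrail in both accounts.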
RESOURCE ACCESS MANAGER (RAM)
• The owner account retains full ownership of a shared resource.
• The owner account creates a resource share and names the principals (accounts, OUs or the whole organization) that may use it.
• If sharing with AWS Organizations is enabled and the participant is inside the organization, access is granted automatically; accounts outside it must accept an invitation first.
• RAM enables the "Shared Services VPC" pattern.
• A Shared Services VPC is one that provides network infrastructure (shared subnets) that workloads in other accounts can consume.
• Member accounts can see the shared VPC components and launch resources into the shared subnets, but cannot make network-level modifications (the VPC, subnets, route tables, network ACLs); those stay with the owner.
REFERENCES
• How to use Service Control Policies: https://aws.amazon.com/blogs/security/how-to-use-service-control-policies-in-aws-organizations/
• AWS Resource Access Manager (RAM): https://aws.amazon.com/ram/
Let's work
together
EMAIL
contact@1billiontech.com
MOBILE
+94 117 112191
FACEBOOK
1billiontechnology

Uploaded by Crishantha Nanayakkara

1BT_Tech_Talk_AWS_Cross_Account_Access

10. AWS ORGANIZATIONS
• AWS Organizations helps you centrally govern your environment as you grow and scale your workloads on AWS.
• Whether you are a growing startup or a large enterprise, Organizations helps you centrally manage billing, control access, compliance and security, and share resources across your AWS accounts.
• It helps you manage multiple AWS accounts within a single business.
• Rather than managing many accounts, each with its own isolated set of logins and its own bill, this gives you a more consolidated setup with better governance.

12. AWS ORGANIZATIONS
• Master Account: When you create an AWS Organization under the ROOT account, you create the Master Account. The Master Account cannot be restricted. Consolidated billing and centralized logging happen here.
• Member Account: AWS accounts created under the ROOT account that are not the Master Account.
• Organizational Unit (OU): Groups that you can create and assign AWS accounts to. They are useful when you want to apply certain Service Control Policies (SCPs) to all accounts attached under the OU.
• Service Control Policies (SCP): Define the maximum permissions for account users and roles.

13. SERVICE CONTROL POLICIES
• Service Control Policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization.
• SCPs offer central control over the maximum available permissions for all accounts in your organization.
• Once a Member Account is created, a default Role called OrganizationAccountAccessRole is created in it.
• By default this role has "FullAdminAccess" and a trust relationship to the Master Account (see the permissions and trust relationships of the above role).
• If you want to change the "FullAdminAccess" policy for a Member Account, select that Member Account and change the service policy at the Member Account level.
• However, it is not possible to change the "FullAdminAccess" policy for the Master Account; this is only possible for Member Accounts and their Organizational Units.

14. DEMO - 1
• Create an AWS Organization (if your account does not have one already). This creates a Master AWS Account for you.
• Create a Member AWS Account (DEMO) within your AWS Organization.
• Do a Role Switch (OrganizationAccountAccessRole) into the account you created within your AWS Organization.

15. ROLE SWITCHING
• Role Switching is a method of accessing one account from another using only one set of credentials.
• Role Switching is possible between:
  ● AWS Accounts (Cross Account Switching)
  ● AWS Organizations
• Please note: you need to sign in as an IAM user (not the ROOT account) if you want to switch roles.

17. DEMO - 2
• Create an IAM Role (MemberReadOnlyAccess) in the Member Account (DEMO) that trusts the Master Account, with ReadOnlyAccess and access restricted to the user demo1.
• Create an S3 bucket in the Member Account.
• Switch back to the Master Account and create an IAM user named demo1.
• Create a ReadOnly IAM Group and add the demo1 user to it.
• Now add the following policies to the created IAM Group:
  1. ReadOnlyAccess (AWS Managed Policy)
  2. sts:AssumeRole (In-Line Policy)
• Now sign in as the demo1 user.
• Try to switch to the Member Account using the MemberReadOnlyAccess Role. You should be able to switch. Go to S3 and confirm that the bucket you created is visible.
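The two policy documents Demo 2 has you write (the trust policy on the role in the Member Account and the sts:AssumeRole in-line policy on the group in the Master Account), together with the SCP ceiling from slide 13, as an added Python example that is not part of the talk and not AWS's own code. The account ids 111111111111 and 222222222222, the users demo1 and demo2, the ReadOnlyAccess subset and the evaluator itself are assumptions: it is a simplified model of IAM evaluation (explicit deny wins, default deny, literal principal matching) that ignores conditions, permissions boundaries, session policies and account "root" principals, not AWS's engine.

```python
"""
Simplified model of the two checks behind a cross-account role switch (Demo 2)
and of how an SCP bounds what a role may do afterwards (slide 13).

Added illustration, not code from the talk or from AWS. Account ids, user and
role names and the ReadOnlyAccess subset are constructed placeholders; the
evaluator models only explicit-deny-wins / default-deny and matches Principal
ARNs literally (no account "root" expansion, conditions or boundaries).
"""
import fnmatch

MASTER_ACCOUNT = "111111111111"   # constructed placeholder ids
MEMBER_ACCOUNT = "222222222222"
DEMO1 = f"arn:aws:iam::{MASTER_ACCOUNT}:user/demo1"
DEMO2 = f"arn:aws:iam::{MASTER_ACCOUNT}:user/demo2"
ROLE_ARN = f"arn:aws:iam::{MEMBER_ACCOUNT}:role/MemberReadOnlyAccess"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM '*' and '?' wildcards; ARNs and action names never contain '['.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _statement_effect(stmt, action, resource, principal):
    """'Allow', 'Deny' or None when the statement does not apply."""
    if not _matches(stmt.get("Action", []), action):
        return None
    if "Resource" in stmt and not _matches(stmt["Resource"], resource):
        return None
    if principal is not None:   # trust policies are matched on the caller
        if not _matches(stmt.get("Principal", {}).get("AWS", []), principal):
            return None
    return stmt["Effect"]


def evaluate(policies, action, resource, principal=None):
    """Explicit Deny wins; otherwise at least one Allow is required."""
    effects = {_statement_effect(s, action, resource, principal)
               for p in policies for s in _as_list(p["Statement"])}
    return "Deny" not in effects and "Allow" in effects


# --- the two documents Demo 2 has you write ------------------------------
def trust_policy(trusted_principal_arn):
    """Goes on the role in the MEMBER account: who may assume it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": trusted_principal_arn},
        "Action": "sts:AssumeRole"}]}


def assume_role_inline_policy(role_arn):
    """Goes on the ReadOnly group in the MASTER account: what demo1 may assume."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}]}


def can_switch_role(principal_arn, role_arn, trust, caller_policies):
    """A switch needs BOTH sides: the caller's identity policy allows
    sts:AssumeRole on the role, and the role's trust policy names the caller."""
    caller_ok = evaluate(caller_policies, "sts:AssumeRole", role_arn)
    role_ok = evaluate([trust], "sts:AssumeRole", role_arn, principal=principal_arn)
    return caller_ok and role_ok


# --- SCPs as the ceiling inside a member account -------------------------
FULL_AWS_ACCESS_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_LEAVE_ORG_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "organizations:LeaveOrganization",
     "Resource": "*"}]}
ADMIN_PERMISSION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
READONLY_SUBSET = {"Version": "2012-10-17", "Statement": [   # constructed subset
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}


def effective_allow(action, resource, permission_policies, scps):
    """In a member account the role's permission policy must allow the call
    AND the SCPs in force must allow it (SCPs never grant, they only bound)."""
    return (evaluate(permission_policies, action, resource)
            and evaluate(scps, action, resource))


if __name__ == "__main__":
    group = [READONLY_SUBSET, assume_role_inline_policy(ROLE_ARN)]
    trust = trust_policy(DEMO1)
    print("demo1 can switch:", can_switch_role(DEMO1, ROLE_ARN, trust, group))  # True
    print("demo2 can switch:", can_switch_role(DEMO2, ROLE_ARN, trust, group))  # False
    scps = [FULL_AWS_ACCESS_SCP, DENY_LEAVE_ORG_SCP]
    admin = [ADMIN_PERMISSION_POLICY]
    print("admin s3:ListBucket:", effective_allow("s3:ListBucket", "*", admin, scps))  # True
    print("admin leave org:",
          effective_allow("organizations:LeaveOrganization", "*", admin, scps))  # False
```

In a real account the switch is the `aws sts assume-role --role-arn ... --role-session-name ...` call behind the console's Switch Role button. The model shows why demo1 succeeds only when the trust policy and the caller's identity policy agree (drop either one and the switch fails), and why an SCP still denies `organizations:LeaveOrganization` to a role whose permission policy allows everything, which is the "maximum available permissions" point from slide 13.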
18. RESOURCE ACCESS MANAGER (RAM)
• The Owner Account retains full ownership.
• The Owner Account creates a share.
• If the participant is inside the AWS Organization, sharing is enabled automatically.
• Use the concept of a "Shared Services VPC".
• A Shared Services VPC is one that provides infrastructure which can be consumed by other VPCs.
• Member Accounts can see the Shared VPC components, but cannot make any network-level modifications.

19. REFERENCES
• How to use Service Control Policies: https://aws.amazon.com/blogs/security/how-to-use-service-control-policies-in-aws-organizations/
• AWS Resource Access Manager (RAM): https://aws.amazon.com/ram/