· Diego Martin · tutorials · 3 min read
Environments in AWS with Organizations
Streamlining AWS Environments with Organizations and a Managing Account
Managing complex cloud environments efficiently is crucial for businesses leveraging AWS. By utilizing AWS Organizations alongside a centralized managing account, companies can achieve both operational efficiency and enhanced security. This article explores the steps and concepts involved in setting up and accessing multiple AWS environments under a unified management system.
Understanding AWS Organization and Its Structure
AWS Organization allows businesses to manage billing, control access, and comply with policies across multiple AWS accounts. By setting up an AWS Organization, you centralize billing to one account - the managing account - and distribute resources across various environment-specific accounts, such as test and prod. Each of these environments operates within its own AWS account, under the umbrella of the managing account, ensuring that resources are isolated yet easily governable.
Key Components of AWS Organization Structure
- Managing account: Centralizes billing and manages domain DNS settings, serving as the core account where key administrative actions are performed.
- Environment account: Separate accounts for different environments (e.g: test, prod, etc.) under the managing organization, each tailored with specific resources and access controls.
AWS automatically provisions an OrganizationAccountAccessRole IAM role within new accounts, facilitating secure access without relying on root user credentials.
Managing AWS Organization Users
My recommended practice is to create IAM users only in the managing account. From there, users can assume roles in other accounts, promoting a secure and streamlined access model. This also allows to enforce security, policies like enforcing 2FA or similar.
The IAM Users can be added to different groups, and, for those groups, some policies allowing access to certain environment accounts (e.g: test, prod, etc.) can be configured.
This is a sample policy that could be added to a user or group of users.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": [
"arn:aws:iam::0000000001:role/OrganizationAccountAccessRole"
]
}
]
}
This would allow administrator access to a AWS account (e.g: 0000000001) to anyone who possesses that policy, as it’s able to assume the OrganizationAccountAccessRole role. To allow access to any environment account, you could also use a wild card like in "arn:aws:iam::*:role/OrganizationAccountAccessRole".
Access Environment Accounts by Switching Roles
Switching roles within AWS to access specific environment accounts under an AWS Organization is a straightforward process that enables users to manage resources across multiple accounts securely. Here’s how you can do it:
- Log into the managing account
- Navigate to switch role
- Fill out the switch role form, specifying the AWS account ID for the desired environment, the role
OrganizationAccountAccessRoleand a display name to make explicit at all times which account are you at. - Confirm and access the environment
After filling out the form, click on the “Switch Role” button to proceed. If successful, you’ll be redirected to the AWS Management Console as the assumed role in the target environment account. The navigation bar will indicate that you’re accessing resources under this new role, displaying the Display Name and color you specified.
In conclusion, employing AWS Organizations with a managing account framework offers a robust approach to managing cloud resources across multiple environments. This model not only centralizes billing and administration but also enhances security through controlled access and enforced MFA, supporting businesses in maintaining an organized and secure cloud infrastructure.
By understanding and implementing these practices, organizations can ensure their cloud environments are both efficient and secure, ready to scale with their needs.
