Overview
Scenario:
- A company size of
200people seperated into10teams. - Administer can have the company-wide policy to limit AWS account.
- Easy way to switch user to the other team.
- Single login page for user to login
- Each team wants its own access to its resources.
- Also, different environment for specific purpose.
- Sometimes, they need temporarily cooperation between teams.
- For auditing, bills should be seperated by each team.
Solution:
- AWS Organization to have hiearchy architecture.
- Move AWS Accounts into different Organizational Unit.
- Attach Service Control Policies to OU to limit AWS accounts.
- Using seperated account for different enviroment, producion, staging...... .
Organization
Company OU will whitelist AWS resource and region. Playground account has no limitation on AWS resource. Periodically clean resource of playground account.
AWS Tag is another solution to have more detail bill within AWS account.
Terraform
Create terraform IAM access key and attach AdministratorAccess policy as Terraform repo's credential.
SSO
Recommended using SSO to manage AWS Accounts, otherwise you will have to manage your account from different place.
Google apps SSO
You have to have GSuite super administrator access.
Follow the How to Set Up Federated Single Sign-On to AWS Using Google Apps instruction
Then, you will find out it's one-to-one mapping between Google account and IAM role.
We want mapping of Google group and IAM role.
Refer repo https://github.com/1Strategy/sso-to-aws-using-gsuite
By using GSuite Admin API
Iterate the Google group, for each Google account, map to corresponding IAM role
AWS SSO
https://aws.amazon.com/tw/single-sign-on/
Assign user to group to have access to account.