One post tagged with "aws" | bananaappletw's blog

AWS resource hierarchy

July 3, 2021 · 3 min read

Overview

Scenario:

A company size of 200 people seperated into 10 teams.
Administer can have the company-wide policy to limit AWS account.
Easy way to switch user to the other team.
Single login page for user to login
Each team wants its own access to its resources.
Also, different environment for specific purpose.
Sometimes, they need temporarily cooperation between teams.
For auditing, bills should be seperated by each team.

Solution:

AWS Organization to have hiearchy architecture.
Move AWS Accounts into different Organizational Unit.
Attach Service Control Policies to OU to limit AWS accounts.
Using seperated account for different enviroment, producion, staging...... .

Organization

graph LR R[Organization root] --> C[Company OU] C[Company OU] --> A1[Team A production AWS account] C[Company OU] --> A2[Team A staging AWS account] C[Company OU] --> B1[Team B production AWS account] C[Company OU] --> B2[Team B staging AWS account] R[Organization root] --> P[playground AWS account]

Company OU will whitelist AWS resource and region. Playground account has no limitation on AWS resource. Periodically clean resource of playground account.

info

AWS Tag is another solution to have more detail bill within AWS account.

Terraform

Create terraform IAM access key and attach AdministratorAccess policy as Terraform repo's credential.

graph LR; A[A AWS account] --> AT[A Terraform repo]; AT[A Terraform repo] --> A[A AWS account]; B[B AWS account] --> BT[B Terraform repo]; BT[B Terraform repo] --> B[B AWS account];

SSO

caution

Recommended using SSO to manage AWS Accounts, otherwise you will have to manage your account from different place.

Google apps SSO

danger

You have to have GSuite super administrator access.

Follow the How to Set Up Federated Single Sign-On to AWS Using Google Apps instruction

Then, you will find out it's one-to-one mapping between Google account and IAM role.

We want mapping of Google group and IAM role.

Refer repo https://github.com/1Strategy/sso-to-aws-using-gsuite

By using GSuite Admin API

Iterate the Google group, for each Google account, map to corresponding IAM role

AWS SSO

https://aws.amazon.com/tw/single-sign-on/

graph LR; A[A AWS account admin group] --> AA[Administer role of A account]; A[A AWS account readonly group] --> AR[readonly role of account]; B[B AWS account admin group] --> BA[Administer role of A account]; B[B AWS account readonly group] --> BR[readonly role of account];

Assign user to group to have access to account.

Neat short-term credentials for command line interface

Overview​

Organization​

Terraform​

SSO​

Google apps SSO​

AWS SSO​

Overview

Organization

Terraform

SSO

Google apps SSO

AWS SSO