Overview
Scenario:
- A company of 200 people separated into 10 teams.
- An administrator can set a company-wide policy to limit what AWS accounts may do.
- An easy way to switch a user to another team.
- A single login page for users to log in.
- Each team wants access to its own resources.
- Also, separate environments for specific purposes.
- Sometimes teams need to cooperate temporarily.
- For auditing, bills should be separated by team.
Solution:
- AWS Organizations to build a hierarchical structure.
- Move AWS accounts into different Organizational Units (OUs).
- Attach Service Control Policies (SCPs) to each OU to limit what its AWS accounts may do.
- Use separate accounts for different environments (production, staging, …).
Organization
```mermaid
graph LR
  R[Organization root] --> C[Company OU]
  C --> A1[Team A production AWS account]
  C --> A2[Team A staging AWS account]
  C --> B1[Team B production AWS account]
  C --> B2[Team B staging AWS account]
  R --> P[playground AWS account]
```
The Company OU whitelists the allowed AWS services and regions. The playground account has no limitation on AWS services; its resources are cleaned up periodically.
:::info
AWS tags (cost allocation tags) are another way to get a more detailed bill within a single AWS account.
:::
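As an added example that is not part of the original notes, the structure above expressed in Terraform: the Company OU gets an allowlist SCP for services and regions, while the playground account stays directly under the root. The account e-mails, the approved region list and the approved service list are assumptions chosen for the example.

```hcl
# Added example, not from the original notes. Placeholder e-mails, regions and
# services; run from the Organizations management account.

resource "aws_organizations_organization" "root" {
  feature_set          = "ALL"                       # SCPs need all features enabled
  enabled_policy_types = ["SERVICE_CONTROL_POLICY"]
}

resource "aws_organizations_organizational_unit" "company" {
  name      = "Company"
  parent_id = aws_organizations_organization.root.roots[0].id
}

resource "aws_organizations_account" "team_a_prod" {
  name      = "team-a-production"
  email     = "aws-team-a-prod@example.com"          # placeholder
  parent_id = aws_organizations_organizational_unit.company.id
}

# Playground stays under the root, so the Company SCP never applies to it.
resource "aws_organizations_account" "playground" {
  name      = "playground"
  email     = "aws-playground@example.com"           # placeholder
  parent_id = aws_organizations_organization.root.roots[0].id
}

# Allowlist SCP: only the named services, and (for regional services) only
# in the named regions. Global services are excluded from the region check
# because their API calls are always routed through us-east-1.
resource "aws_organizations_policy" "company_allowlist" {
  name        = "company-allowlist"
  description = "Allow only approved services in approved regions"
  type        = "SERVICE_CONTROL_POLICY"
  content = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid      = "AllowApprovedServices"
        Effect   = "Allow"
        Action   = ["ec2:*", "s3:*", "iam:*", "sts:*", "cloudwatch:*", "logs:*"]   # assumed list
        Resource = "*"
      },
      {
        Sid       = "DenyOutsideApprovedRegions"
        Effect    = "Deny"
        NotAction = ["iam:*", "sts:*", "organizations:*", "support:*", "cloudfront:*", "route53:*"]
        Resource  = "*"
        Condition = {
          StringNotEquals = {
            "aws:RequestedRegion" = ["ap-northeast-1", "us-east-1"]             # assumed list
          }
        }
      }
    ]
  })
}

resource "aws_organizations_policy_attachment" "company" {
  policy_id = aws_organizations_policy.company_allowlist.id
  target_id = aws_organizations_organizational_unit.company.id
}
```

Two checks before relying on this: the Deny statement always takes effect, but the Allow statement only restricts anything once the default `FullAWSAccess` policy (`p-FullAWSAccess`) is detached from the Company OU, because SCP evaluation allows an action when any policy at that level allows it; and SCPs never apply to the management account itself, so nothing sensitive should live there.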
Terraform
For each account, create an IAM access key for a dedicated `terraform` IAM user with the `AdministratorAccess` policy attached, and use it as that account's Terraform repo credential.
```mermaid
graph LR
  A[A AWS account] --> AT[A Terraform repo]
  AT --> A
  B[B AWS account] --> BT[B Terraform repo]
  BT --> B
```
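As an added example (not from the original notes), the bootstrap of one account's Terraform credential together with the repo-side provider and state backend for the same account. The user name, bucket, lock table and region are placeholders; the two parts would normally live in separate configurations, as the comments note.

```hcl
# Added example, not from the original notes. Placeholder names throughout.

# --- part 1: bootstrap, applied once per account from an administrator session ---
resource "aws_iam_user" "terraform" {
  name = "terraform"                                   # placeholder
}

resource "aws_iam_user_policy_attachment" "terraform_admin" {
  user       = aws_iam_user.terraform.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

resource "aws_iam_access_key" "terraform" {
  user = aws_iam_user.terraform.name
}

# The secret is written to Terraform state, so the state store must be protected
# (encrypted bucket, restricted access) just like the key itself.
output "terraform_access_key_id" {
  value = aws_iam_access_key.terraform.id
}

output "terraform_secret_access_key" {
  value     = aws_iam_access_key.terraform.secret
  sensitive = true
}

# --- part 2: the team's Terraform repo for the same account ---
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
  backend "s3" {
    bucket         = "team-a-terraform-state"          # placeholder
    key            = "production/terraform.tfstate"
    region         = "ap-northeast-1"                  # placeholder
    encrypt        = true
    dynamodb_table = "team-a-terraform-lock"           # placeholder; enables state locking
  }
}

# No access keys in code: the provider reads AWS_ACCESS_KEY_ID and
# AWS_SECRET_ACCESS_KEY from the environment of the CI job or operator shell.
provider "aws" {
  region = "ap-northeast-1"                            # placeholder
}
```

Read the secret once with `terraform output -raw terraform_secret_access_key` and hand it to the repo's CI secret store; the key is as powerful as the account, so it belongs in a secret store, never in the repo, and should be rotated.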
SSO
:::caution
It is recommended to use SSO to manage AWS accounts; otherwise you will have to manage your accounts from different places.
:::
Google apps SSO
:::warning
You need GSuite super administrator access.
:::
Follow the AWS instructions in "How to Set Up Federated Single Sign-On to AWS Using Google Apps".
You will then find that this gives a one-to-one mapping between a Google account and an IAM role.
We want to map a Google group to an IAM role instead.
Refer to the repo https://github.com/1Strategy/sso-to-aws-using-gsuite, which uses the GSuite Admin API:
iterate over each Google group and, for each Google account in it, map that account to the corresponding IAM role.
AWS SSO
https://aws.amazon.com/tw/single-sign-on/
```mermaid
graph LR
  AG[A AWS account admin group] --> AA[Administrator role of A account]
  ARG[A AWS account readonly group] --> AR[readonly role of A account]
  BG[B AWS account admin group] --> BA[Administrator role of B account]
  BRG[B AWS account readonly group] --> BR[readonly role of B account]
```
Assign users to groups to grant them access to the corresponding accounts.
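As an added example (not from the original notes), the group-to-role layout above in Terraform using AWS SSO permission sets: one `admin` and one `readonly` permission set, one group per (account, permission set) pair, and an account assignment wiring each group to its account. The account IDs, group names and session duration are assumptions.

```hcl
# Added example, not from the original notes. Placeholder account IDs and names;
# run from the account where AWS SSO (IAM Identity Center) is enabled.

data "aws_ssoadmin_instances" "this" {}

locals {
  sso_instance_arn  = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]

  accounts = {
    a = "111111111111"                                   # placeholder account IDs
    b = "222222222222"
  }

  # Permission set name => managed policy it carries.
  permission_sets = {
    admin    = "arn:aws:iam::aws:policy/AdministratorAccess"
    readonly = "arn:aws:iam::aws:policy/ReadOnlyAccess"
  }

  # One group per (account, permission set), e.g. "a-admin", "b-readonly".
  assignments = {
    for pair in setproduct(keys(local.accounts), keys(local.permission_sets)) :
    "${pair[0]}-${pair[1]}" => { account = pair[0], permission_set = pair[1] }
  }
}

resource "aws_ssoadmin_permission_set" "this" {
  for_each         = local.permission_sets
  name             = each.key
  instance_arn     = local.sso_instance_arn
  session_duration = "PT4H"                              # assumed; ISO 8601 duration
}

resource "aws_ssoadmin_managed_policy_attachment" "this" {
  for_each           = local.permission_sets
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.this[each.key].arn
  managed_policy_arn = each.value
}

resource "aws_identitystore_group" "this" {
  for_each          = local.assignments
  identity_store_id = local.identity_store_id
  display_name      = "aws-${each.key}"                   # placeholder naming scheme
  description       = "${each.value.permission_set} access to account ${each.value.account}"
}

# Group X in account Y gets permission set Z; users added to the group inherit it.
resource "aws_ssoadmin_account_assignment" "this" {
  for_each           = local.assignments
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.this[each.value.permission_set].arn
  principal_id       = aws_identitystore_group.this[each.key].group_id
  principal_type     = "GROUP"
  target_id          = local.accounts[each.value.account]
  target_type        = "AWS_ACCOUNT"
}
```

Creating groups with `aws_identitystore_group` only works while the identity source is the built-in identity store; once groups are provisioned from an external IdP via SCIM, look them up with the `aws_identitystore_group` data source instead and keep only the assignments in Terraform.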