- A company of 200 people separated into
- Administrators can have a company-wide policy to limit AWS accounts.
- An easy way to switch a user to another team.
- A single login page for users to log in.
- Each team wants its own access to its resources.
- Also, different environments for specific purposes.
- Sometimes they need temporary cooperation between teams.
- For auditing, bills should be separated by team.
- AWS Organizations to have a hierarchical architecture.
- Move AWS accounts into different Organizational Units.
- Attach Service Control Policies to OUs to limit AWS accounts.
- Use separate accounts for different environments: production, staging, ...
The Company OU will whitelist AWS resources and regions. The Playground account has no limitation on AWS resources; periodically clean up the resources of the Playground account.
AWS Tags are another solution for more detailed bills within an AWS account.
Create a Terraform IAM access key and attach the AdministratorAccess policy to it as the Terraform repo's credential.
Using SSO to manage AWS accounts is recommended; otherwise you will have to manage your accounts from different places.
Google apps SSO
You must have G Suite super administrator access.
Follow the "How to Set Up Federated Single Sign-On to AWS Using Google Apps" instructions.
Then you will find out that it is a one-to-one mapping between a Google account and an IAM role.
We want a mapping between Google groups and IAM roles.
By using the G Suite Admin API:
Iterate over the Google groups and, for each Google account in a group, map it to the corresponding IAM role.
Assign a user to a group to give them access to the account.
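An added example, not from these notes or from the AWS guide, of the group-to-role step above: given constructed Google group memberships and an assumed group-to-role table, it builds each user's multi-valued SAML Role attribute in the form AWS expects, plus the Admin SDK request body for the custom `SSO.IAM_Role` attribute that the federation guide defines. Group names, account ids and the provider name are assumptions, and the Admin SDK calls themselves are not made here.

```python
# Added example: derive each user's SAML role attribute from Google group
# membership. Group names, account ids and the provider name are made up.
from collections import defaultdict

# Constructed sample of what listing each group's members would return.
GROUP_MEMBERS = {
    "team-a@example.com": ["alice@example.com", "bob@example.com"],
    "team-b@example.com": ["bob@example.com", "carol@example.com"],
    "playground@example.com": ["alice@example.com", "carol@example.com"],
}

# Assumed mapping: Google group -> (AWS account id, IAM role name).
GROUP_TO_ROLE = {
    "team-a@example.com": ("111111111111", "TeamADeveloper"),
    "team-b@example.com": ("222222222222", "TeamBDeveloper"),
    "playground@example.com": ("333333333333", "PlaygroundAdmin"),
}

SAML_PROVIDER = "GoogleApps"  # SAML provider name created in each account (assumed)


def role_attribute(account_id, role_name, provider=SAML_PROVIDER):
    """AWS expects each Role attribute value as '<role arn>,<provider arn>'."""
    return (f"arn:aws:iam::{account_id}:role/{role_name},"
            f"arn:aws:iam::{account_id}:saml-provider/{provider}")


def build_user_roles(group_members, group_to_role):
    """Iterate the groups and collect, per user, every role their groups grant.
    Groups without a mapping are skipped; a user in several groups gets a
    multi-valued attribute and chooses the role on the AWS sign-in page."""
    user_roles = defaultdict(list)
    for group, members in group_members.items():
        if group not in group_to_role:
            continue
        value = role_attribute(*group_to_role[group])
        for user in members:
            if value not in user_roles[user]:
                user_roles[user].append(value)
    return dict(user_roles)


def custom_schema_body(roles):
    """Request body for the Admin SDK users().patch() call that stores the
    multi-valued custom attribute (schema 'SSO', field 'IAM_Role') the
    federation guide maps into the SAML assertion."""
    return {"customSchemas": {"SSO": {"IAM_Role": [
        {"type": "work", "value": r} for r in roles]}}}
```

Run it against the real directory by replacing `GROUP_MEMBERS` with the output of the Admin SDK members listing for each group and sending each user's body with the users patch call.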