Skip to main content

One post tagged with "aws"

View All Tags

AWS resource hierarchy

ยท 3 min read

Overview#

Scenario:

  • A company size of 200 people seperated into 10 teams.
  • Administer can have the company-wide policy to limit AWS account.
  • Easy way to switch user to the other team.
  • Single login page for user to login
  • Each team wants its own access to its resources.
  • Also, different environment for specific purpose.
  • Sometimes, they need temporarily cooperation between teams.
  • For auditing, bills should be seperated by each team.

Solution:

Organization#

graph LR R[Organization root] --> C[Company OU] C[Company OU] --> A1[Team A production AWS account] C[Company OU] --> A2[Team A staging AWS account] C[Company OU] --> B1[Team B production AWS account] C[Company OU] --> B2[Team B staging AWS account] R[Organization root] --> P[playground AWS account]

Company OU will whitelist AWS resource and region. Playground account has no limitation on AWS resource. Periodically clean resource of playground account.

info

AWS Tag is another solution to have more detail bill within AWS account.

Terraform#

Create terraform IAM access key and attach AdministratorAccess policy as Terraform repo's credential.

graph LR; A[A AWS account] --> AT[A Terraform repo]; AT[A Terraform repo] --> A[A AWS account]; B[B AWS account] --> BT[B Terraform repo]; BT[B Terraform repo] --> B[B AWS account];

SSO#

caution

Recommended using SSO to manage AWS Accounts, otherwise you will have to manage your account from different place.

Google apps SSO#

warning

You have to have GSuite super administrator access.

Follow the How to Set Up Federated Single Sign-On to AWS Using Google Apps instruction

Then, you will find out it's one-to-one mapping between Google account and IAM role.

We want mapping of Google group and IAM role.

Refer repo https://github.com/1Strategy/sso-to-aws-using-gsuite

By using GSuite Admin API

Iterate the Google group, for each Google account, map to corresponding IAM role

AWS SSO#

https://aws.amazon.com/tw/single-sign-on/

graph LR; A[A AWS account admin group] --> AA[Administer role of A account]; A[A AWS account readonly group] --> AR[readonly role of account]; B[B AWS account admin group] --> BA[Administer role of A account]; B[B AWS account readonly group] --> BR[readonly role of account];

Assign user to group to have access to account.

Neat short-term credentials for command line interface