AWS Cross Account Access
[Part 01 — Part Accessing accounts within an AWS Organization]
AWS Cross Account Access is all about its ability to access resources of one AWS account from another AWS account.
This is possible using a feature called Role Switching. The Role Switching can happen between AWS Accounts within an AWS organization or between AWS organizations.
However, in this blog, we limit our discussion only between AWS accounts within a single AWS organization.
Lets discuss these steps in bit more detail now.
Before we dive into more details of AWS cross account access, lets discuss a little bit about AWS organizations and its hierarchy (See Figure 01).
AWS organizations helps you centrally govern your environment as you grow as your workloads on AWS. As explained, it helps you to manage multiple AWS accounts within a single business. Rather than managing many accounts with many isolated set of logins and individual bills, this allows you to have a more consolidated setup with a better performance.
In a typical AWS organization, you will find a account hierarchy, some logical units and a service policy to govern each of its account.
Master Account: When you create an AWS Organization under the ROOT account, you basically create the Master Account. Master Account cannot be restricted. The consolidated billing, centralized logging are happening here.
Member Account: These are basically AWS accounts which are created under the ROOT account, which is not a Master Account.
Organizational Unit: These are groups which you can create and assign AWS accounts to any of them. These are useful, when you want to assign certain Service Control Policies (SCPs) to all the attached account under the OU.
Service Control Policies (SCPs): These are a type of an organizational policy that you can use to manage permissions in your organization. SCP by default, offer central control over the maximum available permissions for all accounts in your organization. Once a Member Account is created, a default IAM Role is created named as OrganizationAccountAccessRole. By default, this role has the full Admin Access privileges (FullAdminAccess).
In this blog, switching account will be explained in two scenarios.
- Scenario 01 — Switching to a Member Account from the Master Account within the same AWS organization with Full Admin Access using OrganizationAccountAccessRole
- Scenario 02 — Switching to a Member Account from the Master Account IAM user within the same AWS organization with a customized IAM Role.
Scenario 01 — Switching with Full Admin Access IAM Role
As explained, by default you can switch to a member account from the master account with Full Admin Access. Here, you need to use a static Role Name called OrganizationAccountAccessRole (See Figure 02).
Step 1 — Create an AWS organization (if your AWS account does not have it already). This step will create the Master Account for your AWS account.
Step 2 — Create a Member AWS account within your AWS organization.
Step 3 — Sign in to AWS Console as an admin user (you cannot do Role switching with a ROOT account) and do a role switch to the member account you created in step 2.
If all okay, you will be switched to the Member Account shown in Figure 04. The member account id you can find on the AWS organization dashboard. If you browse through the member account you can see you have been granted admin access privileges. If you want to give less privileges, you may adjust Service Control Policy for that member account and see.
Scenario 02 — Switching with less privileges
Step 1 — Sign in as the Admin user and create a IAM user (e.g. demo1).
Step 2 — Create an IAM Group with following policies attached to it.
- AWS Managed Policy — Add ReadOnlyAccess
- In-line Policy — (Service: STS, Actions: AssumeRole, Resources: *)
Click “In-line Policy” and use the Policy Editor to add STS Assume Role.
Once both polices added you may see the following screen (See Figure 07).
Click Show Policy under Inline Policy and you would see this in JSON format (See Figure 08).
Step 3 — Attach the above created group to the user demo1, which was created in step 1.
Step 5 — Do a Admin Role switch to DEMO Member Account now in order to create an IAM Role.
Step 6 — Go to IAM -> Roles -> Create Role ->Select Another AWS Account tab -> Enter the Account ID of the Master Account (From AWS Account that you are doing the Role Switching) (See Figure 09).
Step 7 — Add permissions by clicking the Next Permissions button and add ReadOnlyAccess permission (See Figure 10).
Step 8 — Enter a valid Role name (MemberReadOnlyAccess) and create the IAM Role (See Figure 11).
Step 9 — From the IAM Roles dashboard, select the newly created IAM Role under step 8.
Step 10 — Click Trust Relationship tab -> Click Edit Trust Relationship tab. You will see a JSON policy like below (See Figure 12).
Step 11 — In order to restrict this Trust Relationship only to demo1 IAM User, you need to change the AWS principle of the above JSON Trust policy. After changing the IAM user ARN, it would be visualized like below (See Figure 13).
Step 12 — If you had managed to complete all above steps without any issues, then you are set to experiment a bit further now.
Step 13 — Use Switch Role feature and now try and switch back to the IAM member account (DEMO). Use the Member Account ID and the Role (MemberReadOnlyAcces) as the one that you created under step 8 (See Figure 14).
Step 14 — If all okay, you should see the new Member Account AWS console with a ReadOnlyAccess.
Role switching among AWS account is a very strong feature provided by AWS in order to govern multiple AWS account within an organization. It is matter of creating an IAM Role with a Trust relationship with an IAM user (with a policy with an STS Assume Role) in another AWS account.
- How to use Service Control Policies: https://aws.amazon.com/blogs/security/how-to-use-service-control-policies-in-aws-organizations/