Set up IAM Identity Center + Granted
Using multiple AWS accounts is a best practice that can help you isolate and manage business applications and data.
If you have looked at the AWS Well-Architected Framework, you might have seen that having multiple accounts for an organisation can help achieve operational excellence, security, reliability, and even cost optimisation.
At fourTheorem, we have helped dozens of organisations to set up their AWS accounts properly, regardless of their level of cloud maturity. We truly believe this is such a fundamental best practice that it should be considered even by organisations that are very new to the cloud and have just opened their first AWS account.
Starting with a good multi-account foundation is something that will enforce many best practices from day 0, for example not having long-lived credentials on developers’ machines. And the benefits just get greater as the company grows and the level of cloud adoption increases. It’s a practice that scales well from 1 developer to thousands of developers!
In the first article (this one) we will learn how to use IAM Identity Center and AWS Organizations to create your account structure and define users, groups, and permissions. We will also see how to install and configure granted, a CLI tool that allows you to easily assume a role to interact programmatically with a given account and avoid long-lived IAM credentials.
The advantages of having multiple AWS accounts
Isolation of resources
Each AWS account operates in isolation, providing a clear boundary for resources…
Environment segregation
Distinct AWS accounts can be used to segregate environments for specific workloads…
Short-lived developer credentials
When you set up IAM Identity Center and AWS Organizations, you can easily allow developers to get temporary programmatic credentials for a specific account…
Note: aws-vault allows you to securely store persistent credentials.
Cost Management
By separating resources into different accounts, it becomes easier to track and manage costs…
Prerequisites
Before getting our hands dirty with IAM Identity Center and AWS Organizations…
Step 1. Enable IAM Identity Center
Log into the management account and go to IAM Identity Center (formerly AWS SSO).

Enable IAM Identity Center → “Enable with AWS Organizations”.
Step 2 (optional). Customise your AWS access portal URL
One of the things that we can do here is to customise the AWS access portal URL.

It looks like this:
https://<some_custom_name>.awsapps.com/start
By default, AWS pre-assigns a random name…
Step 3. Create and Organise your accounts
Now it’s time to start creating new accounts and organising them…

Switch to AWS Organizations to create accounts:

Example account email aliases:
loigetemp+aws-sandbox@gmail.com
loigetemp+aws-production@gmail.com
loigetemp+aws-development@gmail.com
Step 4. Specify your identity source
AWS allows you to integrate Google Workspace, AD, Okta, etc…
Step 5. Create Groups & Users

Create a group called “Admin”. Then create a user and assign it to the group.
Step 6. Create Permission Sets
Create permission sets such as AdministratorAccess and ReadOnlyAccess.
CLI access with granted
Install granted and log in:
granted sso login --sso-region eu-west-1 --sso-start-url https://loigetemp.awsapps.com/start
granted sso populate --sso-region eu-west-1 https://loigetemp.awsapps.com/start
granted sso populate --prefix loigetemp_ --sso-region eu-west-1 https://loigetemp.awsapps.com/start
assume Experiments/AdministratorAccess
aws sts get-caller-identity
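Since the point of `granted sso populate` is that every profile on a developer’s machine ends up as an SSO profile rather than a static key pair, here is an added Python check (not part of the original article or of granted) that classifies the profiles in ~/.aws/config and ~/.aws/credentials and lists the ones still backed by long-lived access keys. The sample files, the 111111111111 account id and the legacy-prod profile are constructed for the example.

```python
import configparser
from typing import Dict, List
# Constructed sample of what `granted sso populate --prefix loigetemp_` writes to
# ~/.aws/config (the account id is a placeholder, not a real account).
SAMPLE_CONFIG = """
[profile loigetemp_Experiments/AdministratorAccess]
sso_start_url = https://loigetemp.awsapps.com/start
sso_region = eu-west-1
sso_account_id = 111111111111
sso_role_name = AdministratorAccess

[profile legacy-prod]
region = eu-west-1
"""
# Constructed sample ~/.aws/credentials holding one static key pair; the values are
# the placeholder key and secret from the AWS documentation, not real credentials.
SAMPLE_CREDENTIALS = """
[legacy-prod]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

def classify_profiles(config_text: str, credentials_text: str) -> Dict[str, str]:
    """Map each profile name to 'sso' (Identity Center), 'static' (long-lived key) or 'unknown'."""
    config = configparser.ConfigParser(interpolation=None)
    config.read_string(config_text)
    creds = configparser.ConfigParser(interpolation=None)
    creds.read_string(credentials_text)
    kinds: Dict[str, str] = {}
    for section in config.sections():
        # ~/.aws/config names profiles "profile <name>", except "default".
        name = section[len("profile "):] if section.startswith("profile ") else section
        if "sso_start_url" in config[section] or "sso_session" in config[section]:
            kinds[name] = "sso"
        elif "aws_access_key_id" in config[section]:
            kinds[name] = "static"
        else:
            kinds[name] = "unknown"
    # A static key in ~/.aws/credentials makes the profile long-lived regardless.
    for section in creds.sections():
        if "aws_access_key_id" in creds[section]:
            kinds[section] = "static"
    return kinds


def long_lived_profiles(config_text: str, credentials_text: str) -> List[str]:
    """Names of the profiles that still rely on long-lived IAM access keys."""
    kinds = classify_profiles(config_text, credentials_text)
    return sorted(name for name, kind in kinds.items() if kind == "static")
```

Run it against the real files (read with `open` and passed as text) to confirm that, once granted has populated your config, nothing on the machine is left pointing at an IAM access key.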
Other tools that give CLI access
Alternative tools:
- aws-sso-util
- Leapp
- Cloud Glance
It’s a wrap!
This brings us to the end of this article…
Part 2 – Managing Accounts Using IaC with Orgformation