Benefits of AWS IAM based authentication for workloads extended over multiple AWS accounts

Problem

A common problem for large enterprises with a large number of AWS IAM users is managing workloads across multiple AWS accounts while keeping authentication secure. Let’s say you have one hundred employees with IAM user accounts working in one AWS account; let’s call it Account A. Now you want the same employees to work in another AWS account, Account B, as well. A simple approach would be to create IAM user accounts for each employee in Account B too. This approach is clearly time consuming, since it duplicates work and makes user management difficult. If you have more than a hundred users, the situation gets worse.

Solution

AWS solves this by letting you keep all of your users in one account (Account A in our example) and give those same users IAM role-based access to resources and services in the other account (Account B). To implement this, you configure a trust relationship between the two accounts: users in the first account access the services of the second account by assuming an IAM role that has been created in the second account.

Example

Let’s say we want to give an IAM user in the first account (Account A) full access to the S3 service in a second account (Account B).

Make the following settings in Account B, the trusting account:

From the IAM console, create a new role with the following characteristics:

a. Trusted Entity: Another AWS Account. Enter Account ID of Account B.

b. Permissions: S3FullAccess (AWS managed policy)

c. An appropriate role name

Now, in Account A, the trusted account, make the following settings:

1. Create a new IAM group. To set its permissions, create a new inline policy and paste the following policy document into the “Custom Policy” option:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"
  }
}

Note: Replace ACCOUNT_ID with the Account ID of Account B. Replace ROLE_NAME with the name of the role you created in Account B.

2. Add as many users to this group as you want.
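As an added example (not the article’s own code), here are the two halves of the trust relationship as Python that builds both policy documents and checks that they point at each other: the trust policy attached to the role in Account B names Account A, the account that holds the users, as its Principal, and the group policy in Account A names that role’s ARN. The account IDs, the role name and the function names are constructed placeholders.

```python
import json

# Constructed placeholder values; substitute your own account IDs and role name.
ACCOUNT_A = "111111111111"   # trusted account: holds the IAM users and the group
ACCOUNT_B = "222222222222"   # trusting account: holds the role and the S3 resources
ROLE_NAME = "S3FullAccessFromAccountA"

def trust_policy(trusted_account_id):
    """Trust policy of the role in Account B. The Principal is the account whose
    users may assume the role; sts:AssumeRole is the only action it grants."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
        "Action": "sts:AssumeRole"}]}

def assume_role_policy(trusting_account_id, role_name):
    """Inline policy for the IAM group in Account A (the article's policy)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": f"arn:aws:iam::{trusting_account_id}:role/{role_name}"}]}

def account_of(principal):
    """Account ID of an IAM principal, given as an ARN or a bare 12-digit ID."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal

def trust_is_mutual(group_policy, role_trust, group_account, role_account, role_name):
    """True only if the two halves point at each other: the group policy targets
    exactly the role in Account B, and every Allow principal in the role's trust
    policy is Account A. Wildcards and other accounts are rejected."""
    targets = {s["Resource"] for s in group_policy["Statement"]
               if s["Effect"] == "Allow" and s["Action"] == "sts:AssumeRole"}
    if targets != {f"arn:aws:iam::{role_account}:role/{role_name}"}:
        return False
    principals = set()
    for s in role_trust["Statement"]:
        if s["Effect"] != "Allow" or s["Action"] != "sts:AssumeRole":
            continue
        p = s["Principal"]
        p = p.get("AWS", "*") if isinstance(p, dict) else p   # non-AWS principals fail
        principals.update(p if isinstance(p, list) else [p])
    return bool(principals) and all(
        p != "*" and account_of(p) == group_account for p in principals)

def render(policy):
    """JSON text as pasted into the console's custom policy editor."""
    return json.dumps(policy, indent=2)
```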

Conclusion

Log in as any one of the users added to this group and you should see the “Switch Role” option in the drop-down menu in the upper-right portion of the console. On selecting Switch Role, the user is taken to Account B, where they have full access to S3.


Muhammad Ali
Bluestack IT Solutions
