Identity and Access Management (IAM) Layer

Summary

Using this official AWS resource as a reference, we have defined a security account structure for managing multiple accounts.

User Management Definitions

  • IAM users will be created and centralized strictly in the Security account (IAM users in member accounts may be created only as an exception, for specific tools that still don't support IAM roles for cross-account authentication).
  • All access to resources within the Client organization will be assigned via policy documents attached to IAM roles or groups.
  • All IAM roles and groups will have the least privileges required to properly work.
  • AWS managed and customer managed IAM policies will be used; inline policies will be avoided whenever possible.
  • All user management will be maintained as code and will reside in the DevOps repository.
  • All users will have MFA enabled whenever possible (VPN and AWS Web Console).
  • Root user credentials will be rotated and secured. MFA for root will be enabled.
  • IAM Access Keys for root will be disabled.
  • IAM root access will be monitored via CloudWatch Alerts.
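The definitions above (IAM users centralized in the Security account, access through cross-account IAM roles carrying least-privilege managed policies, MFA, and root usage monitored via CloudWatch) expressed as Terraform, as an added example that is not part of this documentation's own code; the account ID, the CloudTrail log group name and the SNS topic ARN are placeholders.

```hcl
# Member-account role assumable only from the Security account (placeholder ID 111111111111), and only with MFA.
data "aws_iam_policy_document" "auditor_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::111111111111:root"]
    }
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}

resource "aws_iam_role" "auditor" {
  name               = "Auditor"
  assume_role_policy = data.aws_iam_policy_document.auditor_trust.json
}

# Least privilege through an AWS managed policy instead of an inline policy.
resource "aws_iam_role_policy_attachment" "auditor_audit" {
  role       = aws_iam_role.auditor.name
  policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}

# Root usage monitoring: count CloudTrail events issued by the root identity and alarm on the first one.
resource "aws_cloudwatch_log_metric_filter" "root_usage" {
  name           = "RootAccountUsage"
  log_group_name = "cloudtrail-logs" # placeholder: the CloudTrail log group
  pattern        = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"
  metric_transformation {
    name      = "RootAccountUsageCount"
    namespace = "Security"
    value     = "1"
  }
}
resource "aws_cloudwatch_metric_alarm" "root_usage" {
  alarm_name          = "RootAccountUsage"
  namespace           = "Security"
  metric_name         = "RootAccountUsageCount"
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  alarm_actions       = ["arn:aws:sns:us-east-1:111111111111:security-alerts"] # placeholder SNS topic
}
```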

Why multi account IAM strategy?

Creating a security relationship between accounts makes it even easier for companies to assess the security of AWS-based deployments, centralize security monitoring and management, manage identity and access, and provide audit and compliance monitoring services.

Figure: AWS Organization Security account structure for managing multiple accounts (just as reference). (Source: Yoriyasu Yano, "How to Build an End to End Production-Grade Architecture on AWS Part 2", Gruntwork.io Blog, accessed November 18th 2020).

IAM Groups & Roles definition

AWS Org member accounts IAM groups:

Account Name        | Admin | Auditor | DevOps | DeployMaster
--------------------|-------|---------|--------|-------------
project-management  |   x   |         |        |
project-security    |   x   |    x    |   x    |      x

AWS Org member accounts IAM roles:

Account Name        | Admin | Auditor | DevOps | DeployMaster | OrganizationAccountAccessRole
--------------------|-------|---------|--------|--------------|------------------------------
project-management  |   x   |         |        |              |
project-security    |   x   |    x    |   x    |      x       |
project-shared      |   x   |    x    |   x    |      x       |              x
project-legacy      |   x   |    x    |        |              |              x
project-apps-devstg |   x   |    x    |   x    |      x       |              x
project-apps-prd    |   x   |    x    |   x    |      x       |              x