Identity and Access Management (IAM) Layer
Taking this official AWS resource as a reference, we have defined a security account structure for managing multiple accounts.
User Management Definitions
- IAM users will be created strictly and centrally in the Security account (IAM users in member accounts may be created only as an exception, for specific tools that still do not support IAM roles for cross-account authentication).
- All access to resources within the Client organization will be granted via policy documents attached to IAM roles or groups.
- All IAM roles and groups will have only the least privileges required to do their job.
- AWS managed and customer managed IAM policies will be used; inline policies will be avoided whenever possible.
- All user management will be maintained as code and will reside in the DevOps repository.
- All users will have MFA enabled whenever possible (VPN and AWS Management Console).
- Root user credentials will be rotated and secured. MFA for root will be enabled.
- IAM access keys for root will be disabled.
- IAM root access will be monitored via CloudWatch alarms.
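The following Terraform is an added example, not code from the original page or from the project it describes. It expresses the definitions above as code: IAM users and groups only in the Security account, roles only in the member account, MFA enforced both on the group policy that grants `sts:AssumeRole` and on the role's trust policy, and root usage alarmed from CloudTrail. The account IDs, the `DevOps` group/role names, the CloudTrail log group and the SNS topic are assumptions, and the provider aliases `aws.security` and `aws.member` are assumed to be configured elsewhere with credentials for the respective accounts.

```hcl
# Added example (not the page's own code). Account IDs, names, log group and
# SNS topic are placeholders; provider aliases are assumed to exist.

locals {
  security_account_id = "111111111111" # assumed Security account
  member_account_id   = "222222222222" # assumed member account
}

# Security account: the only place IAM users and groups live.
resource "aws_iam_group" "devops" {
  provider = aws.security
  name     = "DevOps"
}

# Customer managed policy (never inline): members may assume exactly one role
# in the member account, and only from a session that passed MFA.
data "aws_iam_policy_document" "assume_devops" {
  provider = aws.security
  statement {
    actions   = ["sts:AssumeRole"]
    resources = ["arn:aws:iam::${local.member_account_id}:role/DevOps"]
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}

resource "aws_iam_policy" "assume_devops" {
  provider = aws.security
  name     = "AssumeDevOpsRole"
  policy   = data.aws_iam_policy_document.assume_devops.json
}

resource "aws_iam_group_policy_attachment" "devops" {
  provider   = aws.security
  group      = aws_iam_group.devops.name
  policy_arn = aws_iam_policy.assume_devops.arn
}

# Member account: no users, only a role trusted from the Security account. The
# MFA condition is repeated here so a too-permissive group policy cannot bypass it.
data "aws_iam_policy_document" "devops_trust" {
  provider = aws.member
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.security_account_id}:root"]
    }
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}

resource "aws_iam_role" "devops" {
  provider           = aws.member
  name               = "DevOps"
  assume_role_policy = data.aws_iam_policy_document.devops_trust.json
}

# Root usage: CloudTrail -> CloudWatch Logs metric filter -> alarm on the first event.
resource "aws_cloudwatch_log_metric_filter" "root_usage" {
  provider       = aws.security
  name           = "RootAccountUsage"
  log_group_name = "CloudTrail/DefaultLogGroup" # assumed CloudTrail log group
  pattern        = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"

  metric_transformation {
    name      = "RootAccountUsageCount"
    namespace = "CloudTrailMetrics"
    value     = "1"
  }
}

resource "aws_cloudwatch_metric_alarm" "root_usage" {
  provider            = aws.security
  alarm_name          = "RootAccountUsage"
  namespace           = "CloudTrailMetrics"
  metric_name         = "RootAccountUsageCount"
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  alarm_actions       = ["arn:aws:sns:us-east-1:${local.security_account_id}:security-alerts"] # assumed SNS topic
}
```

Two points worth checking when adapting this. First, `aws:MultiFactorAuthPresent` is simply absent (not `false`) for sessions that never performed MFA, including long-term access keys used by scripts; the `Bool` test then evaluates to false and the `Allow` does not apply, which is why tools that cannot do MFA or role assumption need the exception mentioned in the first definition. Second, trusting the Security account's `:root` ARN delegates the decision of who may assume the role to that account's IAM policies, so the group policy (and nothing else) is what scopes each group to its set of member-account roles; the role's own permissions are then attached with `aws_iam_role_policy_attachment` using a customer managed, least-privilege policy rather than an inline one.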
Why a multi-account IAM strategy?
Creating a security relationship between accounts makes it even easier for companies to assess the security of AWS-based deployments, centralize security monitoring and management, manage identity and access, and provide audit and compliance monitoring services.
IAM Groups & Roles definition
AWS Org member accounts IAM groups:

| Account Name | AWS Org Member Accounts IAM Groups |
|---|---|

AWS Org member accounts IAM roles:

| Account Name | AWS Org Member Accounts IAM Roles |
|---|---|