When I started with AWS, at the beginning I couldn’t understand what it was like with these users and accounts. Such a simple thing as managing accounts and users in AWS was really complicated.
At AWS, we can create and manage various accounts in several ways. Of course, we shouldn’t be managing the portal with the root account. Another bad idea is linking your private accounts to an organization.
AWS Organizations Accounts
As we are already at the organization, by adding an account at this level, we can achieve full isolation between environments / projects. By creating accounts at this level, these will not be user accounts, but accounts in which we can have a fully isolated environment / project. We can treat one account as a production environment, another as a test or development environment, etc. If we have projects in the company that should be isolated from each other, this is a good place to create a separate account for each of such projects.
When we have a lot of accounts in the organization, we can create an organization structure. In the example below we have 3 ‘organization units‘ test, dev and prod to which we can add the accounts we created. This will allow for easier management of our environments. Each organizational unit can have rules assigned by us that will be inherited. This means that if we have, for example, specific rules for the test environments, we do not have to assign them one by one to each environment. You only need to do it once in an organizational unit and all accounts will receive them automatically.
Okay, you ask, but what about these user accounts and their management on AWS? Well, user accounts are added in other place. Or rather, in other places 🙂
Identity and Access Management (IAM)
Identity and Access Management (IAM) is one of the places where you can add user accounts. In the documentation, I found information to set up accounts for users through the IAM and manage them there. Let’s say it’s a sure path, but it’s not very good and simple. It works fine if we only have one environment and keep everything in one place.
If we have more environments (accounts added at the organization level), then the outputs are 2. In each environment, we create users from the beginning through the IAM, or in one environment we create users and in others we create roles for them.
AWS even has a special “Switch Roles” feature that allows you to quickly switch between environments / projects.
To be more specific, we create IAM users in one environment, and only create roles in others. The role contains the rights that the user has in the specific environment. If users have different permissions, we have to create different roles. When we have created roles, after clicking on the switch role we enter the id of the account to which we want to switch and the name of the role that we have created on the selected account. For clarity, we can choose different colors for different environments.
Isn’t it that simple? Well, it is not too simple, and also a bit annoying. Therefore, there is another second and better way to manage users.
AWS Single Sign-On (SSO)
AWS Single Sign-On (SSO) is the second, better way. Here you can easily add users and groups and have the ability to manage them at the level of the entire organization. We can assign users or groups permissions in specific environments (organization accounts). Users are not in a specific account, but at the organization level. When adding a new user, we also have more options to choose from.
When we create our users, they no longer log in through the panel that was used to log in so far. Now users log in through the user portal, the address of which can be easily personalized.
The login portal itself looks a little different:
Of course, instead of creating users, we can use those that exist, for example in our local Active Directory, but not only. The combination of the cloud and the local environment brings many benefits and, unfortunately, many threats, but that is a topic for a separate article. I am glad that you read to the end 🙂
More information on AWS Single Sign-On can be found in the AWS documentation at https://docs.aws.amazon.com/singlesignon/index.html
If you liked the article “Managing users, accounts on AWS – the better way“, it would be nice if you leave a comment.
You can find more articles on AWS in the AWS category.