Implementing Identity Account Architecture within AWS

Tags: all, aws, aws iam, aws security | Jan 01, 2024

Introduction

In the dynamic landscape of cloud computing, organizations often leverage multiple AWS accounts to efficiently manage distinct operational environments such as development, testing, and production. Managing user access across these accounts, each with unique roles and permissions, can be a challenging task. This blog post explores the Identity Account Architecture, a strategy employed to simplify user access management across multiple AWS accounts.

Understanding Identity Account Architecture

Two primary strategies are commonly used to streamline user access management across multiple AWS accounts: Single Sign-On (SSO) and Identity Account Architecture. This post focuses on the latter, where users log into a central or identity account and use the AWS Switch Role feature to access resources across various accounts, each assigned specific roles and permissions.

Implementation of Switch Role Feature

To enable the Identity Account Architecture, the AWS Switch Role feature is a crucial component. This feature allows users to switch roles from a source account to a destination account. The process involves setting up roles in the destination account with trust policies that permit the source account to assume these roles.

Key Steps in Implementing Switch Role

  1. Source Account Setup (Administrators):

    • Administrators in the source account do not need to create or attach any policy, because their administrative permissions already include sts:AssumeRole.
    • If you are an administrator, skip the source-account setup section.
  2. AWS Organizations Integration:

    • When a member account is created through AWS Organizations, AWS automatically creates a full-access role in that member account with a trust policy that allows the management account to assume it.
    • Administrators switching roles from the management account into member accounts therefore do not need to set up roles manually.
  3. Prerequisites:

    • Knowledge of AWS Organizations and IAM Identity Center.
    • Two AWS accounts - one as the source and the other as the destination.
    • Administrative user in both source and destination accounts.
    • A user without any previous permissions in the destination account for validation.
  4. IAM Identity Center:

    • Recommended by AWS for user management, eliminating the need to create IAM users in both source and destination accounts.
  5. Technical Requirements:

    • S3 bucket with default options.
    • AWS CLI profiles set up for administrative and non-administrative users in both source and destination accounts.
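The two policy documents that the switch role setup above depends on (the trust policy in the destination account and the sts:AssumeRole policy for non-administrator users in the source account), together with the CLI profile that performs the switch, as an added example that is not code from the original post. Account IDs, the role name and the profile names are constructed placeholders; the S3 read-only managed policy stands in for whatever permissions the destination role should carry.

```shell
#!/bin/sh
# Added example: policy documents for cross-account switch role.
# All IDs and names are placeholders, not values from the post.
SOURCE_ACCOUNT_ID="111111111111"   # identity (source) account
DEST_ACCOUNT_ID="222222222222"     # destination account
DEST_ROLE_NAME="S3ReadOnlyFromIdentity"

# Trust policy for the role in the DESTINATION account: names the source
# account as principal and requires MFA on the assuming session.
trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::${SOURCE_ACCOUNT_ID}:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
  }]
}
EOF
}

# Identity-based policy for non-admin users in the SOURCE account: only this
# one destination role may be assumed (admins already hold sts:AssumeRole).
assume_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::${DEST_ACCOUNT_ID}:role/${DEST_ROLE_NAME}"
  }]
}
EOF
}

# ~/.aws/config stanza that makes the CLI switch role automatically.
cli_profile() {
  cat <<EOF
[profile dest-s3]
role_arn = arn:aws:iam::${DEST_ACCOUNT_ID}:role/${DEST_ROLE_NAME}
source_profile = identity-user
mfa_serial = arn:aws:iam::${SOURCE_ACCOUNT_ID}:mfa/identity-user
EOF
}

# Apply with the AWS CLI (run manually; first two in the destination account,
# the last from the source account to validate the switch). Not executed here.
apply_with_cli() {
  trust_policy > trust.json
  aws iam create-role --role-name "$DEST_ROLE_NAME" --assume-role-policy-document file://trust.json
  aws iam attach-role-policy --role-name "$DEST_ROLE_NAME" --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
  aws s3 ls --profile dest-s3
}
```

A user with no permissions of their own in the destination account should be able to list the bucket through `dest-s3` and get AccessDenied when using their source profile directly, which is the validation the prerequisites call for.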

Conclusion

Implementing Identity Account Architecture with the AWS Switch Role feature provides a streamlined approach to managing user access across multiple AWS accounts. While IAM Identity Center is recommended for user management, the switch role feature can still be used alongside it.
