Search code examples
amazon-web-servicesuser-accounts

AWS Organization accounts manangement

Let's assume in current AWS organization we have 2 developers accounts. From what I found it is a good practice to create a separate AWS account per environment and give access to these resources.

My question is:

What is the best way to share access to the resources (e.g. EC2, EKS, EFS) for multiple developers? Now I see only these two options:

  • Create a separate AWS account for each developer and allow to access some resources by applying roles to that developers AWS accounts.
  • Within a root account of each AWS environment create a IAM user account for each developer and from that point manage permissions by policies and user groups.

Please let me know. I appreciate any type of help! :)

Solution

  • You should setup AWS SSO. Either integrated with your existing identity provider, or using the built in user system.

    https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html

    This will allow you to create permission sets. Then, you can assign permission sets to users in particular accounts. This will create a role in the account which the users can assume