Search code examples
amazon-web-servicesamazon-iamaws-organizationsaws-roles

What is the most efficient way to give read-only access on all accounts in an AWS organization?

I'm new to AWS. Have some experience in Azure, but the organization/user account/permissions part is completely different to the tenant/managementgroup/subscription/azure AD way of thinking.

In a multi-account (e.g. accounts A,B & C) organization, what's the most efficient way to give users of account A read-only insight into accounts B and C? Creating a role for every account and adding the assume role policy for every user? Is there a way to give these users these rights on the top level to make sure that they also have read-only access if an account D and E are added in the future?

Solution

  • You'll want to look into IAM Roles and cross-account access. I know of 2 main way of doing so:

    Solution 1

    You can use AWS IAM Identity Center to setup read-only access for account A, B and C. For example, you could create users or group with with ReadOnlyAccess and configure these users to access all your accounts.

    You'd still have to configure your AWS accounts to integrate them within IAM Identity Center and allow your users access to these accounts, but most of the heavy-load of handling IAM Role cross-account access will be done by IAM Identity Center.

    Solution 2

    Another way would be to configure cross-account access using IAM Roles. in short you'd have to:

    • Create IAM users on account A
    • Create IAM Roles on account B, C, etc. with ReadOnlyAccess policy of equivalent.
    • Configure a trust policy on these IAM Roles to allow Account A users to impersonate them
      • Understanding this step is very important. I advise you reading this AWS blog article to grasp the idea.
    • Configure IAM Policies for IAM Users on account A to allow them to impersonate Roles on account B, C, etc.

    Notes:

    • Solution 1 is in fact using Solution 2 under the hood: Identity Center will create IAM Roles with proper config for you. With Solution 1 you won't have to handle the boiler-plate config of trust policy which may be easier, but Solution 2 will bring your more granular control other your policies (with added complexity)
    • I voluntarily didn't get into detail as to how each IAM resources must be configured as it really depends on your needs and your question remain quite broad. I advise you read the doc I linked to get a better idea and try out for yourself.
    • When you feel comfortable moving to a production grade or larger scale config, I strongly advise you to use Infrastructure as Code such as CloudFormation, Pulumi or Terraform.