Set up and orchestrate your AWS resources in a multi-account environment built with separate AWS accounts - one for each application stage (Development, Test, Staging and Production) or as per your requirements, in order to enforce a strong and secure separation between different types of AWS resources available in the environment. The access (cross-account access) to the entire multi-account environment is built around IAM roles, it follows AWS security best practices and is managed by a dedicated (central) AWS account, known as the Identity Account.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
The AWS multi-account setup recommended in this guide comes with multiple benefits such as clean separation between different types of AWS resources, centralized management and auditing for user accounts and their access permission, easier and securer authentication process that lets you switch accounts without being required to sign out and sign in for each account and fewer access credentials to create and manage.
Create AWS accounts for all your application stages (e.g. Development, Test, Staging and Production) and enable cross-account access using IAM roles. With roles you can prevent accidental changes to your AWS environment, especially when combined with auditing tools that can help ensure that your roles are only used when needed. Cloud Conformity recommends creating multiple AWS accounts to provide the highest level of resource and security isolation for your application(s).
Set up the AWS multi-account environment.
Create a dedicated AWS account to grant efficiently access to your AWS resources spread over multiple accounts. This central account, known as the Identity Account, will be responsible for creating, managing and tracking the IAM groups and users that will be used to provide access to the other accounts within your AWS environment.
Harden IAM user access credentials.
Enforce Multi-Factor Authentication (MFA) and a strong password policy for all the IAM users that access your environment resources through the Identity Account.Note: As example, this guide will use Google Authenticator as MFA device since is one of the most popular MFA virtual applications used by AWS customers. To explore other MFA devices (virtual and hardware) and their features visit http://aws.amazon.com/iam/details/mfa/.
AWS environment audit
Enable API logging for the entire AWS environment by activating AWS CloudTrail and AWS Config AWS at the global level and aggregate all the audit data recorded by these services into an S3 bucket within the Identity Account.
Switch roles and enable cross-account access.
Switching roles enables you to manage resources across AWS accounts using a single IAM user. To switch roles in order to access the AWS accounts created in Section I, sign in to your Identity Account using the appropriate IAM user and quickly access the accounts within your AWS environment using the Identity Menu:
- AWS Documentation
- AWS Multiple Account Security Strategy
- AWS Identity and Access Management FAQs
- IAM Best Practices
- Tutorial: Delegate Access Across AWS Accounts Using IAM Roles
- Creating a Role to Delegate Permissions to an IAM User
- Examples of Policies for Delegating Access
- Switching to a Role (AWS Management Console)
- AWS Policy Generator
- Permissions for the Amazon S3 Bucket
- Setting Bucket Policy for Multiple Accounts
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
You are auditing:
AWS Multi-Account Centralized Management
Risk level: High