Skip to content
This repository has been archived by the owner on Oct 31, 2019. It is now read-only.
/ devsecops-subaccount-admin Public archive

Provides roles and policies for sub-account administration

License

View license
1 star 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

GSA/devsecops-subaccount-admin

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits

images

images

 
 

.gitignore

.gitignore

 
 

LICENSE.md

LICENSE.md

 
 

README.md

README.md

 
 

aws_config.rb

aws_config.rb

 
 

subaccount_iam.tf.example

subaccount_iam.tf.example

 
 

Repository files navigation

Admin Roles and Profiles for Organization Sub-Accounts

Creating Sub-Accounts

When you create an organization sub-account from the Console or with the AWS Account Broker it automatically creates an IAM role called OrganizationAccountAccessRole. The Terraform code to create this is:

resource "aws_iam_role" "OrganizationAccountAccessRole" {
  name = "OrganizationAccountAccessRole"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "AWS": "arn:aws:iam::${var.mgmt_account}:root"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

This role has an inline AdministratorAccess policy:

resource "aws_iam_policy" "AdministratorAccess" {
  name        = "AdministratorAccess"

  policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}
EOF
}

Admin Role in Management Account

In the management account, you need an IAM policy to allow administrators to assume the OrganizationAccountAccessRole in the tenant accounts. The policy is defined by the following Terraform code:

resource "aws_iam_policy" "org-account-access" {
  name        = "org-account-access"

  policy = <<EOF
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Sid": "",
              "Effect": "Allow",
              "Action": [
                  "sts:AssumeRole"
              ],
              "Resource": [
                  "arn:aws:iam::*:role/OrganizationAccountAccessRole"
              ]
          }
      ]
  }
EOF
}

AWS Shared Credentials

In your ~/.aws/credentials file, you will need to put your access and secret keys for the management account:

[mgmt_account]
aws_access_key_id = XXXXXXXXXXXXXXXXXXXX
aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

In your ~/.aws/config file add the following for each sub account:

[profile subaccount]
output = json
region = us-east-1
role_arn = arn:aws:iam::111111111111:role/OrganizationAccountAccessRole
source_profile = mgmt_account

Note the subaccounts need to have unique names, I recommend using the account alias if set (aws iam list-account-aliases).

Ruby Script

The ruby script aws_config.rb will write to STDOUT the above config profile settings for each created account. (Requires aws-sdk v2)

export AWS_PROFILE=mgmt_account
ruby aws_config.rb >> ~/.aws/config

AWS Console

To switch to the sub-account role, you will need to click on the "Switch Role" item in the drop-down menu under your account name at the top of the AWS console.

Dropdown Menu

Enter the Account ID, the OrganizationAccountAccessRole and useful display name in the input boxes and click "Switch Role"

Switch Role

Once configured, these will be available in the drop-down menu in your "Role History"

About

Provides roles and policies for sub-account administration

Resources

Readme

License

View license
Activity
Custom properties

Stars

1 star

Watchers

12 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages