The AWS IAM service enables managers to define authorization levels for different user groups and securely control access to various AWS cloud resources. But when an organization uses multiple AWS accounts, each account has its own resource-level permissions, so by default one account cannot access another account's resources. AWS provides a cross-account access feature that enables control across multiple AWS accounts.
With the Identity and Access Management cross-account feature, administrators can grant permissions to the appropriate users in each account. Users can then read data where it lives, without replicating storage resources across multiple AWS accounts, and can access staging and production resources from a single console.
For example, an organization might have one AWS account for production and another for its staging environment. The IT team sets up the staging account to give IAM users the permissions their roles require. Admins grant developers, for example, permission to read and write objects in all Amazon Simple Storage Service (S3) buckets, but not to delete or create buckets or modify bucket attributes. Testers have read access, but they do not have write access, nor can they modify bucket attributes.
The production account, by contrast, has no IAM users or roles of its own, which helps protect sensitive data. The staging environment needs to access certain production objects, but the organization doesn't want staging account users to log into the production account. It's possible to continuously replicate production data to staging, but this increases cost and can weaken security. The cross-account access feature addresses this problem.
Cross-account access for multiple AWS accounts
Staging account users authenticate in their own account and are granted access to the production account so they can use production resources. Define the permissions for IAM users in the staging account so that they can access the production S3 bucket. IAM users in the staging account then use the IAM cross-account access feature to reach production resources; there's no need to create IAM roles in the production account.
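The following is an added example, not code from the article or from AWS: it models the setup described above with a resource-based policy on the production bucket that trusts the staging account, plus identity-based policies for the staging account's developer and tester groups, and checks the cross-account rule that both sides must allow a request. The account ID, bucket name and group names are constructed placeholders, and the evaluator is a deliberately simplified model of IAM policy evaluation.

```python
"""Cross-account S3 access without roles in the production account (constructed
example, not from the article). The production bucket policy trusts the staging
account; staging IAM group policies scope developers and testers. A cross-account
request succeeds only when BOTH policies allow it; this models that rule."""
from fnmatch import fnmatch

STAGING_ACCOUNT = "222222222222"                # placeholder account id
BUCKET_ARN = "arn:aws:s3:::prod-data-bucket"    # placeholder bucket name

# Production bucket policy: trusts the staging account for list/get/put only.
BUCKET_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{STAGING_ACCOUNT}:root"},
    "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
    "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
}]}

# Identity-based policies attached to IAM groups in the staging account.
STAGING_POLICIES = {
    "developers": {"Statement": [{"Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::*"}]},
    "testers": {"Statement": [{"Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": "arn:aws:s3:::*"}]},
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _policy_allows(policy, action, resource, account=None):
    """Explicit Deny wins, otherwise any matching Allow grants. If `account`
    is given, the statement's Principal must name that account."""
    verdict = False
    for stmt in policy["Statement"]:
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if account and f"arn:aws:iam::{account}:root" not in principals:
            continue
        if any(fnmatch(action, a) for a in _as_list(stmt["Action"])) and \
           any(fnmatch(resource, r) for r in _as_list(stmt["Resource"])):
            if stmt["Effect"] == "Deny":
                return False
            verdict = True
    return verdict

def cross_account_allowed(group, action, resource):
    """Can a staging-account principal in `group` perform `action`?"""
    return (_policy_allows(STAGING_POLICIES[group], action, resource)
            and _policy_allows(BUCKET_POLICY, action, resource, STAGING_ACCOUNT))
```

Because the bucket policy never grants bucket-level changes, a developer cannot modify the bucket even though the staging policy is broad, and a tester cannot write because the staging policy stops the request before the bucket policy is consulted.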