Gain control over multiple AWS accounts with IAM

The AWS IAM service enables managers to define authorization levels for different user groups and securely control...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

access to various AWS cloud resources. But when an organization uses multiple AWS accounts, each one has different resource-level permissions. Therefore, one account cannot access the other account's resources. AWS provides a cross-account access feature that enables control across multiple AWS accounts.

With the Identity and Access Management cross-account feature, administrators can grant permissions to appropriate users in each account. This enables users to draw data from its origin without replicating storage resources across multiple AWS accounts. Users then can access staging and production resources from a single console.

For example, an organization might have one AWS account for production and another for its staging environment. The IT team constructs the staging account to provide IAM users permissions, as required for their roles. Admins grant access to developers, for example, to read and write objects to all Amazon Simple Storage Service (S3) buckets, but they do not have permission to delete, create or modify attributes of the bucket itself. Testers have read access, but they do not have write access -- nor can they modify bucket attributes.

With the IAM cross-account feature, administrators can grant permissions to appropriate users in each account.

Therefore, the AWS production account doesn't have built-in IAM users or roles, which helps secure sensitive data. The staging environment needs to access certain objects, but the organization doesn't want staging account users to log into the production account. It's possible to continuously replicate production data to staging, but this increases cost and can weaken security. The cross-account access feature handles this problem.

Cross-account access for multiple AWS accounts

Authenticate staging account users to access the production account to allow them to use production resources. It's best to define permissions for IAM users in the staging environment so you can access the production S3 bucket. IAM users in the staging account then use the IAM cross-account access feature to use production resources; there's no need to create IAM roles in the production account.

Next Steps

Prepare for multiple AWS accounts in the architecture design phase

Differentiate use cases for IAM roles or users

Manage resource access with IAM permissions

Related Resources

A New Way to Look at AWS Security –AWS-Cisco
How Inovalon Uses Sophos to Control Security Costs on AWS –AWS - Sophos
Machine Learning on AWS –AWS
Software-Defined Networking on AWS –AWS - Aviatrix

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

Meet all of our AWS experts

View all AWS questions and answers

Cross-account access for multiple AWS accounts

Five AWS IAM best practices to bolster cloud security

Amazon GuardDuty

AWS Shield provides DDoS attack protection as threats mount

Use service-linked IAM roles to simplify user permissions

AWS security tools fill platform gaps

Extended duration for IAM roles appeases some, alarms others

AWS snaps up Sqrrl to strengthen threat detection, analytics

AWS security services get updates, but lack data protection

Five AWS IAM best practices to bolster cloud security

Amazon GuardDuty

Use service-linked IAM roles to simplify user permissions

AWS Artifact

AWS Shield provides DDoS attack protection as threats mount

Protect your serverless app with this mix of AWS tools

AWS security automation protects sensitive data, workloads

Restrict access to AWS region endpoints for cost savings, security

Build an AWS incident response plan in four key steps

Rotate AWS access keys to boost cloud security

AWS root account access is a treasure for attackers

AWS data security comes down to native and third-party tool choices

Test your AWS security tools knowledge

Follow this expert advice to improve security in AWS

AWS OpsWorks automates configuration security

Testing AWS cloud application security

Please create a username to comment.

Microsoft Azure Dev Spaces, Google Jib target Kubernetes woes

With progressive web applications, developers blur the lines

Web app development morphs as apps and websites merge

10 Git quiz questions to test your distributed version control skills

Meaning of inversion of control in Spring and Java: IoC explained

Ten Jenkins quiz questions to test your install and config IQ

Low-code platform leaders for business users push usability, AI

Improving testing architecture when moving to microservices

Siemens boosts low-code development play with Mendix buy

Legacy roots still hinder Oracle and IBM cloud strategies

Map application dependencies to prepare for cloud migration

Evaluate speech-to-text services from AWS, Microsoft and Google

Cross-account access for multiple AWS accounts

Next Steps

Related Resources

Dig Deeper on AWS security

Related Q&A from Ofir Nachmani

Have a question for an expert?

Join the conversation

1 comment

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.