from Hacker News

An AWS account just for getting into other AWS accounts

by templaedhel on 11/3/22, 12:32 AM with 103 comments

by flyinprogrammer on 11/3/22, 1:34 AM
https://aws.amazon.com/controltower/
If we all started using Control Tower perhaps they'd get funded enough to continue to build it out and make it awesome.
by scarface74 on 11/3/22, 2:08 AM
> If you wish to provide access via SSH…
Don’t do this. I can’t think of a single reason that anyone ever needs to SSH directly into a server on AWS in 2022.
Use System Manager Session Manager
https://docs.aws.amazon.com/systems-manager/latest/userguide...
Short explanation: it allows you to access a Linux instance via SSH using SSM as an IAM controlled proxy or use RDP for Windows.
You don’t need ingress access to your instance or even egress internet access if your security policies mandate it as long as you set up the correct service endpoints.
Also, just use Control Tower and federate it with your IDP - Active Directory, Okta, etc.
by tedk-42 on 11/3/22, 11:23 AM
These type of articles make me wanna quit doing anything in IT.
It's not a criticism of the author, more the current state of technology in AWS.
I'd really like to have just 1 AWS account where I can see and do everything there and not keep switching and think about account IDs or which account has what S3 bucket/server whatever.
by epberry on 11/3/22, 4:22 AM
Very nice write up. As a billing guy I especially liked the tip about using resource policies to enable cross-account access and save on KMS request costs.
There's one issue with companies using hundreds of AWS accounts if you're a vendor to them: integrating services. Some folks here may be interested in a technique called "CloudFormation StackSets" which can deploy bits of infrastructure to multiple AWS accounts in one command. Vantage uses this to setup our billing integration and we wrote up the method here, https://www.vantage.sh/blog/using-cloudformation-stacksets-t...
by throwawaaarrgh on 11/3/22, 4:37 AM
For an IdP it seems like Dex combined with an LDAP server would be the simplest and most flexible solution. For reliability, I'm curious about throwing together a really simple LDAP server that stores records in AWS S3. That way your IdP can be trivially replicated with as much reliability as you want and nearly no maintenance. (Dex's storage can be Etcd, but I would also look to implement S3 storage)
by medina on 11/3/22, 2:39 AM
Re-discovering Active Directory Enhanced Security Administrative Environment (ESAE) / Red Forest design, in cloud :-)
by albert_e on 11/3/22, 11:49 AM
> Don’t do this! Any principal in your management account, by default, is able to assume the OrganizationAccountAccessRole in each and every one of the accounts created using the organizations:CreateAccount API.
I should note that if you use AWS Control Tower Account Factory to create the member accounts then this role does not get created.
The "Audit" account that is created by Control Tower is probably the best one to serve as the Administrative Access Account
by ManuelKiessling on 11/3/22, 8:08 AM
Very similar, but with visualizations of how things integrate with each other, and concrete code examples: https://manuel.kiessling.net/2020/12/29/single-sign-on-and-r...
by benatkin on 11/3/22, 2:10 AM
What's this like on Google Cloud? Would you create a project to get into other projects and would that achieve most of what this achieves? And would you use a GSuite address so you don't log into the console just by logging into the email?
by diceduckmonk on 11/3/22, 4:29 AM
What tool do people here use to search across AWS accounts?
Disclaimer: we are building a search engine to search for resources across “workspaces”. In AWS, this unit is the Account. In GCP, this unit is the Project.
by pkrumins on 11/3/22, 2:21 AM
I have 1 AWS account for everything and th
by gh0stcloud on 11/3/22, 11:49 AM
the fact that this is probably good practice just shows how ridiculously confusing AWS is