AWS Cross Account Access

1

AWS Cross Account Access is all about ability to access resources of one AWS account from another AWS account.

This is possible using a feature called Role Switching. A Role Switching can happen between AWS Accounts within an AWS organization or between AWS organizations.

In this article we are going to discuss switching roles between AWS accounts within a single AWS organization.

AWS Organizations

Before we go into more details of AWS cross account access, lets go in to some detail about AWS  organizations and its hierarchy.

AWS organizations helps you centrally govern your environment as you grow your workloads on AWS. As explained, it helps you to manage multiple AWS accounts within a single business. Rather than managing many accounts with many isolated set of logins and individual bills, it allows you to have a more consolidated setup with better performance. 

In a typical AWS organization, you will find a account hierarchy, some logical units and a service policy to govern each of its account. 

Master Account:
When you create an AWS Organization under the ROOT account, you basically create the Master Account. Master Account cannot be restricted. The consolidated billing, centralized logging are happening here.

Member Account:
These are AWS accounts which are created under the ROOT account, which is not a Master Account.

Organizational Unit: These are groups which you can create and assign AWS accounts to any of them. These are useful, when you want to assign certain Service Control Policies (SCPs) to all the attached account under the OU.

Service Control Policies (SCPs):
These are a type of an organizational policy that you can use to manage permissions in your organization. SCP by default, offer central control over the maximum available permissions for all accounts in your organization. Once a Member Account is created, a default IAM Role is created named as OrganizationAccountAccessRole. By default, this role has the full Admin Access privileges (FullAdminAccess).

In this article, switching account will be explained in two scenarios.

Scenario 01—
Switching to a Member Account from the Master Account within the same AWS organization with Full Admin Access using OrganizationAccountAccessRole

Scenario 02—
Switching to a Member Account from the Master Account IAM user within the same AWS organization with a customized IAM Role.

Scenario 01 —
Switching with Full Admin Access IAM Role
As explained, by default you can switch to a member account from the master account with Full Admin Access. Here, you need to use a static Role Name called OrganizationAccountAccessRole

Step 1 — Create an AWS organization (if your AWS account does not have it already). This step will create the Master Account for your AWS account.
Step 2 — Create a Member AWS account within your AWS organization.

Step 3 — Sign in to AWS Console as an admin user (you cannot do Role switching with a ROOT account) and do a role switch to the member account you created in step 2.

If all okay, you will be switched to the Member Account . The member account id you can find on the AWS organization dashboard. If you browse through the member account you can see you have been granted admin access privileges. If you want to give less privileges, you may adjust Service Control Policy for that member account and see.

Scenario 02 — Switching with less privileges

Step 1 — Sign in as the Admin user and create a IAM user (e.g. demo1).

Step 2 — Create an IAM Group with following policies attached to it.

AWS Managed Policy — Add ReadOnlyAccess

In-line Policy — (Service: STS, Actions: AssumeRole, Resources: *)

Click “In-line Policy” and use the Policy Editor to add STS Assume Role.

Once both polices added you may see the following screen  

Click Show Policy under Inline Policy and you would see this in JSON format 

Step 3 — Attach the above created group to the user demo1, which was created in step 1.

Step 4 — Do a Admin Role switch to DEMO Member Account now in order to create an IAM Role.

Step 5 — Go to IAM -> Roles -> Create Role ->Select Another AWS Account tab -> Enter the Account ID of the Master Account (From AWS Account that you are doing the Role Switching) .

Step 7 — Add permissions by clicking the Next Permissions button and add ReadOnlyAccess permission 

Step 8 — Enter a valid Role name (MemberReadOnlyAccess) and create the IAM Role 

Step 9 — From the IAM Roles dashboard, select the newly created IAM Role under step 8.

Step 10 — Click Trust Relationship tab -> Click Edit Trust Relationship tab. You will see a JSON policy like below 

Step 11 — In order to restrict this Trust Relationship only to demo1 IAM User, you need to change the AWS principle of the above JSON Trust policy. After changing the IAM user ARN, it would be visualized like below

Step 12 — If you had managed to complete all above steps without any issues, then you are set to experiment a bit further now.
Step 13 — Use Switch Role feature and now try and switch back to the IAM member account (DEMO). Use the Member Account ID and the Role (MemberReadOnlyAcces) as the one that you created under step 8

Step 14 — If all okay, you should see the new Member Account AWS console with a ReadOnlyAccess.

2

In this  section, I will be concentrating on the other aspect of cross account switching, which is role switching between two AWS accounts.

Scenario: You are required to have two AWS accounts (Account A and Account B) with ROOT user access. A user from AWS Account A should be able to access Account B resources (Lets say ReadOnlyAccess)

Step 1: Sign-in to Account A and create an IAM user (“userA”) with required permissions.

Step 2: Create an IAM Group and create two policies and attach them to the group.

Adding the AWS Managed Policy— With ReadOnlyAccess

Adding the In-line Policy — With AssumeRole

Once the ReadOnlyAccess managed policy is attached, click the group and add the in-line policy by clicking the link, which is under Inline Policies tab

Once you click the above link, you will see a Policy Generator page appeared.

Click the “Select” button under the Policy Generator, you will see the below screen  

Click “In-line Policy” and use the Policy Editor to add STS Assume Role to the Inline policy.

Select the following parameters while creating the in-line permissions

1. Select Policy Generator → Effect = “Allow” → AWS Service = “AWS STS” → Actions = “AssumeRole” → ARN = “*” → Click “Add Statement” → Click “Next Step” → Click “Apply Policy”

Once both policies are created, the group policies can be listed as below 

Click “Show Policy” under Inline Policies to check the the in-line policy we added.

Now you are required to add the user that you have created to the above IAM group in order to apply the required permissions to the user that we have chosen 

Step 3: Sign-in to Account B and create a Role (This is to connect Account A users to Account B).

Go to IAM → Select “Roles” → Click “Create Role” → Select “Another AWS Account” → Enter the 12-digit account ID (This is the Account ID of AWS Account A)→ Click “Next” and add permissions (Here you can add “ReadOnlyAccess”) → Click “Next” and give a “Role Name” and a “Description” (RoleName = “SecurityReadOnlyRole”)

Go back to “Roles” and see the newly created Role and its Permissions and Trust Relationships. Under Permissions you can see “ReadOnlyAccess” and under “Trust Relationship” you can see  the edited relationship i.e. the Trusted AWS account (Account A — Account ID)

The above configuration confirms that any user from Account A can access Account B resources on the “ReadOnly” mode.

However, if we want to restrict this access to only UserA in Account A, we should be able to do that by changing the above in-line policy by replacing the user name to “UserA”

Step 4: Now login to “userA” in AWS Account A.

Step 5: Go to “Switch Role” and enter the following details:

• Account ID (Account ID of AWS Account B)
• Role (“SecurityReadOnlyRole”)
• Display Name and Color can be anything you like

If all okay, you will be logged into Account B without using username/ password credentials and it is purely on the roles defined.

If you want, you can always go back to Account A and vice versa.

Conclusion

Role switching among AWS account is a very strong feature provided by AWS in order to govern multiple AWS account within an organization. It is matter of creating an IAM Role with a Trust relationship with an IAM user (with a policy with an STS Assume Role) in another AWS account.