AWS allows you to invite AWS accounts into your organization and manage them with OUs. However, AWS accounts in the same OU do not seem to have access to the same resources. It seems like the only solution is to create IAM users under a common account and create resources as the account, but then human users have to share credentials to that main account. Is there a way to allow different human users to create resources with their own credentials and never share credentials? I do not understand the value of separating accounts from IAM and it is ultimately confusing my understanding of resource management security best practices.
1 Answers
0
votes
AWS recommends that you give users access to roles in different account. As in have all your users in one "central" AWS account and then have your IAM users login to different AWS accounts using a role rather than using straight credentials. See below for an example IAM policy that you would attach to your IAM user.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "StmtXXXXXX",
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": [
"arn:aws:iam::{AccountID}:role/{RoleName}"
]
}
]}
