ACM.393 Mirror the AWS Organizations management account but using an account to which service control policies (SCPs) will apply
In the last post I changed my SSM Parameter implementation for the root account to use my common SSM Parameter code. I also added the capability to pass in a parameter list.
Now, although I want to set up production and non-production infrastructure, at this point I have no repository accounts or repositories. Someone has to deploy them.
I could deploy them using the rootadmin user in the root account; service control policies don't apply to that user because it is in the root account. But what if I have to update those resources later? I would have to use the role in the root account, because of the way I've designed my CloudFormation naming convention and permission structure: the first prefix on a stack name is [rolename-], and only the role that created the stack can modify it.
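As an added illustration of how that [rolename-] convention can be enforced in IAM (this is example code, not the author's template), here is a CloudFormation resource granting a role permission to create, update and delete only stacks whose names carry its own prefix. The role name DeployRole, the prefix DeployRole- and the existence of that role are assumptions.

```yaml
# Added example, not the author's template: grants a role permission to change
# only stacks whose name starts with the role's own prefix.
# Assumptions: the role DeployRole already exists and the agreed prefix is "DeployRole-".
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  DeployRoleStackPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Roles:
        - DeployRole            # assumed to exist already
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: ManageOnlyOwnPrefixedStacks
            Effect: Allow
            Action:
              - cloudformation:CreateStack
              - cloudformation:UpdateStack
              - cloudformation:DeleteStack
            # Stack ARNs have the form arn:aws:cloudformation:REGION:ACCOUNT:stack/NAME/ID,
            # so matching on the NAME segment pins the action to this role's prefix.
            Resource: arn:aws:cloudformation:*:*:stack/DeployRole-*/*
          - Sid: ReadAnyStack
            Effect: Allow
            Action:
              - cloudformation:DescribeStacks
              - cloudformation:ListStacks   # ListStacks does not support resource-level scoping
            Resource: "*"
```

The "only the creating role can modify it" guarantee holds only if no other principal is granted a broader cloudformation:UpdateStack or DeleteStack allow that also matches this ARN pattern, which is why the author wants the deploying identity in an account where SCPs apply.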
I was initially going to try to deploy the initial non-root user in the IAM account, but that gets complicated because I don't want the IAM administrative role to be able to modify this all-powerful user or its policies. If I try to do that from the IAM account, I'm going to have to create complex policies that will likely be error prone.
What if I just put the non-root user with nearly root privileges in its own account, above every other account? This user runs code that's not in a repository (there isn't one yet in this organization anyway) to do the initial deployment, so it doesn't need to be associated with a repository. In addition, this user should not be used after the initial deployment except in case of emergency.
I don't really need an OU for a single account, unless I need to get past the limit of 5 SCPs per account or OU. I don't think so. This is going to be a pretty powerful user, subject only to the rules that apply to everyone in the organization (like which…