ACM.393 Mirror the AWS organizations management account but using an account to which service control policies (SCPs) will apply
Part of my series on Automating Cybersecurity Metrics. AWS Organizations. IAM. Deploying a Static Website. The Code.
In the last post I changed my SSM Parameter implementation for the root account to use my common SSM Parameter code. I also added the capability to pass in a parameter list.
Now, although I want to set up production and non-production infrastructure, at this point I have no repository accounts or repositories. Someone has to deploy them.
I could deploy them using the rootadmin user in the root account, but service control policies don’t apply to that user because it is in the root account. What if I have to update those resources later? Given the way I’ve designed my CloudFormation naming convention and permission structure, where the first prefix on a stack name is [rolename-] and only the role that created the stack can modify it, I would have to use the role in the root account.
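As an added illustration of that stack-name convention (this is not code from this series), here is an IAM policy that lets a role create, update and delete only CloudFormation stacks whose names begin with its own name. The role name DeployRole is a placeholder; CloudFormation stack ARNs have the form arn:aws:cloudformation:region:account:stack/stack-name/id, so the wildcard after the prefix matches any stack the role named according to the convention.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ModifyOnlyStacksPrefixedWithOwnRoleName",
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:UpdateStack",
        "cloudformation:DeleteStack"
      ],
      "Resource": "arn:aws:cloudformation:*:*:stack/DeployRole-*/*"
    },
    {
      "Sid": "ReadAnyStack",
      "Effect": "Allow",
      "Action": [
        "cloudformation:DescribeStacks",
        "cloudformation:DescribeStackEvents",
        "cloudformation:ListStacks"
      ],
      "Resource": "*"
    }
  ]
}
```

The policy only governs the stack operations themselves; the role additionally needs permissions for whatever resources its templates create, and a stack created under a different prefix cannot be updated or deleted by this role even if it has those resource permissions, which is the point of the convention.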
I was initially going to deploy this first non-root user in the IAM account, but that gets complicated because I don’t want the IAM administrative role to be able to modify this all-powerful user or its policies. If I try to do that from the IAM account I’m going to have to create complex policies that will likely be error prone.
What if I just put the non-root user with nearly root privileges in its own account, above every other account? This user performs the initial deployment using code that is not in a repository (there isn’t one in this organization yet anyway), so it doesn’t need to be associated with a repository. In addition, this user should not be used after the initial deployment except in case of emergency.
I don’t really need an OU for a single account, unless I need to get past the limit of 5 SCPs per account or OU. I don’t think I will. This is going to be a pretty powerful user, subject only to the rules that apply to everyone in the organization (like which…