Managed AWS Account
What will I learn? In this tutorial we will bring a newly provisioned AWS account under active management, enable security automation to protect the root user account, and provision some initial roles with permissions that map to the duties most commonly found in enterprise organizations.
What you'll need
Software & Services
- An AWS user or role with administrator permissions (the AWS managed AdministratorAccess policy) to provision the resources
- An active BLOX (see BLOX Intro and Load some AWS credentials)
- Optional: a Google Identity Provider. If you do not want to use the Google IDP, the module also offers the simple_access feature.
Permissions & Access
AWS provides an existing AdministratorAccess IAM policy that covers all of the permissions needed for this tutorial. You can simply attach this AWS managed IAM policy to your existing IAM user, group or role.

Google Identity Provider (Optional)
The steps to create a Google IDP are described in the Creating IAM SAML identity providers AWS documentation. Other identity providers are supported and described in the linked documentation.
Pattern Resources
There are several resources to be provisioned when utilizing the AWS Enterprise Managed Organizational module. The resources to be created will vary according to the features enabled.

Pattern features
There are several configurable changes in the AWS Enterprise Managed Organizational module that are exposed to the user as features. Each feature can be enabled or disabled via a boolean true or false flag. Toggling these features is intended to be non-disruptive to existing resources in the AWS account.
Feature: Federated Access
enable_federated_access: true
federated_access_name: OrgName-GSuite-IDP
- Enables federated access to AWS account. Enabling this feature requires federated access name to be provided.
Feature: Simple Access
enable_simple_access: false
- Enables simple access to AWS account.
Feature: Root login detection
enable_root_login_detection: true
- Enables root login detection to AWS account.
root_login_detection_detection_email:
- "[email protected]"
- "[email protected]"
- Subscribes the listed e-mail addresses to the root login alarm. If not provided, the SNS subscription is skipped.
Feature: Default Resources Tagging
autoprovisioned_resources_tagging: true
- Enables default resource tagging on current region (VPC and subnets).
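The Root login detection feature relies on CloudTrail records being matched against a rule for root-user activity. The following added example (not the module's own code) applies the commonly used root-usage metric filter logic to a few constructed CloudTrail records; it assumes the module's CloudWatch alarm is driven by an equivalent filter, and the event IDs and ARNs are placeholders.

```python
# Added example, not part of the module: evaluates the root-activity rule that
# a "root login detection" CloudWatch alarm is normally built on. The rule
# mirrors the widely used CloudWatch Logs metric filter for root usage
# (assumption: the module applies an equivalent filter to its CloudTrail log group):
#   { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
#     && $.eventType != "AwsServiceEvent" }
import json

# Constructed CloudTrail records (placeholder IDs, not real account data).
SAMPLE_EVENTS = [
    json.dumps({
        "eventID": "evt-root-console",
        "eventType": "AwsConsoleSignIn",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
        "responseElements": {"ConsoleLogin": "Success"},
    }),
    json.dumps({
        "eventID": "evt-iam-user-console",
        "eventType": "AwsConsoleSignIn",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "responseElements": {"ConsoleLogin": "Success"},
    }),
    json.dumps({
        # Root credentials used on behalf of an AWS service: excluded by invokedBy.
        "eventID": "evt-root-invoked-by-service",
        "eventType": "AwsApiCall",
        "eventName": "DescribeInstances",
        "userIdentity": {"type": "Root", "invokedBy": "config.amazonaws.com"},
    }),
    json.dumps({
        # Service-generated event attributed to root: excluded by eventType.
        "eventID": "evt-root-service-event",
        "eventType": "AwsServiceEvent",
        "eventName": "RotateSecret",
        "userIdentity": {"type": "Root"},
    }),
]


def is_root_activity(event: dict) -> bool:
    """True when the record matches the root-usage metric filter above."""
    identity = event.get("userIdentity", {})
    return (
        identity.get("type") == "Root"
        and "invokedBy" not in identity
        and event.get("eventType") != "AwsServiceEvent"
    )


def is_root_console_login(event: dict) -> bool:
    """Narrower check: a successful interactive console sign-in by the root user."""
    return (
        is_root_activity(event)
        and event.get("eventName") == "ConsoleLogin"
        and event.get("responseElements", {}).get("ConsoleLogin") == "Success"
    )


def scan(lines, predicate=is_root_activity):
    """Return the eventIDs (in order) of records that would raise the alarm."""
    flagged = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the scan
        if predicate(event):
            flagged.append(event.get("eventID", "<no eventID>"))
    return flagged


if __name__ == "__main__":
    for event_id in scan(SAMPLE_EVENTS):
        print("ALARM root activity:", event_id)
```

Only the interactive root sign-in is flagged; the two records where root credentials appear on behalf of an AWS service are deliberately excluded, which is why the filter has the invokedBy and eventType clauses rather than matching on userIdentity.type alone.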
Tutorial
We will provision the terraform-aws-enterprise-managed-org-account module, which brings basic management controls to an AWS account intended for use in large organizations. This tutorial also makes use of tf, one of the built-in tools available in BLOX, which allows us to perform the API calls to the AWS services and provision the desired resources via Terraform.
Bring the AWS account under management
In the guide below we will refer to the Enterprise Managed Organizational Account module and its resources. We will also benefit from our tool BLOX to utilize built-in tools like git and terraform to perform the repository cloning and provisioning operations.
Clone the Enterprise Managed Organizational Account reference sample
BLOX❯git clone https://gitlab.com/where/my/repo/is/terraform-aws-enterprise-managed-org-account.git
Use the example in the module code to create the initial tf code for the new enterprise account
BLOX❯cp -Rv terraform-aws-enterprise-managed-org-account/examples \
aws-enterprise-managed-org-account-123456789012-eu-west-1
mv aws-enterprise-managed-org-account-123456789012-eu-west-1/example-configuration.yml \
aws-enterprise-managed-org-account-123456789012-eu-west-1/aws-enterprise-managed-org-account.yml
Modify the TF module definition to specify the correct module version and YML config file name. It is advised to always pin the module source to a tag (the ref parameter).
BLOX❯module "hub_example" {
  source        = "git::https://gitlab.com/where/my/repo/is/terraform-aws-enterprise-managed-org-account.git?ref=v1.4"
  configuration = "./aws-enterprise-managed-org-account.yml"
}
Modify the configuration YAML file to correctly reflect the target state for the enterprise account
Resource Tagging
# These tags are added to everything that supports tags
default_tags:
  Workload: "Basic management controls for an AWS Account intended for use in large organizations"
  BusinessUnit: "IT"
  Lifecycle: "Development"
# These tags are added to resources that are likely to require tracking and correlation,
# intended for use with a CMDB, and are applied to all resources that operate as instances (EC2
# VMs, RDS, ELBs, ALBs) rather than constructs (VPCs, SGs, NACLs)
default_ci_tags:
  WorkloadID: "IF1234-T001"
Account configuration
account_config:
  # Account name to be inserted in IAM groups/roles
  account_name: "Hestio"
  # Account alias to provide descriptive details about the account name
  account_alias: "Hestio"
  # Resource prefix to be applied to multiple resources
  resource_prefix: "Prod"
  # Enables federated access to the AWS account. If set to true, simple access must be set to false
  enable_federated_access: "true"
  # Enables simple access to the AWS account. If set to true, federated access must be set to false
  enable_simple_access: "false"
  # Enables root login detection for the AWS account. If set to true, a CloudWatch Alarm and SNS
  # notification will be created
  enable_root_login_detection: "true"
  # Define the number of days to retain logs in the CloudWatch log group specified in CloudTrail
  cloudtrail_cw_log_retention_days: 14
  # If root login detection is set to true, it is recommended to specify an e-mail to be
  # notified when the root account logs in
  root_login_detection_detection_email:
    - "[email protected]"
    - "[email protected]"
  # AWS account SAML name
  federated_access_name: "OrgName-GSuite-IDP"
  # Default resources tagging
  autoprovisioned_resources_tagging: "true"
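The comments in the YAML encode constraints that Terraform will not check for you until apply time: federated and simple access are mutually exclusive, federated access needs a SAML provider name, and root login detection is only useful if someone is subscribed to the alarm. The following added example (not part of the module) checks an account_config mapping against those rules before running tf plan. It assumes the YAML has already been loaded into a dict (for instance with PyYAML) and accepts the quoted "true"/"false" strings used in this tutorial as well as real booleans; the e-mail address in the sample is a placeholder.

```python
# Added example, not the module's own code: pre-flight validation of the
# account_config mapping. Assumptions: the YAML has been parsed into a dict,
# and boolean flags may be real booleans or the strings "true"/"false".
from typing import List


def as_bool(value) -> bool:
    """Accept True/False or the strings 'true'/'false' (case-insensitive)."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    raise ValueError(f"not a boolean flag: {value!r}")


def validate_account_config(cfg: dict) -> List[str]:
    """Return a list of problems; an empty list means the config is consistent."""
    problems = []
    federated = as_bool(cfg.get("enable_federated_access", False))
    simple = as_bool(cfg.get("enable_simple_access", False))
    root_detect = as_bool(cfg.get("enable_root_login_detection", False))

    # Federated and simple access are mutually exclusive (per the YAML comments).
    if federated and simple:
        problems.append("enable_federated_access and enable_simple_access cannot both be true")
    # Federated access needs the SAML provider name to build the trust policy.
    if federated and not cfg.get("federated_access_name"):
        problems.append("enable_federated_access requires federated_access_name")
    # Root login detection without a subscriber means the alarm fires unseen.
    emails = cfg.get("root_login_detection_detection_email") or []
    if root_detect and not emails:
        problems.append("enable_root_login_detection is true but no notification e-mail is configured")
    for addr in emails:
        if "@" not in addr:
            problems.append(f"invalid e-mail address: {addr!r}")
    # CloudTrail log retention must be a positive number of days.
    retention = cfg.get("cloudtrail_cw_log_retention_days")
    if retention is not None and (not isinstance(retention, int) or retention <= 0):
        problems.append("cloudtrail_cw_log_retention_days must be a positive integer")
    return problems


# Constructed config mirroring the tutorial's YAML (placeholder e-mail address).
TUTORIAL_CONFIG = {
    "account_name": "Hestio",
    "account_alias": "Hestio",
    "resource_prefix": "Prod",
    "enable_federated_access": "true",
    "enable_simple_access": "false",
    "enable_root_login_detection": "true",
    "cloudtrail_cw_log_retention_days": 14,
    "root_login_detection_detection_email": ["security@example.com"],
    "federated_access_name": "OrgName-GSuite-IDP",
    "autoprovisioned_resources_tagging": "true",
}

if __name__ == "__main__":
    for line in validate_account_config(TUTORIAL_CONFIG) or ["account_config OK"]:
        print(line)
```

Run it against the parsed contents of aws-enterprise-managed-org-account.yml before tf plan; a non-empty list is a reason to stop and fix the file rather than discover the conflict during apply.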
Prepare the stack for provisioning and provision the AWS Enterprise Managed Organizational Account
BLOX❯tf default 1.3.9
tf init
tf plan -out=manage.plan
Review the resources that are about to be provisioned and make sure they are in line with the expectations:
BLOX❯Plan: 41 to add, 0 to change, 0 to destroy.
Saved the plan to: manage.plan
Begin provisioning the AWS Enterprise Managed Organizational Account
BLOX❯tf apply manage.plan
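Reviewing the plan by eye works for a first run, but a repeatable check is safer once the account is under management: a plan against an existing account should normally not destroy anything. The following added example (not part of the tutorial or the module) summarizes a Terraform plan and refuses to approve one that contains destroy actions or an unexpected number of additions. It assumes the plan has been exported with tf show -json manage.plan (Terraform's terraform show -json format, assuming tf passes arguments through to terraform); the resource addresses in the sample plans are constructed placeholders.

```python
# Added example, not part of the tutorial: gate `tf apply` on the saved plan.
# Assumption: the plan was exported with `tf show -json manage.plan`, whose
# resource_changes entries carry a change.actions list per resource.
import json
from typing import Optional


def summarize_plan(plan_json: str) -> dict:
    """Count add/change/destroy the way Terraform's 'Plan: X to add ...' line does."""
    plan = json.loads(plan_json)
    summary = {"add": 0, "change": 0, "destroy": 0, "destroyed": []}
    for rc in plan.get("resource_changes", []):
        actions = rc.get("change", {}).get("actions", [])
        if actions in (["no-op"], ["read"]):
            continue
        # A replacement (delete+create) counts as one add and one destroy.
        if "delete" in actions:
            summary["destroy"] += 1
            summary["destroyed"].append(rc["address"])
        if "create" in actions:
            summary["add"] += 1
        if actions == ["update"]:
            summary["change"] += 1
    return summary


def safe_to_apply(plan_json: str, expected_adds: Optional[int] = None) -> bool:
    """Approve only plans with no destroys (and, if given, the expected add count)."""
    s = summarize_plan(plan_json)
    if s["destroy"]:
        return False
    if expected_adds is not None and s["add"] != expected_adds:
        return False
    return True


# Constructed plans with placeholder resource addresses (not the module's real ones).
SAMPLE_PLAN_CLEAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "module.hub_example.aws_iam_role.admin", "change": {"actions": ["create"]}},
        {"address": "module.hub_example.aws_sns_topic.root_login", "change": {"actions": ["create"]}},
        {"address": "module.hub_example.aws_cloudtrail.main", "change": {"actions": ["no-op"]}},
    ],
})

SAMPLE_PLAN_DESTRUCTIVE = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "module.hub_example.aws_iam_role.admin", "change": {"actions": ["create"]}},
        {"address": "module.hub_example.aws_cloudtrail.main", "change": {"actions": ["delete", "create"]}},
        {"address": "module.hub_example.aws_sns_topic.root_login", "change": {"actions": ["update"]}},
    ],
})

if __name__ == "__main__":
    for name, plan in (("clean", SAMPLE_PLAN_CLEAN), ("destructive", SAMPLE_PLAN_DESTRUCTIVE)):
        s = summarize_plan(plan)
        verdict = "approve" if safe_to_apply(plan) else "STOP"
        print(f"{name}: {s['add']} to add, {s['change']} to change, {s['destroy']} to destroy -> {verdict}")
```

Wire it into the step above as tf show -json manage.plan | python3 check_plan.py (script name assumed) and only run tf apply manage.plan when it approves; a replaced CloudTrail trail or SNS topic is exactly the kind of change that would silently break root login detection.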
Login to AWS via SSO from your Google IDP
Having successfully configured the Google IDP for seamless login into your AWS account and provisioned the Enterprise Managed Organizational module, it is now time to venture into AWS. Let us embark on this journey by logging in there.
Access the URL provided by the Google IDP (e.g. https://accounts.google.com/o/saml2/initsso?idpid=example123456), select the account to log in with and click Sign in.
Screenshot: Google IDP
Example Configurations
- Simple IAM Users & Groups
account_config:
  # Account name to be inserted in IAM groups/roles
  account_name: "Hestio"
  # Account alias to provide descriptive details about the account name
  account_alias: "Hestio"
  # Resource prefix to be applied to multiple resources
  resource_prefix: "Prod"
  # Enables simple access to the AWS account. If set to true, federated access must be set to false
  enable_simple_access: "true"
  # Enables root login detection for the AWS account. If set to true, a CloudWatch Alarm and SNS
  # notification will be created
  enable_root_login_detection: "true"
  # If root login detection is set to true, it is recommended to specify an e-mail to be
  # notified when the root account logs in
  root_login_detection_detection_email:
    - "[email protected]"
    - "[email protected]"
- SSO with GSuite IDP using IAM Roles
account_config:
  # Account name to be inserted in IAM groups/roles
  account_name: "Hestio"
  # Account alias to provide descriptive details about the account name
  account_alias: "Hestio"
  # Resource prefix to be applied to multiple resources
  resource_prefix: "Prod"
  # Enables federated access to the AWS account. If set to true, simple access must be set to false
  enable_federated_access: "true"
  # Enables root login detection for the AWS account. If set to true, a CloudWatch Alarm and SNS
  # notification will be created
  enable_root_login_detection: "true"
  # Define the number of days to retain logs in the CloudWatch log group specified in CloudTrail
  cloudtrail_cw_log_retention_days: 14
  # If root login detection is set to true, it is recommended to specify an e-mail to be
  # notified when the root account logs in
  root_login_detection_detection_email:
    - "[email protected]"
    - "[email protected]"
  # AWS account SAML name
  federated_access_name: "OrgName-GSuite-IDP"
- Complete
account_config:
  # Account name to be inserted in IAM groups/roles
  account_name: "Hestio"
  # Account alias to provide descriptive details about the account name
  account_alias: "Hestio"
  # Resource prefix to be applied to multiple resources
  resource_prefix: "Prod"
  # Enables federated access to the AWS account. If set to true, simple access must be set to false
  enable_federated_access: "true"
  # Enables simple access to the AWS account. If set to true, federated access must be set to false
  enable_simple_access: "false"
  # Enables root login detection for the AWS account. If set to true, a CloudWatch Alarm and SNS
  # notification will be created
  enable_root_login_detection: "true"
  # Define the number of days to retain logs in the CloudWatch log group specified in CloudTrail
  cloudtrail_cw_log_retention_days: 14
  # If root login detection is set to true, it is recommended to specify an e-mail to be
  # notified when the root account logs in
  root_login_detection_detection_email:
    - "[email protected]"
    - "[email protected]"
  # AWS account SAML name
  federated_access_name: "OrgName-GSuite-IDP"
  # Default resources tagging
  autoprovisioned_resources_tagging: "true"
Now that you've had a look around, why not check out the full documentation here.
At Hestio, we have taken our experience with designing and building on cloud to codify these patterns and made them available as a low-code pattern library for AWS. Why spend time and effort on reinventing the wheel when it's already a solved problem? Would you start developing office productivity software in a world where Microsoft Office already exists?
If you'd like to find out about worX, our low-code patterns library for AWS you can read more here or get in touch today to schedule a demo.