Menu
Cross-Account Manager
Cross-Account Manager

Appendix A: Component Details


            Cross-Account Manager solution: component process flow

Figure 2: Cross-Account Manager component process flow

Amazon S3 Buckets

The solution creates two user-defined Amazon Simple Storage Service (Amazon S3) buckets:

The buckets have versioning enabled by default.

  • The configuration bucket contains sub-account and role definitions (in YAML format), and also permissions policies (in JSON format). By default, the solution’s AWS KMS policy only allows IAM users with AWS KMS administrative permissions to upload objects to the configuration bucket. We recommend updating the solution’s key policy to authorize specific IAM users, groups, or roles to use the solution’s key to upload configuration files to this bucket (see Appendix B for more information).

  • The access links bucket hosts the solution-managed, static webpage containing a list of URL shortcuts that allow users to switch roles and access each sub-account.

Amazon SNS Topics

The solution deploys three Amazon Simple Notification Service (Amazon SNS) topics:

  • The Account topic is deployed in the master account but accessed from the sub-accounts. This topic sends a message to indicate when a new sub-account should be added to the solution.

  • The Role topic is an internal Amazon SNS topic in the master account to facilitate role creation and deletion in sub-accounts. It triggers the Role event-handler AWS Lambda function to perform the role-related tasks in sub-accounts (see the next section).

  • The AccessLinks topic is an internal Amazon SNS topic that updates the access link webpage whenever a new account or role is added or removed.

Master Account AWS Lambda Functions

File Handler Functions

Each time the Administrator uploads an account or role file to the Amazon S3 configuration bucket, it triggers one of the solution’s file handler functions, which parse, validate, and process the data:

  • The New-Account file handler grants permission for the sub-account to publish messages to the Account Amazon SNS topic in the master account.

  • The New-Role file handler adds or removes the IAM roles or permissions policies from the master account. The New-Role file handler also publishes messages to the Role Amazon SNS topic with the sub-account ID and the role or permission to add or remove.

Note

Unlike new account and role files, new policy files do not trigger any AWS Lambda functions when uploaded to the configuration bucket.

Event Handler Functions

The solution uses two event handler functions to process messages from the Amazon SNS topics:

  • The Account event handler subscribes to the Account topic. When it receives a new account message, it publishes any existing role(s) and related policies to the Role topic (which will then be pushed to the sub-account).

  • The Role event handler subscribes to the Role topic. When it receives a message to add or remove a role and policy, it uses a temporary AWS Security Token Service (AWS STS) Administrator token (using the CrossAccountManager-Admin-DO-NOT-DELETE role) to add or remove roles in the sub-account.

Anytime a new sub-account and role is provisioned, the Access-Link handler function is triggered. This function updates the solution’s webpage with the access link for the sub-account and role.

Sub-Account AWS Lambda Function

The sub-account AWS CloudFormation template (aws-cross-account-manager-sub.template) deploys a custom resource AWS Lambda function. This function creates a special CrossAccountManager-Admin-DO-NOT-DELETE role with the minimum set of IAM permissions required to add or remove IAM roles and permissions policies in the sub-account. By default, only the Role event handler in the master account can assume the CrossAccountManager-Admin-DO-NOT-DELETE role.

When the AWS CloudFormation stack launch is complete in a sub-account, the function publishes a message to the Account Amazon SNS topic to indicate the account is ready to be managed. Similarly, the function publishes a message to the Account topic upon stack deletion to indicate a sub-account is no longer available to be managed by solution.

Amazon DynamoDB Tables

The solution creates three Amazon DynamoDB tables:

  • The CrossAccountManager-Accounts table stores account-related data (AWS account ID, email, account group, and account status) each time the Administrator uploads a new account file. The account status changes from pending to active once the sub-account AWS CloudFormation stack is created and ready to be managed. It changes to deleted when the stack is deleted.

  • The CrossAccountManager-Roles table stores role-relation information (role name, policy, role status). The role status is active when a new role is created and deleted when the role is removed.

  • The CrossAccountManager-Account-Roles table stores the status of account ID and role combinations (account ID, role, status) that the solution manages. The status is pending while the new role is being provisioned in the sub-account. It changes to active when the role is provisioned successfully and deleted when the role is removed from sub-account.

IAM Roles

The solution automatically creates AWS Identity and Access Management (IAM) roles that grant least privileges to the AWS Lambda functions in the master account and sub-accounts. All IAM roles that this solution manages are prefixed with CrossAccountManager-* for easy identification and filtering.

The solution creates a special CrossAccountManager-Admin-DO-NOT-DELETE role in the master account and in each sub-account. This role facilitates IAM-related changes from the master account.