Menu
Cross-Account Manager
Cross-Account Manager

Overview

Amazon Web Services (AWS) offers a variety of services and features that allow for flexible control of cloud computing resources and the AWS accounts managing those resources. These options are designed to help provide proper cost allocation, agility, and security, and can be enhanced when using a multiple-account structure. When structuring multiple accounts, some customers choose to implement an identity-based access-control strategy between those accounts. AWS provides out-of-the-box federation capabilities from AWS Identity and Access Management (IAM) using cross-account roles. AWS customers can use IAM roles to establish trust relationships between a trusted account that contains users who need access to a resource and a trusting account(s) that owns that resource. Account administrators can configure permissions for IAM users in a trusted account to allow them to switch roles and access a trusting account. AWS provides additional federation capabilities from AWS Directory Service (which supports federation from Microsoft Active Directory, Simple AD, and AD Connector), or from existing identity stores using SAML 2.0, which can be used in conjunction with cross-account roles.

To help customers configure an identity-based security structure for their AWS accounts, AWS offers the Cross-Account Manager solution. The solution simplifies cross-account access in the AWS Management Console and leverages AWS Directory Service for authentication using existing Microsoft Active Directory credentials. The Cross-Account Manager automatically manages the IAM roles and permissions necessary to give federated users and groups access to multiple AWS accounts, and removes the need to manually provision cross-account roles and IAM credentials. The automated reference implementation deploys a serverless architecture and also creates a webpage with user-friendly links for role-specific access to each managed sub-account.


      Cross-Account Manager solution overview

Note

This solution uses AWS Directory Service, which does not leverage SAML for direct federation to AWS accounts. Therefore, this solution may not be the best fit for customers with existing SAML infrastructure.

This guide provides infrastructure and configuration information for planning and deploying the Cross-Account Manager solution. The information in this guide assumes professional working knowledge of IAM roles and policies, Microsoft Active Directory, and AWS Directory Service.

Cost

You are responsible for the cost of the AWS services used while running this solution. As of the date of publication, the cost for running this solution with default settings in the US East (N. Virginia) Region is approximately $5 per month, or less if you have Amazon DynamoDB, Amazon Simple Notification Service (Amazon SNS) or AWS Lambda free tier monthly usage credit.

This cost estimate assumes that the primary purpose of the master account is to manage federation to sub-accounts. If you use the master account to run other Amazon DynamoDB workloads that exceed the free tier limit, the cost of running this solution will increase to approximately $20 per month.

Note

The above estimate does not include costs incurred from AWS Directory Service, which is a required component to manage user authentication and single sign-on in this solution. See AWS Directory Service Pricing for detailed pricing information. For more information on this requirement, see Prerequisites.

Prices are subject to change. For full details, see AWS Pricing and the pricing webpage for each AWS service you will be using in this solution.

On this page: