Cross-Account Manager

Security

The AWS Cloud provides a scalable, highly reliable platform that helps customers deploy applications and data quickly and securely. When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This shared model can reduce your operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate. In turn, you assume responsibility and management of the guest operating system (including updates and security patches), other associated applications, as well as the configuration of the AWS-provided security group firewall. For more information about security on AWS, visit the AWS Security Center.

AWS Directory Service

The Cross-Account Manager solution relies on AWS Directory Service for single sign-on to the master account using existing corporate credentials. AWS Directory Service is a managed service that makes it easy to connect AWS services to your existing on-premises Microsoft Active Directory (via AD Connector), or to set up and operate a new directory on the AWS cloud (Simple AD or Microsoft Active Directory). See Prerequisites for detailed instructions.

This solution will create and manage IAM roles (CrossAccountManager-*) that you can associate with new or existing directory users and groups (via the AWS Directory Service console). Customers are responsible for creating and managing all Microsoft Active Directory or Simple AD groups and users. We recommend that you create a one-to-one relationship between each IAM role and directory group. We also recommend that you use a consistent naming convention for mapping IAM roles to your directory groups. See Step 4 for more details.

AWS KMS Encryption for Amazon S3

All files in the Amazon S3 configuration bucket are encrypted using server-side encryption with AWS KMS (S3 SSE-KMS). An AWS KMS key policy controls which IAM users are authorized to use the solution-specific customer master key (CrossAccountManager-Key) for decryption, enabling those users to upload files to the configuration bucket. By default, only IAM users with AWS KMS administrative permissions (in addition to the solution’s AWS Lambda functions) are authorized to upload the files. You can manually modify the policy to grant KMS key usage permissions to additional IAM users, groups or roles (see Appendix B for details).
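As an added example (not code from the Cross-Account Manager solution), the following Python script lists which principals an S3 SSE-KMS key policy authorizes to use the key; this is the check to run after editing the CrossAccountManager-Key policy as described in Appendix B, to confirm that only the intended users, groups or roles (plus the solution's Lambda functions) can read or write the configuration bucket. The account ID, the Lambda role name and the user names in the sample policy are constructed placeholders.

```python
import fnmatch
import json

# Concrete KMS actions that let a principal use (not administer) the key.
KEY_USAGE_ACTIONS = ("kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
                     "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey")

# Constructed sample key policy: account ID, role and user names are placeholders.
SAMPLE_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::111122223333:role/CrossAccountManager-ExampleLambdaRole",
                               "arn:aws:iam::111122223333:user/kms-admin"]},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"},
        {"Sid": "Deny statements are not folded into the report", "Effect": "Deny",
         "Principal": {"AWS": "arn:aws:iam::111122223333:user/intern"},
         "Action": "kms:Decrypt", "Resource": "*"},
    ],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _grants_key_usage(action_patterns):
    # Policy actions may be wildcards ("kms:*", "kms:GenerateDataKey*"); match them
    # against the concrete usage actions the way the IAM evaluator does.
    return any(fnmatch.fnmatchcase(usage, pattern)
               for pattern in action_patterns for usage in KEY_USAGE_ACTIONS)

def key_usage_principals(policy_json):
    """Map each principal to the actions an Allow statement grants it on the key.
    Only Allow statements count (Denies and Conditions are not evaluated), so this is
    the widest set of principals that could use the key; "*" (anyone) is kept as "*"."""
    grants = {}
    for stmt in json.loads(policy_json)["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not _grants_key_usage(actions):
            continue
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for arn in arns:
            grants.setdefault(arn, set()).update(actions)
    return {arn: sorted(acts) for arn, acts in grants.items()}

def open_to_anyone(policy_json):
    """True if some Allow statement grants key usage to the anonymous "*" principal."""
    return "*" in key_usage_principals(policy_json)
```

Run it against the output of `aws kms get-key-policy --policy-name default` for the solution's key; any principal in the result that is not a KMS administrator, a deliberately added user, group or role, or a solution Lambda role is a finding.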

Amazon SNS

Amazon SNS is used to facilitate communication between AWS Lambda functions in the master account and sub-accounts. The associated Amazon SNS topics are protected using solution-managed cross-account access control policies. We recommend that you do not modify these access control policies, and that you implement least privilege access control for Amazon SNS administration for your IAM users.

Additional Security Settings

Solution users are allowed to federate to sub-accounts using only the role that they assumed when logging into the master account. Users cannot federate to a different role in a sub-account. For example, if a user logs into the master account using a CrossAccountManager-DevOps role, that user can access only sub-accounts that are approved for the CrossAccountManager-DevOps role.

To facilitate cross-account access, the solution creates a special CrossAccountManager-Admin-DO-NOT-DELETE role in the master account and each sub-account. This solution assumes the CrossAccountManager-Admin-DO-NOT-DELETE role in sub-accounts, which has permission to modify IAM roles and policies in these accounts. We recommend reviewing master account security policies to restrict unauthorized access to the solution’s AWS Lambda functions and roles.