Cross-Account Manager
Cross-Account Manager

Step 4. Assign Roles to Your Directory Groups

The roles that this solution creates and manages will appear in the IAM console of the master and sub-accounts with the prefix CrossAccountManager-*. You can assign each of these roles to a group in AWS Directory Service (see Assigning a Role in the AWS Directory Service Administrator Guide). When you assign an IAM Role to a directory group, remember that any user who can modify that group’s membership will also control of who can inherit the AWS access permissions of the associated role.

You can use roles and policies to create sub-account groups by environment type (e.g., production, development), application (e.g., app1, app2), or any other permissions-based grouping that you define. For example, you can create a special role that gives members of the developer group Administrator rights in a set of development sub-accounts (see the example in Step 3).

We recommend that you use a consistent naming convention for your roles and Microsoft Active Directory or Simple AD groups, and add a unique prefix such as AWS-*. For example, if you have a CrossAccountManager-DevOps role in the master account, you can name the group you plan to assign that role AWS-DevOps.

You can also assign the solution-created roles to existing groups. For example, you would create a CrossAccountManager-DevAdministrator role that you would assign (via AWS Directory Service) to an existing Microsoft Active Directory group AWS-DevAdministrator.