Cross-Account Manager
Cross-Account Manager

Architecture Overview

Deploying this solution with the default parameters builds the following environment on the AWS Cloud.

        Cross-Account Manager on the AWS Cloud.

Figure 1: Cross-Account Manager solution architecture

The solution includes two AWS CloudFormation templates: one template to deploy in the master AWS account that is used as the entry point for all users; and another to deploy in each sub-account that the solution will manage for cross-account access. The master account template deploys the majority of the solution components, while the sub-account template deploys an AWS Lambda function that configures the roles necessary to grant access to that account.

The master AWS CloudFormation template creates two Amazon Simple Storage Service (Amazon S3) buckets in the master account: one is a configuration bucket that holds sub-account configuration files (account, role, and policy information); the other is an access-link bucket that hosts the solution’s static webpage, which contains user-friendly links to access the managed sub-accounts.

The solution creates an AWS Key Management Service (AWS KMS) key and policy that controls administrator access to the S3 configuration bucket. By default, the key policy grants the solution’s AWS Lambda functions in the master account permission to use the key, and also allows designated IAM users with AWS KMS administrative permissions to manage this key (see Security for more information).

The solution relies on AWS Directory Service for user authentication to the master account, which must be managed independently of this solution (see Prerequisites for more information).

When the Administrator uploads a file with new sub-account, role, or permissions policy information to the Amazon S3 configuration bucket, it triggers an AWS Lambda function in the master account. The function processes the data, stores it in Amazon DynamoDB, and then initiates a series of other Lambda functions and Amazon SNS messages to configure the roles necessary to establish cross-account access.

For each new sub-account and role combination provisioned, the solution automatically adds an access link to the end-user webpage in the Amazon S3 access-link bucket. The solution’s Amazon DynamoDB tables offer a centralized view of all accounts, roles, and links that it manages.

For detailed information on each of these components, see Appendix A.