Cross-Account Manager

Automated Deployment

Before you launch the automated deployment, please review the architecture, prerequisites, and security information discussed in this guide. Follow the step-by-step instructions in this section to configure and deploy Cross-Account Manager into your account.

Time to deploy: Approximately 10 minutes, plus additional time to configure sub-accounts, roles, and policies as necessary.


The solution relies on AWS Directory Service for user authentication and single sign-on to the master account using existing corporate credentials. Complete the following high-level tasks to configure AWS Directory Service for the Cross-Account Manager solution.

Configure AWS Directory Service

With AWS Directory Service, customers can set up a managed Microsoft Active Directory or Simple AD on the AWS Cloud, or they can use the AD Connector proxy service to connect to an existing on-premises Microsoft Active Directory.

  • If you are not yet using Microsoft Active Directory for user authentication and authorization, choose the appropriate implementation for your company. We recommend using AWS Directory Service to configure a managed Microsoft Active Directory or Simple AD.


    If you require a self-managed Microsoft Active Directory Domain Services (AD DS) environment, AWS offers the Active Directory DS on AWS Quick Start that helps customers deploy a new AD DS environment on the AWS Cloud or extend an existing on-premises AD DS to the AWS Cloud. This solution will work with Scenario 3 of the Quick Start, which deploys AD DS with AWS Directory Service on the AWS Cloud.

  • If you have an existing Microsoft Active Directory environment on premises, use the AD Connector proxy service to connect your directory to AWS Directory Service.

  • Enable access to the AWS Management Console for your directory users and groups. See Enabling AWS Management Console Access in the AWS Directory Service Administration Guide. You will create an access URL for your directory members to use to access the console.

Create and Manage Users and Groups

This solution creates and manages IAM roles (CrossAccountManager-*) that you can assign to your directory users or groups. Customers are responsible for creating and managing their Microsoft Active Directory or Simple AD groups, and for assigning solution-managed roles to these users and groups as necessary.

What We'll Cover

The procedure for deploying this architecture on AWS consists of the following steps. For detailed instructions, follow the links for each step.