http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
By setting up cross-account access in this way, you don't
need to create individual IAM users in each account, and users don't have to
sign out of one account and sign into another in order to access resources that
are in different AWS accounts.
Step 1 - Create a Role
First, you
use the AWS Management Console to establish trust between the Production
account (ID number 999999999999) and the Development account (ID number
111111111111) by creating an IAM role named UpdateApp. When you create the
role, you define the Development account as a trusted entity
and specify a permissions policy that allows trusted users to update the
productionapp bucket.
Step 2 - Grant Access to the
Role
In this
step of the tutorial, you modify the IAM group policy
so that Testers are denied access to the UpdateAPP role. Because Testers have
PowerUser access in this scenario, we must explicitly deny the ability to use
the role.
Step 3 - Test Access by Switching Roles
Finally, as
a Developer, you use the UpdateAPP role to update the productionapp bucket in
the Production account. You see how to access the role through the AWS console,
the AWS CLI, and the API.
Ques : What are the 2 policies for cross account access?
1.
Access
2.
Bucket
3.
Permissions
4.
Trust
5.
Key
Ans : Trust & Access
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html?icmpid=docs_iam_console
At times, you need to give a third party access to your AWS
resources (delegate access). you need to define External IDs. e.g., hire a
third-party company to monitor your AWS account.
Although you could give Example Corp access to an IAM user
and its long-term credentials in your AWS account, you should choose instead to
go with the highly recommended best practice of using an IAM role.
Here's a more detailed breakdown of this scenario:
1) You hire Example Corp, so they create a unique customer
identifier for you. They give you your unique customer ID and their AWS account
number.
No comments:
Post a Comment