AWS:如何管理多个账户的身份验证 [英] AWS: how to manage authentication for multiple accounts
问题描述
我们有多个 AWS 账户(大约 15-20 个),我们管理的每个客户一个 AWS 账户,每个账户都有 VPC,有专门的实例设置.由于监管要求,所有帐户都需要相互隔离.
We have multiple AWS accounts (about 15-20), one AWS account per client that we are managing, each account having VPC having dedicated setup of instances. Due to regulatory requirements all accounts needs to be isolated from each other.
管理这些 AWS 账户的账户凭证的最佳方式是什么?以下是我的想法
What is the best way to manage account credentials for these AWS accounts? Following is what I am thinking
-对于任何新客户
- 创建一个新的 AWS 账户
- 创建 AWS IAM 角色(管理员、开发人员、tester) 用于使用 cloudformation 新创建的帐户
- 使用主AWS 帐户,承担在步骤 2 中创建的角色以访问其他帐户.
这是管理多个帐户的正确方法吗?
Is this the right approact to manage multiple accounts?
提前致谢.
推荐答案
促进 IAM 角色 是一种非常常见且(我认为)管理多个帐户身份验证的正确方法,AWS 最近刚刚发布了相应的版本.对此有很大帮助的更新,请参阅 AWS 管理控制台中的跨账户访问:
Facilitating IAM Roles is a very common and (I think) the right approach to manage authentication for multiple accounts indeed, AWS has just recently released resp. updates that greatly help with this, see Cross-Account Access in the AWS Management Console:
许多 AWS 客户使用单独的 AWS 账户(通常与 合并帐单)用于他们的开发和生产资源.这种分离使它们能够干净地分离不同类型的资源,还可以提供一些安全优势.
Many AWS customers use separate AWS accounts (usually in conjunction with Consolidated Billing) for their development and production resources. This separation allows them to cleanly separate different types of resources and can also provide some security benefits.
今天,我们通过让您在 AWS 管理控制台.您现在可以作为 IAM 用户或通过 联合单点登录登录控制台- 开启,然后切换控制台以管理另一个帐户,而无需输入(或记住)另一个用户名和密码.
Today we are making it easier for you to work productively within a multi-account (or multi-role) AWS environment by making it easy for you to switch roles within the AWS Management Console. You can now sign in to the console as an IAM user or via federated Single Sign-On and then switch the console to manage another account without having to enter (or remember) another user name and password.
请注意,这不仅适用于 AWS 管理控制台,也适用于 AWS 命令行界面(AWS CLI),正如 Mitch Garnaat 在 在 AWS 管理控制台和 AWSCLI 中切换角色.
Please note that this doesn't just work for the AWS Management Console, but also with the AWS Command Line Interface (AWS CLI), as greatly explored/explained in by Mitch Garnaat in Switching Roles in the AWS Management Console and AWSCLI.
此外,Mitch 还跟进了一个专门的新工具 'rolemodel' 来帮助设置事情与您概述的非常相似,您可能需要对其进行相应评估:
Furthermore, Mitch has followed up with a dedicated new tool 'rolemodel' to help with setting things up pretty much like you outlined, which you might want to evaluate accordingly:
Rolemodel 是一个命令行工具,可帮助您设置和维护跨账户 IAM 角色,以便在新的 切换角色 AWS 管理控制台的功能.这些相同的跨账户角色也可以与 AWSCLI 一起使用,如此处所述一>.
Rolemodel is a command line tool that helps you set up and maintain cross-account IAM roles for the purpose of using them in the new switch role capability of the AWS management console. These same cross-account roles can also be used with the AWSCLI as described here.
这篇关于AWS:如何管理多个账户的身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
