帐户之间的AWS安全组 [英] AWS security groups between accounts

问题描述

我们有两个AWS帐户，一个用于开发人员，另一个用于产品.长话短说，我们在产品帐户中都有两个帐户的服务使用的单一数据库.当开发服务尝试访问prod中的数据库时，就会出现问题.当前，我们仅将开发服务IP添加到产品数据库安全组，但这已不再是一个选择.有没有一种方法可以将开发服务安全组添加到生产数据库安全组(跨帐户)?

解决方案

只要CIDR彼此不冲突且它们位于同一区域，就可以跨两个帐户对等两个VPC. >

这将需要添加到各个VPC中的路由表中，并且您应检查指南有关完整的摘要，请参阅AWS Docs.从理论上讲，一旦正确路由了对等的CIDR块，就应该能够将其对等的CIDR块添加到数据库的安全组中(从理论上讲，因为我从未真正做到这一点，所以我知道它应该存在).

We have two AWS accounts, one for dev and another for prod. Long story short we have a singular database used by services in both accounts which is in prod account. The problem arises when dev services try to access database in prod. Currently, we just add dev services IPs to prod database security group, but that's no longer an option. Is there a way to add dev services security group to prod database security group (cross account)?

解决方案

It's possible to peer the two VPCs across two accounts so long as the CIDRs don't conflict with each other, and they are in the same region.

It will require to add to your route tables in the respective VPCs, and you should check the guide on AWS Docs for a full rundown. Theoretically, you should then be able to add the peered CIDR block to your security group for your database once they are routed correctly (I say theoretically because I've never actually done this, I just know that it's supposed to exist).

这篇关于帐户之间的AWS安全组的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！