
This question may seem noobish, but I am pulling my hair out with our AWS organization. We have 3 separate root accounts connected in a single organization with IAM accounts and policies. We can only see instances from the default root account in the EC2 list (yes, I am looking in the correct region). We have shared full account access across all of the other accounts and accepted the invitations. Our billing works perfectly and funnels from our main root account (and I can see billing of the other separate accounts fine). Even our highest level of admin (literally a grant permission to everything) cannot see instances launched from one of the separate root accounts.

Our goal is our admin group should see EC2 instances from all 3 root accounts in the organization without switching accounts or credentials.

I know this has to be possible, but I have spent at least 2 hours and have not gotten far. Any suggestions on how to achieve this?

vizon

2 Answers


There are some terminology issues here. There are no root accounts or main root accounts in AWS Organizations. There is one management AWS account and there are zero or more member AWS accounts.

The term root refers to an AWS Organizations construct within the management account that is the parent container for all of the member accounts in your organization. See AWS Organizations Terminology and Concepts for more.

There are two ways to 'join' a member account to an organization:

  1. an admin in the management account creates a new member account
  2. an admin in the management account invites an existing account to become a member

If you use option #1, administrative control over the member account is automatically provided for you through an auto-created IAM role called OrganizationAccountAccessRole that you can use to grant users in the management account administrator access to the created member account.

If you use option #2, you do not automatically have full administrator control over the member account. If you want the management account to have full administrative control over an invited member account, you must create the OrganizationAccountAccessRole IAM role in the member account and grant permission to the management account to assume the role. To configure this, after the invited account becomes a member, follow the steps in Creating the OrganizationAccountAccessRole in an Invited Member Account.

jarmod
  • I have my accounts now set up to allow switching of accounts the way I want. However, my issue now is I have two roles for the same trusted account id, admin and developer. How do I add a condition to the role on the additional account to verify a group is present? I don't want a developer getting the role name of the admin group and automatically getting access. I saw a way to limit by user id, but I don't want to edit the role for every new developer. Surely there is another way? – vizon Jan 28 '19 at 16:35
  • Not sure what you mean by verifying that "a group is present" (do you mean that the user is a member of the admin IAM group?), but generally the way you prevent someone from leveraging an IAM role is to simply not give them permission to assume that role (or explicitly deny them permission to assume the role e.g. https://stackoverflow.com/questions/42644592/allow-selected-iam-users-to-switch-role). – jarmod Jan 28 '19 at 16:44
  • Yes, I wanted the account authorizing the relationship to deny based on a permission outside of username. I was able to resolve this on both the main AWS account and the child account, but I do not know how I would do this if I was sharing my account with a vendor, for example – vizon Jan 28 '19 at 23:26
  • Is there a way to automatically add the roles to the user account, so my developers don't have to click the link every time they clear their cookies (or save the switch role information)? – vizon Jan 28 '19 at 23:27
  • When you provide a third-party (e.g. vendor) access to your account, *you* are in control. You create an IAM role specifically for that use case, with only those permissions that you want the third-party to have. When it comes to cookie clearing, one option might be to use a smart cookie manager that can retain cookies from the AWS console. – jarmod Jan 29 '19 at 00:29
  • @jarmod Note that the terminology has changed. It's now called `management account` and `member accounts`. – MEMark Sep 26 '22 at 05:41
  • @MEMark thank you, I have updated the answer to use the current term. – jarmod Sep 26 '22 at 10:58
  • there's a Root user, used for payments and such. Admin account can't by default make payments. AWS just gave me an error message to signin as the root user to make payments. – nullsteph Jun 22 '23 at 01:44
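As an added example (not code from the answer, the question, or AWS's documentation), here are the two documents the option #2 procedure above needs, generated in Python: the trust policy for OrganizationAccountAccessRole that the invited member account creates, and the identity policy in the management account that lets only the admin IAM group assume that role, which is also the usual answer to the comment thread about keeping developers off the admin role without editing the role per user. Account IDs, the role description and the ExternalId value are placeholders I made up; the role name and the AdministratorAccess managed policy ARN are AWS's real ones. `create_member_role` needs boto3 and credentials in the member account to run for real.

```python
"""Policy documents for the option #2 path above: the management account gets
administrative access to an *invited* member account through a role the
member account creates itself.

Added example, not code from the answer or from AWS. Account IDs, the role
description and the ExternalId value are made-up placeholders; the role
name and the AdministratorAccess policy ARN are AWS's real ones.
"""
import json
from typing import Dict, List, Optional

ROLE_NAME = "OrganizationAccountAccessRole"   # same name AWS auto-creates for option #1
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def member_role_arn(member_account_id: str) -> str:
    return f"arn:aws:iam::{member_account_id}:role/{ROLE_NAME}"


def trust_policy(management_account_id: str, external_id: Optional[str] = None) -> Dict:
    """Trust (assume-role) policy for the role created IN THE MEMBER ACCOUNT.

    The principal "arn:aws:iam::<id>:root" means the management *account* as a
    whole (not its root user), so which users may actually assume the role is
    decided by identity policies inside the management account (see
    assume_role_policy); adding a developer never means editing this document.
    ExternalId is the usual extra guard when the trusting side is a third
    party such as a vendor (assumption: you hand the vendor a value they must
    present on every AssumeRole call).
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{management_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_role_policy(member_account_ids: List[str]) -> Dict:
    """Identity policy to attach to the admin IAM GROUP in the management account.

    Only principals carrying this statement can switch into the member
    accounts; a developer who knows the role name but is not in the group
    gets AccessDenied from STS, with no per-user edit to the role itself.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [member_role_arn(a) for a in member_account_ids],
        }],
    }


def create_member_role(iam_client, management_account_id: str,
                       external_id: Optional[str] = None) -> str:
    """Run with credentials in the MEMBER account. iam_client is a boto3 IAM
    client (or any object with the same two methods). Returns the role ARN."""
    resp = iam_client.create_role(
        RoleName=ROLE_NAME,
        AssumeRolePolicyDocument=json.dumps(trust_policy(management_account_id, external_id)),
        Description="Administrative access for the organization management account",
    )
    iam_client.attach_role_policy(RoleName=ROLE_NAME, PolicyArn=ADMIN_POLICY_ARN)
    return resp["Role"]["Arn"]


if __name__ == "__main__":
    # Placeholder IDs; prints both documents so they can be pasted into the console.
    print(json.dumps(trust_policy("111111111111"), indent=2))
    print(json.dumps(assume_role_policy(["222222222222", "333333333333"]), indent=2))
```

The split matters for the vendor case in the comments: the member (your) side only ever trusts a whole account plus an ExternalId, and the trusting account decides internally who may use that trust, so the people you have to audit when access is revoked are all on one side.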

@jarmod's answer provides a good overview of the terminology. I don't think it addresses your visibility problem.

Your assumption appears to be that the master account of the organization should be able to directly see all resources of all accounts within the organization in its AWS console or via the API. That's not correct.

The resources in the accounts are generally still separated (although some things can be shared, but that's another matter), but you can change into these accounts by assuming a role in the accounts and then you're able to see the resources - this is what @jarmod is describing. After you change into the accounts, you'll be able to see all resources within that respective account.

To learn more about organizations and their capabilities, here are some helpful links:

Resources within an AWS Account logically belong to that account and not to its organization.

Maurice
  • so is it accurate understanding... same question with different direction... 1) that there is no way for the master account console view to see all of the resources that it's users have provisioned. Instead the master has to switch into these separate accounts? (master access/sees user account resources) 2) If the master account creates a resource say an RDS and also creates an admin IAM user the admin IAM user will not see the RDS that the master created? (user account access/sees master resources) – John Drinane Nov 25 '19 at 00:07
  • There is 'no way' using only the AWS console. There are many 3rd party AWS management apps that provide features of this sort (including seeing consolidated cross-region resources). – DALDEI Oct 21 '20 at 18:21
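The role-switching the answer describes, done programmatically from the management account so that the admin group gets the one consolidated EC2 list the question asks for. This is an added example, not code from the answer or from any AWS tool: it enumerates the organization's active accounts, assumes OrganizationAccountAccessRole in each member account (the management account is read with the caller's own credentials, since that role does not exist there), and lists instances per region. An account where the role cannot be assumed, which is exactly the invited-but-never-configured case from the question, is reported as a row instead of aborting the sweep. Account and instance IDs in the test are made up; running it for real needs boto3 and management-account credentials that are allowed `sts:AssumeRole` on the member roles.

```python
"""Consolidated EC2 inventory across every account in an AWS organization.

Added example, not code from the answer or from AWS. Clients are passed in
so the logic can be exercised without network access; boto3 is only used
by the helpers at the bottom and only when the module is run directly.
"""
from typing import Callable, Dict, Iterable, List, Optional

ROLE_NAME = "OrganizationAccountAccessRole"
ROLE_SESSION = "org-ec2-inventory"   # made-up session name, shows up in CloudTrail


def list_member_account_ids(org_client, management_account_id: str) -> List[str]:
    """ACTIVE accounts in the organization, minus the management account."""
    ids = []
    for page in org_client.get_paginator("list_accounts").paginate():
        for acct in page["Accounts"]:
            if acct["Status"] == "ACTIVE" and acct["Id"] != management_account_id:
                ids.append(acct["Id"])
    return ids


def assume_role_credentials(sts_client, account_id: str) -> Dict[str, str]:
    """Temporary credentials for OrganizationAccountAccessRole in one member
    account, in the keyword form boto3.Session accepts. 900 s is the shortest
    duration STS allows; a sweep does not need more."""
    resp = sts_client.assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/{ROLE_NAME}",
        RoleSessionName=ROLE_SESSION,
        DurationSeconds=900,
    )
    c = resp["Credentials"]
    return {
        "aws_access_key_id": c["AccessKeyId"],
        "aws_secret_access_key": c["SecretAccessKey"],
        "aws_session_token": c["SessionToken"],
    }


def instances_in_account(ec2_client, account_id: str, region: str) -> List[Dict]:
    """Every instance the given EC2 client can see, tagged with where it lives."""
    rows = []
    for page in ec2_client.get_paginator("describe_instances").paginate():
        for reservation in page["Reservations"]:
            for inst in reservation["Instances"]:
                rows.append({"account": account_id, "region": region,
                             "id": inst["InstanceId"], "state": inst["State"]["Name"]})
    return rows


def inventory(org_client, sts_client, management_account_id: str,
              regions: Iterable[str],
              ec2_client_for: Callable[[str, str, Optional[Dict[str, str]]], object]) -> List[Dict]:
    """Sweep the management account plus every member account.

    ec2_client_for(account_id, region, credentials_or_None) returns an EC2
    client; None means "use the caller's own credentials" (management account).
    A member account whose role cannot be assumed yields one failure row and
    the sweep continues, so one unconfigured invited account does not hide
    the rest.
    """
    regions = list(regions)
    rows: List[Dict] = []
    accounts = [management_account_id] + list_member_account_ids(org_client, management_account_id)
    for acct in accounts:
        creds = None
        if acct != management_account_id:
            try:
                creds = assume_role_credentials(sts_client, acct)
            except Exception as exc:   # botocore.exceptions.ClientError with a real client
                rows.append({"account": acct, "region": None, "id": None,
                             "state": f"ASSUME_ROLE_FAILED: {type(exc).__name__}: {exc}"})
                continue
        for region in regions:
            rows.extend(instances_in_account(ec2_client_for(acct, region, creds), acct, region))
    return rows


def boto3_ec2_client(account_id: str, region: str, creds: Optional[Dict[str, str]]):
    """Real factory for inventory(): a session with the assumed-role keys, or
    the default credential chain when creds is None."""
    import boto3
    return boto3.Session(region_name=region, **(creds or {})).client("ec2")


if __name__ == "__main__":
    import boto3
    sts = boto3.client("sts")
    me = sts.get_caller_identity()["Account"]          # must be the management account
    org = boto3.client("organizations")
    for row in inventory(org, sts, me, ["us-east-1", "eu-west-1"], boto3_ec2_client):
        print(row)
```

The failure rows are the diagnostic for the situation in the question: if a member account shows `ASSUME_ROLE_FAILED` with an AccessDenied message, either the role was never created in that (invited) account or the caller is not allowed `sts:AssumeRole` on it, and no amount of permissions granted inside the management account will make its instances appear.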