I work on AWS projects every day and have access to internal and customer AWS accounts. But I also manage some personal AWS accounts. They are useful for several reasons:
- I can run personal AWS applications, such as the smart home application I built.
- I can test new features, e.g. it was very helpful to learn about the CDK pipeline when it was introduced. I was able to create the accounts as suggested in the documentation. Later I was able to apply my knowledge to the customer project.
- If I have some permission issues, I can try to replicate the problem in my personal AWS accounts without any restrictions. I can try new services that are only available in organizational root accounts, such as AWS Identity Center.
Of course, I want to run the AWS account in a secure and convenient way. So I decided to manage the accounts as described in this article.
Account structure and AWS Organizations
Like a business, I created an AWS organization to manage my accounts. I'm using these accounts:
- Root account, which owns the organization
- Dev, Test, and Prod accounts to develop, test, and run my application
- Pipeline account, which contains an AWS CodePipeline to deploy to Dev, Int, Prod
- Sandbox account for testing new stuff (gets nuked after testing)
User management and authentication using AWS Identity Center
I'm sure AWS IAM user management was great when it first launched. Now, AWS IAM Identity Center has more features and is easier to use. For example, it provides an easy-to-use portal to access all accounts and roles, and it has improved MFA capabilities, such as support for Apple's TouchID. That is why I chose AWS Identity Center. It is set up in the AWS Organizations root account and connects to all accounts in the organization.
When you open the AWS IAM Identity Center portal, you can see the accounts and roles you can assume.
Temporary credentials and Leapp
AWS IAM Identity Center provides temporary credentials by default, which is a good security choice. It supports SSO integration with AWS CLI or manual download of access key, secret access key, and session token.
Personally, I prefer to use Leapp, a tool that supports secure cloud access in multi-account environments. Recently, the company behind Leapp announced the end of the commercial version. The open source version still exists and can be used.
Leapp displays all AWS accounts/roles that are configured in AWS Identity Center. If you select an account, the credentials can be used in the CLI. You can override the default profile so you don't have to pass a --profile parameter, or you can configure a named profile.
Nuking the sandbox account
When I'm learning a new AWS service or testing a complex scenario, I'm not always using infrastructure as code. In this case, it takes a long time to manually clean up an AWS account and delete all (expensive) resources.
To improve this process, I use aws-nuke, which automatically deletes all AWS resources in an AWS account. Be careful with this tool. The first time I used it, it also deleted the configuration required for IAM Identity Center, so I couldn't log in anymore.
aws-nuke supports filters to exclude resources that should not be deleted. I created filters to exclude the IAM Identity Center configuration and the resources created during AWS CDK bootstrapping. I ended up with these filters:
presets:
  common:
    filters:
      IAMRole:
        - "OrganizationAccountAccessRole"
        - type: glob
          value: "cdk-hnb659fds-*"
        - type: glob
          value: "AWSReservedSSO_AdministratorAccess_*"
      IAMRolePolicyAttachment:
        - "OrganizationAccountAccessRole -> AdministratorAccess"
        - type: glob
          value: "AWSReservedSSO_AdministratorAccess_* -> AdministratorAccess"
        - type: glob
          value: "cdk-hnb659fds-*"
      IAMRolePolicy:
        - type: glob
          value: "cdk-hnb659fds-*"
      IAMSAMLProvider:
        - type: glob
          value: "arn:aws:iam::*:saml-provider/AWSSSO_*_DO_NOT_DELETE"
      S3Bucket:
        - type: glob
          value: "s3://cdk-hnb659fds-assets*"
      SSMParameter:
        - "/cdk-bootstrap/hnb659fds/version"
      CloudFormationStack:
        - CDKToolkit
      ECRRepository:
        - type: glob
          value: "Repository: cdk-hnb659fds-container-assets-*"
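As an added example (not code from the article or from the aws-nuke project), the preset above can be checked offline before a real run against the sandbox: the script re-implements aws-nuke's exact/glob/regex/contains filter matching in Python (fnmatch stands in for aws-nuke's glob library, an assumption), applies the preset to a constructed sandbox inventory, and reports which resources would survive. The filter dictionary mirrors the article's preset, and the resource names are constructed, not read from a real account.

```python
import fnmatch
import re

# Mirrors part of the article's aws-nuke preset. Entries are either a bare
# string (exact match) or a {type, value} mapping, as in the YAML.
PRESET_FILTERS = {
    "IAMRole": [
        "OrganizationAccountAccessRole",
        {"type": "glob", "value": "cdk-hnb659fds-*"},
        {"type": "glob", "value": "AWSReservedSSO_AdministratorAccess_*"},
    ],
    "S3Bucket": [{"type": "glob", "value": "s3://cdk-hnb659fds-assets*"}],
    "CloudFormationStack": ["CDKToolkit"],
}

def filter_matches(entry, name):
    """Apply one filter entry (exact, glob, regex, contains) to a resource name."""
    if isinstance(entry, str):
        return name == entry
    ftype, value = entry.get("type", "exact"), entry["value"]
    if ftype == "exact":
        return name == value
    if ftype == "glob":  # assumption: fnmatch is close enough to aws-nuke's glob
        return fnmatch.fnmatchcase(name, value)
    if ftype == "regex":
        return re.search(value, name) is not None
    if ftype == "contains":
        return value in name
    raise ValueError(f"unsupported filter type: {ftype}")

def plan(filters, resources):
    """Split (resource_type, name) pairs into what aws-nuke would keep and remove."""
    keep, remove = [], []
    for rtype, name in resources:
        matched = any(filter_matches(e, name) for e in filters.get(rtype, []))
        (keep if matched else remove).append((rtype, name))
    return keep, remove

# Constructed sandbox inventory (not real account data).
SAMPLE_RESOURCES = [
    ("IAMRole", "AWSReservedSSO_AdministratorAccess_0123456789abcdef"),
    ("IAMRole", "cdk-hnb659fds-cfn-exec-role-111122223333-eu-central-1"),
    ("IAMRole", "my-experiment-lambda-role"),
    ("S3Bucket", "s3://cdk-hnb659fds-assets-111122223333-eu-central-1"),
    ("S3Bucket", "s3://my-experiment-bucket"),
    ("CloudFormationStack", "CDKToolkit"),
    ("CloudFormationStack", "MyExperimentStack"),
]

if __name__ == "__main__":
    keep, remove = plan(PRESET_FILTERS, SAMPLE_RESOURCES)
    for rtype, name in keep:
        print(f"keep   {rtype}: {name}")
    for rtype, name in remove:
        print(f"remove {rtype}: {name}")
```

If the Identity Center role ever lands in the remove list, the preset is missing a filter and aws-nuke's dry run (its default mode) should be inspected before running it for real.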
Summary
This setup works very well for me. AWS IAM Identity Center is great for managing users and logging into AWS accounts. Leapp is very helpful when using CLI credentials. However, it's not the only option, as AWS IAM Identity Center offers other ways to obtain credentials as well. I regularly use the sandbox account when testing or learning about AWS services. By deleting everything with aws-nuke, I can easily start with an empty AWS account - and of course, I don't have to pay for unused resources.