Hey everyone,
I've been diving into AWS for a few months now, and I'm starting to collaborate with a team of five. We're looking to implement AWS Organizations correctly. My understanding is that I can use Organizations along with Service Control Policies (SCPs) to manage the maximum roles that users can have in an Organizational Unit (OU). However, I'm at a crossroads regarding how to incorporate new users. Should I add new accounts directly to AWS Organizations, or is it better to create new users in IAM? I'm also curious about how these users inherit their roles and permissions, as well as SCPs. I'd love to hear what's worked for you!
Thanks in advance!
3 Answers
Avoid using IAM users for human access; it’s better for people to log into IAM Identity Center to get AWS account access. As for SCPs, you might need to clarify what you want to accomplish there. When you add new accounts, they should ideally be created within your AWS Organization directly. This keeps everything organized and under one management account.
Using IAM Identity Center is indeed a solid approach. For your two OUs (Prod and SDLC), yes, user identities generally need to be in one of those accounts, not the management account. To allow a user access to both environments, you'd usually declare the same identity in both. The way to set up these project accounts is typically to create a new email and account for each. It might seem odd, but it's pretty standard practice!
I feel the same way about creating new accounts. It's crucial to stick to AWS guidelines to avoid issues down the line.
You might want to check out IAM Identity Center for handling user access. It's designed for this kind of scenario. Just keep in mind that SCPs aren't really for preventing role assumption but to set limits on what actions IAM entities can perform across your organization. Think of them as a tool to manage what resources users can access, similar to a buffet selection.
Yep, I meant managing the accounts right from the Org. I think I might've confused normal IAM with the Identity options within Organizations. I primarily use SCPs to restrict certain services like blocking DynamoDB for safety. I'm trying to manage all identities from the management account for easier organization.
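As an added example (not from the thread, and not AWS tooling), the Python model below shows how an SCP like the "block DynamoDB" guardrail mentioned above combines with an identity-based policy: the effective permission is the intersection of the two, and the SCP is skipped for the management account because SCPs never apply there. Both policy documents are constructed for illustration, and the evaluator only models Effect and Action (Resource and Condition are ignored).

```python
from fnmatch import fnmatch

# Constructed SCP: the default FullAWSAccess allow plus a "no DynamoDB" guardrail.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "dynamodb:*", "Resource": "*"},
    ],
}

# Constructed identity policy, e.g. attached to an Identity Center permission set.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "dynamodb:PutItem"], "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_decision(policy, action):
    """Return 'deny', 'allow' or 'implicit_deny' for one policy document.
    Only Effect/Action are modelled (case-insensitive wildcard match);
    Resource and Condition are ignored to keep the example small."""
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        if any(fnmatch(action.lower(), p.lower()) for p in _as_list(stmt["Action"])):
            if stmt["Effect"] == "Deny":
                return "deny"  # an explicit deny always wins
            decision = "allow"
    return decision


def is_allowed(action, scp, identity_policy, management_account=False):
    """Effective permission is the intersection: the SCP must allow the action
    AND the identity policy must allow it. SCPs do not apply to the
    management account, so the SCP check is skipped there."""
    if not management_account and policy_decision(scp, action) != "allow":
        return False
    return policy_decision(identity_policy, action) == "allow"


if __name__ == "__main__":
    for act in ("s3:GetObject", "dynamodb:PutItem", "ec2:RunInstances"):
        print(act, "->", "allowed" if is_allowed(act, SCP, IDENTITY_POLICY) else "denied")
```

Note that the SCP alone grants nothing: ec2:RunInstances is denied even though the SCP allows "*", because the identity policy never grants it.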