Accessing other user resources with management account

0

I am the owner of the management account for my organization. However, I am unable to view or access the resources (EC2, S3, Lambda, etc.) created by a user within my same organization.

  • Both accounts are in the same organization.
  • The resources are in us-east-1. I have made sure to select this region when browsing AWS services.
  • Both accounts have the FullAWSAccess SCP attached.
  • I tried enabling Tag Policies, tagging all resources with a shared tag, and creating a tag-based resource group. However, only my EC2 instance shows up when I try to create the resource group.
  • I tried using Resource Access Manager to create a new resource share. However, the wizard results in an error: "Organization o-XXXXXXXXXX could not be found."
  • I am up to date with my billing.

How do I access resources created by other accounts in my organization?

1 Answer
4

As the management account owner, you won't be able to directly access resources created by other accounts within the organization by default. Each account in an AWS Organization is a separate entity, and resources created within those accounts are isolated for security reasons.

To access resources created by other accounts in your organization, you can do the following:

Cross-account access: You can create a cross-account IAM role in the member account that allows access to specific resources. Then, you can assume that role from your management account to access the resources in the member account. This is the recommended approach for accessing resources across accounts within an organization. Here is a brief outline of the process:

a. In the member account, create an IAM role that allows cross-account access, with the management account ID as a trusted entity.

b. Attach policies to the role that grant permissions to the resources you want to access.

c. In the management account, create an IAM user or role with the permission to assume the cross-account role.

d. Use the AWS CLI or SDK to assume the cross-account role and obtain temporary security credentials.

e. Use those temporary security credentials to access the resources in the member account.

For a detailed guide on setting up cross-account access, please refer to the AWS documentation: Tutorial: Delegate Access Across AWS Accounts Using IAM Roles

Resource sharing: In some cases, you can share resources across accounts using AWS Resource Access Manager (RAM) or specific service sharing features. For example, you can share Amazon RDS, Amazon S3, and VPC subnets across accounts. Note that this method is limited to specific services and resources, and it doesn't provide the same level of flexibility as cross-account access with IAM roles.

For more information:

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_share.html

answered a year ago
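The following is an added example, not code from the answer above or from AWS: it writes out the three policy documents the answer's steps a to c describe (the member-account role's trust policy, its permissions policy, and the management-account policy that permits `sts:AssumeRole` on that one role), adds a small audit of the trust policy for the two mistakes that matter most (trusting `*`, or trusting an account other than the management account), and maps the STS response from step d onto the environment variables the CLI and SDKs read in step e. Account IDs, the role name and the bucket name are constructed placeholders; the `sts:ExternalId` condition is a hardening step this example adds, not something the answer requires.

```python
"""Cross-account role building blocks for the steps in the answer above.

Added example, not part of the original post. All account IDs, role and
bucket names below are constructed placeholders.
"""
import json
import re

# Constructed placeholder identifiers (the 12-digit account IDs are fake).
MANAGEMENT_ACCOUNT = "111111111111"
MEMBER_ACCOUNT = "222222222222"
ROLE_NAME = "ManagementReadOnlyAccess"
ROLE_ARN = f"arn:aws:iam::{MEMBER_ACCOUNT}:role/{ROLE_NAME}"


def trust_policy(trusted_account: str, external_id: str) -> dict:
    """Step a: trust policy for the role created in the member account.

    Trusts the management account (any principal there that is itself allowed
    to call sts:AssumeRole) and requires an ExternalId so the role cannot be
    assumed by accident from an unrelated automation context (an addition
    beyond the answer's outline).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permissions_policy(bucket: str) -> dict:
    """Step b: read-only permissions attached to the member-account role,
    covering the services named in the question (EC2, S3, Lambda)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["ec2:Describe*", "lambda:List*", "lambda:Get*"],
             "Resource": "*"},
            {"Effect": "Allow",
             "Action": ["s3:ListBucket", "s3:GetObject"],
             "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]},
        ],
    }


def assume_role_policy(role_arn: str) -> dict:
    """Step c: policy for the management-account user or role.
    Scoped to the single role ARN rather than Resource: '*'."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Resource": role_arn}],
    }


def audit_trust_policy(policy: dict, expected_account: str) -> list:
    """Return the problems found in a trust policy (empty list means it passes)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else aws
        for p in aws:
            if p == "*":
                findings.append("trusts every AWS principal ('*')")
            else:
                m = re.match(r"arn:aws:iam::(\d{12}):", p)
                if not m or m.group(1) != expected_account:
                    findings.append(f"trusts unexpected principal {p}")
        if "sts:ExternalId" not in json.dumps(stmt.get("Condition", {})):
            findings.append("no sts:ExternalId condition")
    return findings


def credentials_to_env(assume_role_response: dict) -> dict:
    """Steps d and e: map the STS AssumeRole response (as returned by
    `aws sts assume-role --role-arn ... --role-session-name ... --external-id ...`)
    onto the environment variables the AWS CLI and SDKs read."""
    c = assume_role_response["Credentials"]
    return {
        "AWS_ACCESS_KEY_ID": c["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": c["SecretAccessKey"],
        "AWS_SESSION_TOKEN": c["SessionToken"],
    }


if __name__ == "__main__":
    tp = trust_policy(MANAGEMENT_ACCOUNT, "example-external-id")
    print(json.dumps(tp, indent=2))
    print("trust policy findings:", audit_trust_policy(tp, MANAGEMENT_ACCOUNT))
    print(json.dumps(permissions_policy("example-shared-bucket"), indent=2))
    print(json.dumps(assume_role_policy(ROLE_ARN), indent=2))
```

The audit is the part worth keeping around: a trust policy that names `"AWS": "*"` as its principal, or names the wrong account, grants the role to far more than the management account, and neither mistake produces an error when the role is created.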
  • I'm sure this is probably the "correct" answer, but I'm beginning to believe that this is impossible. Create IAM. Create policy. Attach policy to group. Delegate group to Elastic Beanstalk. Weave Elastic Beanstalk into AWS Wickr basket.

    There is no reason for this to be so difficult.

    I don't have any IAM user groups. If I create one, I don't see how to add my own user account to the group so I can attach the cross-account policy.

    I simply have two AWS accounts under a root AWS organization, and I want to share resources.

    I appreciate your help, but I think this is where I give up.

  • Good answer, thanks. What about sharing a domain, hosted zone and SSL certificate configured in the managing account with member accounts (which need to create subdomains and reuse the same SSL certificate)? As per repost.aws/questions/QUfrJ35N49Qx6scr2c9n_z_A/share-domain-and-ssl-certificate-within-member-accounts-in-an-organization

    From the managing account I can assume member accounts' role (e.g. OrganizationAccountAccessRole) to create resources and such. But can these member accounts access the mentioned Route 53 resources from the managing account? Those resources don't seem available in AWS Resource Access Manager (RAM).
