blob: 6e45aa4044b612d9bfc7a18c865ceefad4d60351 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
|
# Account setup notes
## Initial setup
### Creating the initial management account and initial configuration
Opening an account requires a credit card and a phone number.
Go to "IAM Identity Center" and enable it in your preferred region.
This enables AWS Organizations and creates a `Root` OU that contains the management account.
By default, this uses an internal "Identity Center directory".
Alternatively, you can integrate with an external identity provider.
(TODO: using SAML?)
Create an `Admins` group.
Create an `admin` user, adding the user to the `Admins` group.
Create a predefined permission set with the `AdministratorAccess` policy.
Go to multi-account permissions, AWS accounts, select the management account and click "assign users or groups".
Assign the `Admins` group with the `AdministratorAccess` permission set.
Note the "AWS access portal URL", users use this URL to log in.
### Setting up the `admin` user
Depending on how you created the user, you create the password by following an email link or you receive an initial password.
You have to set up MFA.
When the user signs in, they are redirected to the AWS access portal.
An account tab displays the AWS accounts that the user can access.
Expand the account and click `AdministratorAccess` to access the AWS Console with full administrator access.
#### Configuring `awscli`
```
$ aws configure sso
SSO session name (Recommended): ${enter something}
SSO start URL [None]: ${the AWS access portal URL from an earlier step}
SSO region [None]: ${enter one}
SSO registration scopes [sso:account:access]: ${leave blank}
```
The `configure sso` command prints:
```
aws s3 ls --profile ${your profile name}
```
You can use this command to test access.
To log in again:
```
aws sso login --profile ${the profile name from an earlier step}
```
## First steps with AWS Organization Formation
```
npx --package aws-organization-formation -- org-formation init ${starter template yaml} --profile ${the profile name from an earlier step}
```
This command creates a `${starter template yaml}` file with the skeleton of your current AWS account structure.
## Account closure
For tests, you might want to tear down an account and start from scratch.
[Close an AWS account](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-closing.html) says:
> Within a few minutes, you should receive an email confirmation that your account has been closed.
> If you don’t receive this email within a few hours ...
You cannot create a new account with the same account email until the account is completely removed.
(TODO: when? I deleted my account around August 19th 23:00 and I have not received it after half an hour.)
Create more email addresses or use plus addressing for faster experiments.
(Note to self: OVH "redirect" supports plus addressing.)
## References
* [AWS Organization Formation](https://github.com/org-formation) declarative management of AWS accounts
* [org-formation-reference](https://github.com/org-formation/org-formation-reference) A reference architecture which aims to provide some best practices for any AWS Organization starting out using org-formation.
* [Part 1 – Managing AWS accounts like a PRO](https://fourtheorem.com/managing-aws-accounts-part-1/)
* [Part 2 – Managing accounts using IaC with OrgFormation](https://fourtheorem.com/managing-accounts-using-iac-and-orgformation/)
|
