hands-on lab

Cross-account access in AWS

Difficulty: Intermediate
Duration: Up to 2 hours
Students: 666
Rating: 4.1/5
On average, students complete this lab in 50m

Description

Organizations opt to use multiple AWS accounts for a variety of reasons including:

  • Cost management
  • Constraining access to sensitive information
  • Reducing the impact of breaches
  • Logically grouping workloads by business units

Users and groups within one AWS account will often need to access resources in another AWS account. Instead of creating separate IAM users and groups in each account, access can be delegated to IAM users and groups in a different AWS account using cross-account IAM roles. Certain services also provide resource-based policies to allow access across accounts. This lab walks through the mechanics of configuring and using cross-account roles and resource-based policies, specifically S3 bucket policies. Policy evaluation logic is also discussed.
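To make the mechanics described above concrete, here is an added illustration (not the lab's own code or AWS's implementation) that models the policy evaluation rules the lab covers: an explicit Deny always wins, a same-account request needs an Allow from either an identity-based or a resource-based policy, and a cross-account request needs an Allow from both. The account IDs, bucket name, role name and all ARNs are constructed placeholders; the matching is deliberately simplified (no NotAction, NotResource or Condition elements). The bucket owner's account is passed in explicitly because S3 ARNs do not carry an account ID.

```python
"""Toy model of the AWS policy evaluation rules that decide the lab's
cross-account S3 requests. Added illustration, not the lab's own code;
accounts, names and ARNs below are constructed placeholders."""
import fnmatch

BUILD_ACCOUNT = "111111111111"                      # constructed: owns the deployment bucket
DEV_ACCOUNT = "222222222222"                        # constructed: home account of the uploader
BUCKET_ARN = "arn:aws:s3:::example-deploy-bucket"   # constructed bucket name
DEV_USER = f"arn:aws:iam::{DEV_ACCOUNT}:user/deployer"
ROLE_ARN = f"arn:aws:iam::{BUILD_ACCOUNT}:role/CrossAccountDeploy"
SESSION = f"arn:aws:sts::{BUILD_ACCOUNT}:assumed-role/CrossAccountDeploy/cli"


def policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}


# Identity-based policy attached to the dev-account user (constructed).
DEV_USER_POLICY = policy(
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN},
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": f"{BUCKET_ARN}/*"},
)
# Trust policy on the role in the build account: any principal in the dev
# account may assume it, subject to that principal's own identity policy.
ROLE_TRUST_POLICY = policy(
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{DEV_ACCOUNT}:root"},
     "Action": "sts:AssumeRole"},
)
# Permissions policy attached to the role (constructed).
ROLE_PERMISSIONS = policy(
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"], "Resource": f"{BUCKET_ARN}/*"},
)
# Bucket policy: grants the dev user direct access, and denies everyone the
# secrets/ prefix regardless of any other Allow (constructed).
BUCKET_POLICY = policy(
    {"Effect": "Allow", "Principal": {"AWS": DEV_USER}, "Action": "s3:PutObject",
     "Resource": f"{BUCKET_ARN}/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": f"{BUCKET_ARN}/secrets/*"},
)
NO_POLICY = policy()


def _matches(spec, value):
    patterns = spec if isinstance(spec, list) else [spec]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _principal_matches(spec, principal_arn, principal_account):
    """Resource-based policies name principals by ARN, account ID, account root or '*'."""
    if spec == "*":
        return True
    allowed = spec.get("AWS", [])
    allowed = allowed if isinstance(allowed, list) else [allowed]
    root = f"arn:aws:iam::{principal_account}:root"
    return any(p in ("*", principal_arn, principal_account, root) for p in allowed)


def _effects(statements, action, resource, principal=None):
    """Effects of every statement whose Action/Resource (and Principal, for a
    resource-based policy) match the request. A trust policy carries no
    Resource element: it applies to the role it is attached to."""
    out = []
    for s in statements:
        if not _matches(s.get("Action", []), action):
            continue
        if not _matches(s.get("Resource", "*"), resource):
            continue
        if principal is not None and not _principal_matches(s.get("Principal", {}), *principal):
            continue
        out.append(s["Effect"])
    return out


def evaluate(principal_arn, action, resource, identity_policy, resource_policy, resource_account):
    """Decide one request: explicit Deny wins; same-account needs an Allow in
    either policy; cross-account needs an Allow in both."""
    principal_account = principal_arn.split(":")[4]
    identity = _effects(identity_policy["Statement"], action, resource)
    resource_based = _effects(resource_policy["Statement"], action, resource,
                              (principal_arn, principal_account))
    if "Deny" in identity or "Deny" in resource_based:
        return "DENY"
    if principal_account == resource_account:
        return "ALLOW" if "Allow" in identity or "Allow" in resource_based else "DENY"
    return "ALLOW" if "Allow" in identity and "Allow" in resource_based else "DENY"


def run_scenarios():
    """The lab's upload paths, decided by the rules above."""
    app = f"{BUCKET_ARN}/app.zip"
    return {
        # Direct cross-account PutObject without a bucket policy: identity Allow alone is not enough.
        "direct_no_bucket_policy": evaluate(DEV_USER, "s3:PutObject", app, DEV_USER_POLICY, NO_POLICY, BUILD_ACCOUNT),
        # Same request once the bucket policy names the dev user.
        "direct_with_bucket_policy": evaluate(DEV_USER, "s3:PutObject", app, DEV_USER_POLICY, BUCKET_POLICY, BUILD_ACCOUNT),
        # Assuming the role: trust policy (resource-based) plus the user's identity policy.
        "assume_role": evaluate(DEV_USER, "sts:AssumeRole", ROLE_ARN, DEV_USER_POLICY, ROLE_TRUST_POLICY, BUILD_ACCOUNT),
        # The assumed-role session is a build-account principal, so its permissions policy suffices.
        "session_put": evaluate(SESSION, "s3:PutObject", app, ROLE_PERMISSIONS, NO_POLICY, BUILD_ACCOUNT),
        # Explicit Deny in the bucket policy overrides the role's Allow.
        "session_put_secrets": evaluate(SESSION, "s3:PutObject", f"{BUCKET_ARN}/secrets/x", ROLE_PERMISSIONS, BUCKET_POLICY, BUILD_ACCOUNT),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:28} {decision}")
```

The two routes the lab walks through show up as two different decisions: the direct request from the dev-account user is refused until the bucket policy names that user, whereas once the user has assumed the cross-account role, the session is a principal of the bucket owner's account and the role's own permissions policy is sufficient. The last scenario is the reason to put guard-rail Deny statements in the bucket policy rather than relying on each role's permissions being scoped correctly.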

Learning objectives

Upon completion of this intermediate-level lab, you will be able to:

  • Understand how cross-account roles are configured
  • Assume different roles in the AWS Management Console
  • Assume different roles using the AWS CLI
  • Understand and configure Amazon S3 bucket policies in the context of cross-account access
  • Describe the policy evaluation logic flow in AWS

Intended audiences

  • AWS Security Engineers
  • Cloud practitioners
  • AWS Account Administrators

Prerequisites

Familiarity with the following is recommended:

  • Basic IAM entities (users, user groups, policies, roles)
  • Basic Amazon S3 concepts (buckets, objects)

The following content can be used to fulfill the prerequisite:

Updates

May 9th, 2024 - Resolved an issue causing validation checks to fail

September 15th, 2023 - Resolved an issue causing the build account S3 bucket to not provision

Environment before

Environment after

Lab steps

  1. Logging In to the Amazon Web Services Console
  2. Explaining the cross-account scenario
  3. Creating a cross-account role
  4. Uploading the deployment assets via the console
  5. Adjusting the cross-account role for the AWS CLI
  6. Uploading the deployment assets via the AWS CLI
  7. Controlling access with resource-based policies
  8. Uploading the deployment asset using bucket policy access
  9. Understanding S3 object ownership and ACLs
  10. Uploading the deployment asset with bucket owner enforced