设计一项 AWS 服务,用于监控和控制多个不同 AWS 账户中的资源
[英]Design of one AWS service that monitors & controls resources in several different AWS accounts
问题描述
Say I have set up this service in account A, and I want it to monitor & control resources in accounts B and C. I'm planning to create IAM roles in B & C, then use STS in A to get access to the resources, like in https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html .
假设我在账户 A 中设置了此服务,我希望它监视和控制账户 B 和 C 中的资源。我计划在 B 和 C 中创建 IAM 角色,然后在 A 中使用 STS 来访问资源,就像在https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html 中一样。 I assume the service is allowed to have access to multiple different accounts at once.我假设该服务可以同时访问多个不同的帐户。 This solution is more easily scaled should I need to monitor resources in accounts E, F, G...如果我需要监视帐户 E、F、G 中的资源,则此解决方案更容易扩展...
An alternative is to deploy the service in accounts B & C, then there is no need for cross account access, but harder to scale.另一种方法是在账户 B 和 C 中部署服务,这样就不需要跨账户访问,但更难扩展。
I'm not sure which approach is better and am a beginner in AWS.我不确定哪种方法更好,我是 AWS 的初学者。 Any help appreciated, thanks.任何帮助表示赞赏,谢谢。
2 个解决方案
解决方案1
0 2021-08-01 01:50:39
Why not a user in each account with the right permissions (AWS API access, mostly read I would assume).为什么不是每个帐户中的用户都具有正确的权限(AWS API 访问,我认为主要是阅读)。 That service of yours can be living anywhere (Say Azure or your aunt's laptop) and connects with all those users to each account.您的这项服务可以位于任何地方(比如 Azure 或您阿姨的笔记本电脑),并将所有这些用户连接到每个帐户。
That way you can control access from each account without affecting monitoring of other accounts, and the service itself should be easy to maintain (add/remove users with api access to AWS).这样您就可以控制每个账户的访问,而不会影响对其他账户的监控,而且服务本身应该易于维护(添加/删除具有 AWS api 访问权限的用户)。 Should be clear who goes where, And easy to move around.应该清楚谁去哪里,并且容易走动。
解决方案2
0 2021-08-01 02:27:41
Your approach of creating an identical IAM Role in each account is good.您在每个账户中创建相同 IAM 角色的方法很好。
This is frequently done with 3rd-party services, such as a virus-scanning service since it gives them access to accounts that might belong to other companies, but permissions are limited to what was granted via the IAM Role.这通常通过 3rd 方服务完成,例如病毒扫描服务,因为它允许他们访问可能属于其他公司的帐户,但权限仅限于通过 IAM 角色授予的权限。
The approach is also much easier to manage than putting your service in each account, since it would need additional permissions to deploy, monitor and maintain those services.该方法也容易得多不是把你的服务在每个帐户进行管理,因为它需要额外的权限来部署,监控和维护这些服务。 By doing it all from your own AWS Account, you have access to everything necessary to maintain and operate your service.通过从您自己的 AWS 账户完成所有操作,您可以访问维护和运营您的服务所需的一切。
Please note that your service would call AssumeRole() , providing the ARN (Amazon Resource Name) of the IAM Role you wish to assume.请注意,您的服务将调用AssumeRole() ,提供您希望担任的 IAM 角色的 ARN(亚马逊资源名称)。 The ARN includes the Account Number. ARN 包括帐号。 AWS STS would then provide back some temporary credentials that your service can use to access resources using the permissions of that IAM Role.然后,AWS STS 会提供一些临时凭证,您的服务可以使用这些凭证通过该 IAM 角色的权限访问资源。
So, it is not quite accurate to say "I assume the service is allowed to have access to multiple different accounts at once" .因此,说“我假设该服务可以同时访问多个不同的帐户”并不十分准确。 Rather, AssumeRole needs to be called for each account 'assumed' separately, and the credentials returned will be different for each AWS Account.相反,需要为每个“假定”的账户分别调用AssumeRole ,并且每个 AWS 账户返回的凭证都不同。 So, they aren't being accessed "all at once", but rather "one per set of credentials".因此,它们不会被“一次性”访问,而是“每组凭据一个”。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.