-1

We have one person that has been in charge of all AWS resources for our company, including EC2, elastic IPs, EBS storage, etc. Now we want a second person to also have access to ALL the resources in the first persons account.

So far we have:

  • invited the second person to the Organization
  • completed the "Enable All Features" process in the organization (including both users accepting it and then finalizing it)
  • gone to the Resource Access Manager > Settings and checked "Enable sharing with AWS Organizations"

But the second person still cannot see the resources from the first person's account.

I'm sure we're just missing something straight forward, such as:

  • maybe the second person has to designate he's looking specifically at the organization's resources
  • maybe the first person needs to specifically say "share everything" somehow
  • maybe the first person needs to designate the resources in his account as Organization resources
  • maybe create some sort of resource share in the Resource Access Manager (When we checked Enable sharing with AWS Organization, it said "If you enable sharing with the accounts of your organization, you can share resources without using invitations", so we did not think this was necessary)

We've been unable to find a clear tutorial or documentation on how to accomplish this. What step are we missing? How do we set this up?

dallin
  • 109
  • 1
  • 3
  • 1
    I'm not quite clear on whether you're using [AIM](https://aws.amazon.com/iam/)? Normal flow is to have a root account (that you generally don't use) and then use AIM users for normal access. All with 2FA of course :) – Halfgaar Feb 10 '21 at 20:33
  • @Halfgaar means IAM, identity and access management – Tim Feb 10 '21 at 20:42

2 Answers2

2

This question doesn't really make sense to me. If you want a second person to have access to the AWS resources simply go into AWS IAM and create them an IAM user. Make sure you set up MFA. AWS Organisations is very useful but based on what little I understand about your question isn't relevant at all.

The first user should NOT be using the root account. Typically you create the account, set up MFA, set up IAM accounts for all users, then lock away the root credentials.

If you really do need to accounts with resources shared it really depends what you're trying to achieve. If this is the case please close this question off and ask another question that says what you're trying to achieve big picture.

AWS is a complex enterprise platform. If your organisation is going to use it you're going to need training and ideally certification.

Tim
  • 30,383
  • 6
  • 47
  • 77
  • I will look into IAM accounts. It sounds like I have a fundamental misunderstanding of the purposes of AWS organizations. What are they for, if not to share resources? – dallin Feb 12 '21 at 00:31
2

You don't need to invite the second person AWS account into your organization.

In order to grant access to the second user to the first person AWS account you have two main options:

  • create an IAM user - As suggested in the answer from @Tim you can simply create an IAM user for the second person in the first person AWS account.
  • use a cross-account IAM role - If the second person is someone outside your organization you can create a IAM role in the first person AWS account in which you can trust the second person's AWS account.
Nick
  • 341
  • 1
  • 4