
How can I access the AWS Landing Zone core accounts after creating an AWS Landing Zone?

This is what I have done so far:

  1. Deploy the AWS Landing Zone based on the AWS Landing Zone initiation template
  2. Let the CodePipeline execute the aws-landing-zone-configuration.zip file
  3. I can see that the shared services, security and log archive accounts have been created and added to the core OU when I look at the AWS Organization in the console

Of course, since I created the accounts, I know the root email address and I can use it to reset the root password, but that is beside the point.

matsev

3 Answers


You can Switch Role to the other core accounts assuming the OrganizationAccountAccessRole. Landing Zone doesn't allow this by default, so you'll have to set that up.

Paco
  • Can you please elaborate on what changes I have to do to the Landing Zone? – matsev Feb 18 '19 at 07:43
  • Sorry that I wasn't clear enough. I meant to say that cross-account access is not something LandingZone offers by default. To get that, you have to devise your own solution. One possible solution would be to set up the `OrganizationAccountAccessRole` role as described in https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html – Paco Feb 19 '19 at 00:12
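One way to set up the cross-account role that the answer above refers to, as an added example that is not from this thread or from the AWS Landing Zone templates: a CloudFormation template that creates OrganizationAccountAccessRole in a core account, trusted only by the Organizations master account. The master account id parameter, the role name parameter and the MFA condition are assumptions made here.

```yaml
# Added example, not from the thread or from AWS Landing Zone: creates a
# cross-account admin role in a core account that the Organizations master
# account can switch into. Assumed: the master account id is passed as a
# parameter and its users authenticate with MFA (drop the Condition if not).
AWSTemplateFormatVersion: '2010-09-09'
Description: Cross-account admin role trusted by the Organizations master account

Parameters:
  MasterAccountId:
    Type: String
    AllowedPattern: '^[0-9]{12}$'
    Description: 12-digit id of the AWS Organizations master (management) account
  RoleName:
    Type: String
    Default: OrganizationAccountAccessRole
    Description: Name of the role to create in this core account

Resources:
  CrossAccountAccessRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref RoleName
      # Trust policy: only principals in the master account may assume this
      # role, and only from an MFA-authenticated session. Trusting the account
      # root delegates the choice of which users or roles may call
      # sts:AssumeRole to IAM policies in the master account.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${MasterAccountId}:root'
            Action: sts:AssumeRole
            Condition:
              Bool:
                aws:MultiFactorAuthPresent: 'true'
      # Full admin, matching what Organizations grants when it creates the
      # role itself; swap in ReadOnlyAccess for an auditor variant.
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AdministratorAccess

Outputs:
  RoleArn:
    Description: ARN for the console Switch Role dialog or sts assume-role
    Value: !GetAtt CrossAccountAccessRole.Arn
```

Deploy it from the master account as a StackSet targeting the core accounts (or directly in each core account), then use the console Switch Role dialog with the core account id and role name, or run `aws sts assume-role --role-arn <RoleArn output> --role-session-name lz-admin` from the master account.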

The AWS Landing Zone is deployed into the AWS Organizations account. When you first create the Landing Zone stack from the latest Landing Zone initiation template, you must supply various input parameters, including the primary email addresses for the core accounts that the landing zone creates, namely:

  1. Log Archive account (LoggingAccountEmail)
  2. Security account (SecurityAccountEmail)
  3. Shared Services account (SharedServicesAccountEmail)

See the Landing Zone CloudFormation template for more details:

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
    - Label:
        default: Landing Zone Core Account Configuration
      Parameters:
      - SharedServicesAccountEmail
      - LoggingAccountEmail
      - SecurityAccountEmail
      - NestedOUDelimiter
      - CoreOUName
      - NonCoreOUNames
      - SecurityAlertEmail
      - LockStackSetsExecutionRole
      - SubscribeAllChangeEventsEmailToTopic
      - AllChangeEventsEmail

When the Security, Log Archive or Shared Services core accounts are created, AWS Organizations initially assigns a password to the root user for each core account that is a minimum of 64 characters long. All characters are randomly generated with no guarantees on the appearance of certain character sets.

You can't retrieve this initial password.

To access the account as the root user for the first time, you must go through the process for password recovery.

See here for more information.

Ultradoxx
  • Thanks. As I described in the last sentence of my question, I am aware of the password recovery / password reset option. I was looking for other solutions that do not involve the root email addresses. – matsev May 27 '19 at 08:22
  • Sorry, I missed your last sentence! But just to be clear, why do you say that "is beside the point". It's the only way you can access the core accounts. Once you've reset the password, you can log on to these created core accounts, create new users, etc., and then connect any way you like as with any new AWS account. Am I missing something? – Ultradoxx May 28 '19 at 17:34
  • What I think @matsev means (and I was expecting the same thing) is that a LZ setup already defines a way (IAM role) for the admin to switch to these accounts. Going through a root account email reset seems very odd. Plus (as suggested in the other answer) a custom implementation of a role to switch. – Federico May 22 '20 at 02:19

In the AWS Landing Zone user guide on page 5 under “Security Account”, a way is described for security account IAM users to utilize the switch role feature with two existing roles deployed via AVM:

The Security account creates auditor (read-only) and administrator (full-access) cross-account roles from a Security account to all AWS Landing Zone managed accounts. The intent of these roles is to be used by security and compliance teams to audit, such as hosting custom AWS Config Rule lambda functions, or perform automated security operations, such as perform remediation actions.

I have tried to utilize these roles but unfortunately haven't been able to set up the assume-role policy, as by default the trusted entity is set to the ARN of the same role defined in the security account. I am not able to switch to this local role in the security account, as I cannot change the permissions on this role, probably due to preventive guardrails. So I guess we need to either customize it in the ALZ CFN templates or do some hack around these preventive guardrails. I cannot believe that AWS promotes this feature in their user guide and that it doesn't work out of the box. Does somebody have any experience with this? I will provide more specific details as soon as I have access to my AWS environment again. I know that this does not provide a complete solution to this question, and that it may be a completely different question, but I think that it can provide a hint towards the solution, so I made a post here to engage more activity toward the solution.

Update:

The names of those two roles are:

  • AWSLandingZoneAdminExecutionRole
  • AWSLandingZoneReadOnlyExecutionRole
bkalcho