AWS CROSS ACCOUNT ACCESS | CONNECT OTHER AWS ACCOUNT EC2

Posted on February 6, 2024



AGENDA
We have a requirement to access and use AWS EC2 instances from a different AWS account (that is, two different organizations). To do this we create a role in the account where the EC2 instances exist and attach an inline policy with specific permissions to that role, so the role carries only those permissions. That role is then assumed from the other AWS account.

However, if you need to access resources across two accounts that belong to the same organization (two different users from the same organization), use IAM Identity Center instead: IAM Identity Center > AWS accounts > select the account > add users under that account > assign a permission set. Then sign in through the AWS access portal URL shown under IAM Identity Center.

1- Activities in the AWS account (call it AWSaccount01) where the EC2 resources exist
1.1- Role creation
1.2- Inline Policy
1.3- Permission

2- Connect to the EC2 resources from a different AWS account (call it AWSaccount02)
2.1- Cross Account Access

1.1- Role Creation
Create a role and select the "AWS account" option shown in the screenshot below. Then enter the ID of the AWS account from which you need to access the EC2 instances that exist in this account.
Skip the Add permissions window shown in the screenshot below.
Proceed and create the role without any policy or permissions (we will create an inline policy for this role later).
1.2- Inline Policy

Now create an inline policy. Unlike the managed policies that already exist, an inline policy is one we write ourselves for exactly the permissions we need.

1.3- Permissions
As shown in the screenshot below, select the start and stop EC2 instance actions together with EC2 describe and a few other list permissions.
Now proceed to finish.
The inline policy is now attached to the role, as shown in the screenshot below.
2.1- Cross Account Access

Now log in to the AWS account from which you need to access the resources in the other account and click Switch Role.
You will see the window below. Provide the AWS account that holds the resources and the name of the role you created there, then click Switch Role. You will land in a different AWS console where you can only see the EC2 instances.
The screenshot below shows that, after switching to the account that holds the EC2 resources, those instances are available and ready to use, while all other resources are restricted or not accessible.
In the screenshot below, the instances can be listed.
In the screenshot below, starting an instance shows that the logged-in user who just switched accounts is able to start the EC2 instance.
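The two policy documents behind steps 1.1 to 1.3, plus a small check of what the switched-in role can and cannot do, as an added example that is not part of the original post. The account IDs and the role name are constructed placeholders, and the evaluator is a simplified approximation of IAM's action matching (wildcards, explicit Deny wins, default deny) with no resource or condition handling.

```python
import fnmatch
import json

# Constructed placeholder account IDs and role name (not real accounts).
RESOURCE_ACCOUNT = "111111111111"      # AWSaccount01: where the EC2 instances live
CALLER_ACCOUNT = "222222222222"        # AWSaccount02: the account that switches role
ROLE_NAME = "CrossAccountEC2Operator"  # assumed name for the role created in step 1.1


def trust_policy(caller_account: str) -> dict:
    """Trust policy for the role (step 1.1): lets principals in the other account assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{caller_account}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def inline_policy() -> dict:
    """Inline policy (steps 1.2-1.3): describe/list plus start/stop on EC2, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["ec2:Describe*", "ec2:StartInstances", "ec2:StopInstances"],
            "Resource": "*",
        }],
    }


def role_arn(resource_account: str, role_name: str) -> str:
    """ARN of the role; the Switch Role dialog takes its account ID and name (step 2.1)."""
    return f"arn:aws:iam::{resource_account}:role/{role_name}"


def is_allowed(policy: dict, action: str) -> bool:
    """Simplified evaluator: explicit Deny wins, a matching Allow permits, otherwise deny."""
    allowed = False
    for stmt in policy["Statement"]:
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        # IAM action names are case-insensitive and support '*' wildcards.
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    print(json.dumps(trust_policy(CALLER_ACCOUNT), indent=2))
    print(json.dumps(inline_policy(), indent=2))
    print("Switch Role target:", role_arn(RESOURCE_ACCOUNT, ROLE_NAME))
    for act in ["ec2:DescribeInstances", "ec2:StartInstances",
                "ec2:TerminateInstances", "s3:ListAllMyBuckets"]:
        print(f"{act}: {'allowed' if is_allowed(inline_policy(), act) else 'denied'}")
```

Running it shows why the switched-in console lists and starts instances but cannot terminate them or reach other services: only the listed EC2 actions match the inline policy.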
Posted in: Tech News