Redesign of a Client-Server Architecture

Question

Hello, Our current client-server architecture is for each client there is a separate AWS account and for the server, one account is there. Each client account has an EC2 instance running a web application which is connected through an AppSync. Each client calls their own AppSync and other AWS services hosted in their individual accounts. Separate accounts are created since these clients have confidential information to be stored in RDSs, etc. Is there a way to use a centralized AppSync but have to navigate to each account depending on the user? Or any other suggestions to improve the architectural design?

Answer

Hello,

* Utilize AWS Organizations for centralized management of client accounts and enable Single Sign-On (SSO) through either AWS SSO or Cognito. Each client's web application can then assume a role within their respective accounts to initiate API calls to backend services hosted in a centralized "server" account. These services include AppSync, RDS multi-AZ cross-region read replicas, S3, and others.
* Another suggestion would be to configure AppSync to use IAM roles to authenticate and authorize access to the backend AWS resource

Thanks

Redesign of a Client-Server Architecture

関連するコンテンツ