There are some things in your question which aren't clear.
For example, you say "no one can access these [websites] even the management account". What do you mean by access? Is access "browse the website"? Is access "change the website"?
What it sounds like is that you need the following resources for each website:
- CloudFront distribution to host the website
- S3 bucket to store the static content
- API gateway for dynamic content
- Lambda functions linked to the API Gateway
These are all things that can be defined in CloudFormation and in a single template if you like. Use Service Catalog to deliver this as a template to each account so that the users can deploy it.
Configure appropriate IAM permissions so that the users cannot modify the Lambda functions - however, I'd note that this is more difficult than it seems. If the users can't modify the functions then they can't update them either. You would need to do that from your central account. Or you host the Lambda functions in the central account behind a central API Gateway.
Edit to add: In order to have only specific users browse a website you're going to need some sort of authentication mechanism. Perhaps Cognito federated with the corporate identity service and then allow access by username and group? Or perhaps using AWS SSO?
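The per-website stack the answer describes, written out as a CloudFormation template. This is an added example, not code from the answerer or from AWS: it assumes a parameter `SiteName` and the resource names below, and it pairs the four resources with a managed IAM policy that denies changes to the Lambda function, which is the permission boundary the answer says is harder than it looks.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Constructed example - one static website with S3, CloudFront, an HTTP API and a Lambda backend.

Parameters:
  SiteName:
    Type: String
    Description: Short name prefixed to resources (assumed, e.g. site-a)

Resources:
  # Static content. Public access is blocked; only CloudFront reads from it.
  StaticBucket:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  OriginAccessControl:
    Type: AWS::CloudFront::OriginAccessControl
    Properties:
      OriginAccessControlConfig:
        Name: !Sub "${SiteName}-oac"
        OriginAccessControlOriginType: s3
        SigningBehavior: always
        SigningProtocol: sigv4

  Distribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        DefaultRootObject: index.html
        Origins:
          - Id: s3-origin
            DomainName: !GetAtt StaticBucket.RegionalDomainName
            OriginAccessControlId: !GetAtt OriginAccessControl.Id
            S3OriginConfig:
              OriginAccessIdentity: ""   # empty: OAC is used instead of a legacy OAI
        DefaultCacheBehavior:
          TargetOriginId: s3-origin
          ViewerProtocolPolicy: redirect-to-https
          ForwardedValues:
            QueryString: false

  # Bucket policy scoped to this one distribution, so no other principal can read objects.
  StaticBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref StaticBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudfront.amazonaws.com
            Action: s3:GetObject
            Resource: !Sub "${StaticBucket.Arn}/*"
            Condition:
              StringEquals:
                AWS:SourceArn: !Sub "arn:aws:cloudfront::${AWS::AccountId}:distribution/${Distribution}"

  FunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: lambda.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

  # Placeholder handler; the real code is deployed by the central pipeline.
  ApiFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt FunctionRole.Arn
      Code:
        ZipFile: |
          def handler(event, context):
              return {"statusCode": 200, "body": "ok"}

  # HTTP API quick-create: Target wires a default route and stage to the function.
  HttpApi:
    Type: AWS::ApiGatewayV2::Api
    Properties:
      Name: !Sub "${SiteName}-api"
      ProtocolType: HTTP
      Target: !GetAtt ApiFunction.Arn

  InvokePermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref ApiFunction
      Action: lambda:InvokeFunction
      Principal: apigateway.amazonaws.com
      SourceArn: !Sub "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${HttpApi}/*"

  # Attach to the spoke-account users' role or group: explicit Deny wins over any Allow,
  # so they can invoke and view the function but cannot alter its code or configuration.
  NoLambdaChangesPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Deny
            Action:
              - lambda:UpdateFunctionCode
              - lambda:UpdateFunctionConfiguration
              - lambda:DeleteFunction
              - lambda:AddPermission
              - lambda:RemovePermission
              - lambda:PublishVersion
            Resource: !GetAtt ApiFunction.Arn

Outputs:
  SiteUrl:
    Value: !Sub "https://${Distribution.DomainName}"
  ApiUrl:
    Value: !GetAtt HttpApi.ApiEndpoint
```

Two points follow from the answer when this is delivered through Service Catalog. First, the stack should be provisioned by the product's launch role, not by the end users' own credentials; then the users never need `lambda:*` or `iam:*` permissions in the first place, and the Deny policy is a second line rather than the only control. Second, the Deny only holds while users cannot detach it or edit their own role, so the same users must also lack `iam:DetachRolePolicy`, `iam:PutRolePolicy` and the like, which is exactly the "more difficult than it seems" part: code updates then have to come from the central account, through the pipeline that owns the launch role.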
Browse the website