Hi
Andrew here from AWS Premium Support.
I believe you are looking for a multi-tenant setup. In your case you will have multiple Organizations "tenants", with users accessing these different organizations within your application. You would like to assign your users different permissions via roles, when accessing different organizations.
You can find an overview of multi-tenant authorization within AWS Verified Permissions here [1].
Here you can find some architectural guidance when it comes to multi-tenant environments [2]. This includes how to onboard tenants, and tenant users, as well as comparing the two approaches to managing policy stores "Per-tenant vs Multi-tenant".
This blog post also covers real world scenarios and provides examples of how to implement a "per-tenant" policy store and ensure tenant permissions are isolated from each other [3].
Using the strategies outlined in the above articles and blogs, I believe you will be able to develop a system whereby your users are registered to tenants (which align with different organizations) and then are assigned permissions based on their roles in those organizations.
References
Yes, AWS IAM (Identity and Access Management) can allow a user to assume multiple roles across different AWS accounts. This is a common practice in AWS environments to manage permissions and access control efficiently.
Here is how it works:
- Role Assumption: An IAM user can be granted permission to assume roles in one or more AWS accounts. This is done by setting up trust relationships between the accounts. When a user assumes a role, they temporarily gain the permissions associated with that role.
- Cross-Account Access: To allow a user to assume a role in a different AWS account, you need to configure a trust relationship in the role's permissions policy in the target account. This policy specifies which users or roles from the source account are allowed to assume the role.
- Multiple Roles: A single IAM user can be authorized to assume multiple roles, whether within the same account or across different accounts. The user can switch between these roles as needed to perform different tasks, each with its own set of permissions.
- AWS Management Console: Users can switch roles using the AWS Management Console, AWS CLI, or AWS SDKs. This flexibility allows users to access resources across different accounts without needing separate credentials for each account.
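The two halves of the cross-account setup described above, as an added example that is not part of the original answer: the trust policy on the target-account role, the matching sts:AssumeRole permission on the source-account user, and a small check that flags trust policies that are broader than they should be. Account IDs, user and role names and the ExternalId are constructed placeholders.

```python
# Constructed sample values (placeholders, not real accounts or roles).
SOURCE_ACCOUNT = "111111111111"
TARGET_ACCOUNT = "222222222222"
TRUSTED_USER_ARN = f"arn:aws:iam::{SOURCE_ACCOUNT}:user/alice"
TARGET_ROLE_ARNS = [
    f"arn:aws:iam::{TARGET_ACCOUNT}:role/ReadOnlyAudit",
    f"arn:aws:iam::{TARGET_ACCOUNT}:role/DeployOps",
]


def build_trust_policy(trusted_principal_arn: str, external_id: str) -> dict:
    """Trust policy attached to the role in the TARGET account.

    Names exactly which principal from the source account may call
    sts:AssumeRole, and requires an ExternalId and MFA so the role
    cannot be assumed by anyone who merely learns its ARN.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": trusted_principal_arn},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"sts:ExternalId": external_id},
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
            },
        }],
    }


def build_assume_role_permissions(role_arns: list) -> dict:
    """Identity policy attached to the user in the SOURCE account.

    Both sides must agree: the target role trusts the user, and the user
    is allowed to call sts:AssumeRole only on these specific role ARNs.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": list(role_arns),
        }],
    }


def audit_trust_policy(policy: dict) -> list:
    """Return findings for trust policies that are broader than intended."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in [aws] if isinstance(aws, str) else aws:
            if p == "*" or p.endswith(":root"):
                findings.append(f"broad principal: {p}")  # "*" or whole account
        if "Condition" not in stmt:
            findings.append("no Condition (consider ExternalId / MFA)")
    return findings
```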

Thanks for the references. From what I read multi tenancy may not suit our needs. We are exploring using a model like the one in this article: https://aws.amazon.com/blogs/security/how-we-designed-cedar-to-be-intuitive-to-use-fast-and-safe/
So our base schema is highly generic, with entities like (user, group, enterprise) and user having Group as parents. One of the policies would be like this:

```
permit(
  principal in DC2::Group::"companyY/admin",
  action == DC2::Action::"EditCompany",
  resource == DC2::Entreprise::"CompanyY"
) when { true };
```

Does it seem ok?