Purpose of Delegated Account for best practices

0

I didn't understand the concept of delegating admin access to a member account for certain services (say GuardDuty, etc.). Why is that delegation required? Generally, at an enterprise level, AWS SSO in the management account is integrated with an IdP (mostly Azure), and users/groups are able to access the member accounts as per the permission sets and SCPs defined. If I gave a particular group/user in Azure AD access to the security account and restricted access for all others, what is this concept of delegation? Can anyone help me with this?

4 Answers
2

In summary, delegation is to support isolation and also the different least-privilege security profiles needed by various teams in your organisation. For example you may have separate security and devops teams.

The multi-account strategy is worth a quick read - https://docs.aws.amazon.com/controltower/latest/userguide/aws-multi-account-landing-zone.html.

Also the Management Account best practices - https://docs.aws.amazon.com/organizations/latest/userguide/orgs_best-practices_mgmt-acct.html.

answered 2 years ago
0
Accepted Answer

The purpose of delegation is to allow different AWS Accounts in an Organisation to host different AWS tools. Delegation allows you to specify the AWS Account which will be the one and only administrator of a particular management or security tool in your AWS Organisation. Per the multi-account strategy, AWS advises customers to separate concerns by Account boundary for various reasons, including limiting blast radius, data protection, billing and more. By delegating GuardDuty to a particular AWS Account, for example, you can apply appropriate guard rails to that Account (which are most appropriate for security tooling but may differ from other Accounts) and you can easily identify costs for resources and data transfer charges related to GuardDuty.

Use multiple AWS accounts

One account isn't enough to set up a well-architected environment. By using multiple accounts, you can best support your security goals and business processes. Here are some benefits of using a multi-account approach:

Security controls – Applications have different security profiles, so they require different control policies and mechanisms. For example, it's far easier to talk to an auditor and point to a single account hosting the payment card industry (PCI) workload.

Isolation – An account is a unit of security protection. Potential risks and security threats can be contained within an account without affecting others. Therefore, security needs may require you to isolate accounts from one another. For example, you may have teams with different security profiles.

Many teams – Teams have different responsibilities and resource needs. By setting up multiple accounts, the teams cannot interfere with one another, as they might when using the same account.

Data Isolation – Isolating data stores to an account helps limit the number of people who have access to data and can manage the data store. This isolation helps prevent unauthorized exposure of highly private data. For example, data isolation helps support compliance with the General Data Protection Regulation (GDPR).

Business process – Business units or products often have completely different purposes and processes. Individual accounts can be established to serve business-specific needs.

Billing – An account is the only way to separate items at a billing level, including things like transfer charges and so forth. The multi-account strategy helps create separate billable items across business units, functional teams, or individual users.

Quota allocation – AWS quotas are set up on a per-account basis. Separating workloads into different accounts gives each account (such as a project) a well-defined, individual quota.

answered 2 years ago
0

Thanks for picking up my query. I understand the articles totally, but I am still trying to figure out the answer to the question, "why go for the concept of delegation if one can achieve the same through combinations of SCPs/IAM roles/policies?"

answered 2 years ago
  • In the same way customers shouldn't configure everything in a single AWS Account, delegated administration allows customers to run each service in its own Account. This enables simpler isolation of security controls, data, users, business processes, billing and quota allocation.

0

"Why go for the concept of delegation if one can achieve the same through combinations of SCPs/IAM roles/policies?" Part of it is "defence in depth". AWS Accounts are a very strong security boundary to add to other security measures, helping to reduce the blast radius of a compromise. The Management Account has a lot of power so, as is common practice with root users, you want to minimise its use. That reduces the risk of it being compromised.

answered 2 years ago
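As an added illustration, not part of any answer in this thread, here is the delegation the accepted answer describes expressed as the boto3 calls a management-account automation would make, combined with the check the last answer implies: refuse to delegate GuardDuty to the management account itself, tolerate an already-correct delegation, and confirm that Organizations records it. The clients are passed in as parameters, so the constructed stand-in classes let the function run offline; the account IDs are made up.

```python
GUARDDUTY_PRINCIPAL = "guardduty.amazonaws.com"  # service principal Organizations uses for GuardDuty


def delegate_guardduty(org, gd, admin_account_id):
    """Make admin_account_id the single GuardDuty administrator of the organization.

    org/gd are boto3 Organizations and GuardDuty clients (or stand-ins with the same
    method names) created in the management account, in the target region.
    """
    mgmt = org.describe_organization()["Organization"]["MasterAccountId"]
    # Keep security tooling out of the management account, as the thread advises.
    if admin_account_id == mgmt:
        raise ValueError("delegate to a member account, not the management account")

    # GuardDuty allows exactly one delegated administrator per region.
    current = gd.list_organization_admin_accounts().get("AdminAccounts", [])
    enabled = [a["AdminAccountId"] for a in current if a["AdminStatus"] == "ENABLED"]
    if admin_account_id in enabled:
        return admin_account_id  # already delegated, nothing to change
    if enabled:
        raise RuntimeError(f"GuardDuty is already delegated to {enabled[0]}")

    gd.enable_organization_admin_account(AdminAccountId=admin_account_id)

    # Confirm Organizations now records the delegation for the GuardDuty principal.
    listed = org.list_delegated_administrators(ServicePrincipal=GUARDDUTY_PRINCIPAL)
    if admin_account_id not in [d["Id"] for d in listed.get("DelegatedAdministrators", [])]:
        raise RuntimeError("delegation not recorded in Organizations")
    return admin_account_id


class FakeOrg:
    """Constructed stand-in for the Organizations client so the example runs offline."""
    def __init__(self, mgmt_id):
        self.mgmt_id, self.delegated = mgmt_id, []
    def describe_organization(self):
        return {"Organization": {"MasterAccountId": self.mgmt_id}}
    def list_delegated_administrators(self, ServicePrincipal):
        return {"DelegatedAdministrators": [{"Id": i} for i in self.delegated]}


class FakeGuardDuty:
    """Constructed stand-in for the GuardDuty client; records the delegation."""
    def __init__(self, org):
        self.org, self.admins = org, []
    def list_organization_admin_accounts(self):
        return {"AdminAccounts": list(self.admins)}
    def enable_organization_admin_account(self, AdminAccountId):
        self.admins.append({"AdminAccountId": AdminAccountId, "AdminStatus": "ENABLED"})
        self.org.delegated.append(AdminAccountId)
```

With real clients, `delegate_guardduty(boto3.client("organizations"), boto3.client("guardduty"), "<security-account-id>")` must be run once per region in which GuardDuty is used.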
