Questions tagged with AWS Account Management
Need to restrict IAM user
We have production and UAT environments in the same AWS account. My requirement is to restrict access so that IAM user **A** can manage all activities related to only UAT instances, like admin access, and in the same way IAM user **B** can manage Production instances only. Is it possible within the same AWS account?
Account Factory for Terraform without Control Tower
We have an existing multi-account environment with the majority of AWS services, so do not need to use Landing Zone Accelerator (LZA) or AWS Control Tower. We use Terraform to build resources within the account and would like to use the Account Factory for Terraform  and  to build an account within the management account and integrate with AWS Organizations. Can you tell me if it is possible to use AFT in an environment that does not have AWS Control Tower?  https://registry.terraform.io/modules/aws-ia/control_tower_account_factory/aws/latest  https://aws.amazon.com/blogs/aws/new-aws-control-tower-account-factory-for-terraform/ Thanks
Should I keep all of my business logic in layers in AWS Lambda functions service?
I am designing an application and I really haven't worked with Lambda earlier. Currently I have the service repository pattern implemented and I am running my application in an Express HTTP server. Current design pattern:
* Model - Sequelize models to call the db methods on
* Repository layer - Communication with the Database through models
* Service layer - calls to repository layer and implementation of business logic
* Controller layer - Call service layer functions and send json response
Now I want to migrate to AWS Lambda functions. I came across the usage of layers in Lambda to share the code across all the functions. Is it good design to put all my repositories, services and models in layers and only instantiate related classes and then invoke the functions from the lambdas? (So lambdas will work like controllers in my current design.) Or should I move my entire business logic to Lambda functions? The question is due to a blog that I read where I got to know that with every new deployment of layers I'll have to redeploy all the lambdas. Please help!
AWS Contract Status for Test Account is showing as pending though contract has been successfully subscribed
We are integrating our SaaS product with AWS Marketplace. We are now in the testing phase of the integration. During our testing, we have seen that a contract subscribed from the AWS Marketplace using our test accounts is successfully provisioning our SaaS application to the customer. However, in the marketplace we can see that the contract status is still pending for the test customer. The message which is displayed is: "Your contract is currently pending. To modify your current contract please refresh the page after several minutes to check your contract status." Also, the "Click here to set up your account." link is still active though the SaaS application has been provisioned to the test customer. Do we need to configure anything else in order to make the contract status active on the AWS Marketplace side? Please guide here.
Run RDP Client on MacBook
Greetings, I am running a MacBook trying to connect to an AWS Instance that is running, using Microsoft Remote Desktop. I downloaded the Remote Desktop file, and added it to Microsoft Remote Desktop. I have installed and launched Microsoft Remote Desktop. I entered the Public DNS that is in the **Connect to instance**, and get an error message. Any suggestions to resolve this issue are much appreciated. Thanks, Clive
ERROR: **We couldn't connect to the remote PC. Make sure the PC is turned on and connected to the network, and that remote access is enabled. Error code: 0x204**
Optimal Way To Collate Multiple Acct/Role --> Security Pane-of-Glass
I see several different ways to get a single pane-of-glass for AWS services but not getting clarity on what is the optimal/simplest solution. We need to pipe event/log data into a SIEM (not in AWS) - what is best way to get data from those into one place?
How to configure Sender ID on SMS
I am setting up a new environment using a new account under the same payee/root account. In order to set up the env I need to configure Sender ID on SMS messages. I have registered Sender ID in India, have a principal entity, and have approved SMS templates. AWS Support is refusing to configure the Sender ID because the account is new. Root / payee account has been active for more than a year. This is the second time such an incident is happening. Last time I had to tag AWS Support on Twitter to get the ticket escalated. Has someone faced a similar issue? Is there a better way to get help?
Did we use AWS Organizations wrong?
Rather than sharing a single "root" login for **account A** on a 3rd party service it's often preferable to invite other accounts (B, C, D, etc.) and assign permissions to each of these accounts (admin, viewer, etc.). The "owner" of AWS **account A** invited the owner of **account B** into their "organization" by using owner B's email address associated with **B's** AWS root account. Assumption: **B** would remain independent but be able to switch into a management (admin) role of account **A** as authorized. **A** should not have ANY access to account **B**. Now it would appear Account **A** has consumed Account **B**?!?! What does "Organization" mean in AWS parlance (read: layman's speak)? IAM role is what should have been done but now I'm trying to understand what happened and help them back out of this…if possible?
Check ARNs for AssumeRole regularly not hitting quota limits
Hello, we need to do a regular check of all our customers who gave us permissions for AssumeRole in case they drop the permission/role/user. With respect to [quota limits](https://docs.aws.amazon.com/apigateway/latest/developerguide/limits.html#apigateway-account-level-limits-table), what would be the best possible way of doing that? I am thinking:
* For each customer account (ARN)
* Perform AssumeRole for that ARN
* Perform some "ping" operation (e.g. DescribeRegions)
* Delay so we don't hit the service quota limits (e.g. DescribeRegions has 20 operations per second bucket).
It is not clear how service quota limits are applied when doing AssumeRole. Is that applied against our (service) account, or the customer (assumed) account? What are the limits for the STS operations, specifically AssumeRole? There is not much in the docs in this regard, or I am missing it. Is there some always-available "ping" operation we could call or some STS API request that would confirm to us that the ARN is valid? Is there a place we can check the consumption of quota limits so we can fine-tune our background checker? Thanks
Issue adding user to the list
Hello all, we are using a dashboard: https://app.monitron.aws/ We want to add a general user to the list in order to have only read rights. The user is: email@example.com When I try to add it, the button of 'Add' remains grey. Can you please help me with this case? Kind regards,