
To automatically create a "Sign-in URL" for an account newly added to Control Tower (that is, an IAM account alias, which gives the console URL https://<alias>.signin.aws.amazon.com/console) you need the following:
- create a Lambda function in the master (management) account; the region must be us-east-1 (N. Virginia), because the trigger is a CloudTrail event and AWS Organizations is a global service whose API calls are recorded in us-east-1;
- create a policy that allows assuming the role in the member accounts and attach it to the Lambda execution role;
- create a CloudWatch Event Rule with the Lambda as its target;
- in the master account, create a StackSet that deploys the required role and policy into the accounts of the OU (with automatic deployment enabled, so accounts that join the OU later get the role as well).
The rule below relies on a newly created account first appearing in the organization root and then being moved into the target OU; that MoveAccount call is what fires the Lambda.
StackSet:
AWSTemplateFormatVersion: 2010-09-09
Description: 'Template creates the IAM Role and Policy for access from the Control Tower master account'
Resources:
  ControlTowerMaster:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: 'ControlTower-Master'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                # Trusts the whole master account; narrow this to the Lambda
                # execution role ARN once that role exists.
                - "arn:aws:iam::XXXXXXXXXXXX:root"
            Action:
              - 'sts:AssumeRole'
      Policies:
        - PolicyName: 'ControlTower-Master'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'iam:CreateAccountAlias'
                Resource: '*'
      MaxSessionDuration: 3600
      Path: /
Where "XXXXXXXXXXXX" is the master account ID. Note that the trust policy trusts the entire master account (":root"): any principal in the master account that is allowed sts:AssumeRole on this ARN can set or change the alias of every account in the OU. Once the Lambda execution role exists, replace the root principal with that role's ARN.
Lambda:
import boto3
import re


def get_account_name(account_id):
    # Look the account up in Organizations; needs organizations:DescribeAccount on the Lambda role
    account_name = boto3.client('organizations').describe_account(AccountId=account_id)['Account']['Name']
    create_account_alias(account_id, account_name)


def create_account_alias(account_id, account_name):
    # An alias may contain only letters, digits and hyphens; collapse everything else
    account_name = re.sub('[^A-Za-z0-9]+', '-', account_name)
    sts_client = boto3.client('sts')
    # The role name must match RoleName in the StackSet template above
    response = sts_client.assume_role(
        RoleArn="arn:aws:iam::" + str(account_id) + ":role/ControlTower-Master",
        RoleSessionName='assume_role_session'
    )
    # IAM client running with the temporary credentials of the member account role
    iam_client = boto3.client(
        'iam',
        aws_access_key_id=response['Credentials']['AccessKeyId'],
        aws_secret_access_key=response['Credentials']['SecretAccessKey'],
        aws_session_token=response['Credentials']['SessionToken']
    )
    # Create the account alias in the new account
    iam_client.create_account_alias(
        AccountAlias=account_name.lower()
    )


def main(event, context):
    # Lambda handler: the account ID comes from the MoveAccount request parameters
    account_id = event["detail"]["requestParameters"]["accountId"]
    get_account_name(account_id)
Set the Lambda handler to <module>.main. Two things to check before relying on this: the alias derived from the account name must satisfy IAM's rules (3 to 63 characters, lowercase letters, digits and single hyphens, no leading or trailing hyphen), so a name such as "Prod (EU)" yields "prod-eu-" and is rejected; and aliases are unique across all of AWS, so a name already taken by another account fails with EntityAlreadyExists.
Lambda Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "organizations:DescribeAccount",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::*:role/ControlTower-Master"
    }
  ]
}
The execution role needs organizations:DescribeAccount for the name lookup in the Lambda, and sts:AssumeRole is limited to the role the StackSet creates rather than "*", so the function cannot assume arbitrary roles if it is ever misused.
CloudWatch Event Rule:
{
  "source": [
    "aws.organizations"
  ],
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "organizations.amazonaws.com"
    ],
    "eventName": [
      "MoveAccount"
    ],
    "requestParameters": {
      "sourceParentId": [
        "r-xxx"
      ],
      "destinationParentId": [
        "ou-xxx-yyyyyyyy"
      ]
    }
  }
}
Where "r-xxx" is the ID of your organization's root (the source parent, since a freshly created account sits in the root before it is moved; this is not the o-... organization ID), and "ou-xxx-yyyyyyyy" is the ID of the target OU.
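The Lambda above trusts the account name to yield a valid alias and fails if the account already has one. The following Python is an added example, not code from the original note: it parses the MoveAccount event, re-checks the destination OU inside the handler, turns the account name into an alias that satisfies IAM's alias rules (3 to 63 characters, lowercase letters, digits and single hyphens, none at either end), and keeps an alias that is already set instead of erroring. The sample event, the FakeIam client and all function names are constructed for this example; the real `handler` assumes the member role also allows iam:ListAccountAliases, which the StackSet above does not grant.

```python
"""Added example (not part of the original note): event parsing and alias
normalisation for the MoveAccount trigger. The sample event and FakeIam are
constructed; the alias rules are those documented for iam:CreateAccountAlias."""
import re

# Constructed sample of the EventBridge event for a MoveAccount call recorded
# by CloudTrail; only the fields the handler reads are filled in.
SAMPLE_EVENT = {
    "source": "aws.organizations",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "organizations.amazonaws.com",
        "eventName": "MoveAccount",
        "requestParameters": {
            "accountId": "111122223333",
            "sourceParentId": "r-abcd",
            "destinationParentId": "ou-abcd-11111111",
        },
    },
}

# Lowercase alphanumerics separated by single hyphens, no hyphen at either end.
ALIAS_RE = re.compile(r"^[a-z0-9](?:-?[a-z0-9])*$")


def account_id_from_event(event, expected_ou=None):
    """Return the moved account's ID, or None when the event is not a MoveAccount
    into expected_ou. The rule pattern already filters on this; re-checking here
    means a loosened rule cannot make the Lambda touch accounts outside the OU."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "MoveAccount":
        return None
    params = detail.get("requestParameters", {})
    if expected_ou is not None and params.get("destinationParentId") != expected_ou:
        return None
    return params.get("accountId")


def to_alias(account_name):
    """Derive a valid IAM account alias from an Organizations account name:
    lowercase, collapse every run of other characters to one hyphen, strip
    hyphens from both ends, cut to 63 characters. Raises ValueError when
    nothing usable is left (e.g. a name made of punctuation only)."""
    alias = re.sub(r"[^a-z0-9]+", "-", account_name.lower()).strip("-")
    alias = alias[:63].rstrip("-")
    if len(alias) < 3 or not ALIAS_RE.match(alias):
        raise ValueError(f"cannot derive a valid alias from {account_name!r}")
    return alias


def set_alias(iam_client, alias):
    """Set the alias through an IAM client holding the assumed-role credentials
    and return the alias the account ends up with. An account has at most one
    alias, so one that is already set (e.g. by hand) is kept, not replaced. If
    another account owns the name, IAM raises EntityAlreadyExists to the caller."""
    existing = iam_client.list_account_aliases().get("AccountAliases", [])
    if existing:
        return existing[0]
    iam_client.create_account_alias(AccountAlias=alias)
    return alias


class FakeIam:
    """Constructed stand-in for the boto3 IAM client, only the two calls used."""

    def __init__(self, aliases=None):
        self.aliases = list(aliases or [])

    def list_account_aliases(self):
        return {"AccountAliases": list(self.aliases)}

    def create_account_alias(self, AccountAlias):
        self.aliases.append(AccountAlias)
        return {}


def handler(event, context):
    """Lambda entry point wiring the pieces to boto3 (imported here so the rest
    of the module runs without it). Role name as in the StackSet above; that
    role additionally needs iam:ListAccountAliases for set_alias."""
    import boto3
    account_id = account_id_from_event(event)
    if account_id is None:
        return None
    org = boto3.client("organizations")
    name = org.describe_account(AccountId=account_id)["Account"]["Name"]
    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/ControlTower-Master",
        RoleSessionName="create-account-alias",
    )["Credentials"]
    iam = boto3.client("iam", aws_access_key_id=creds["AccessKeyId"],
                       aws_secret_access_key=creds["SecretAccessKey"],
                       aws_session_token=creds["SessionToken"])
    return set_alias(iam, to_alias(name))
```

Keeping the boto3 calls inside `handler` and passing the IAM client into `set_alias` is what makes the alias logic testable offline with `FakeIam`; in the deployed function, `handler` can take the expected OU from an environment variable and pass it to `account_id_from_event` so the check does not depend solely on the event rule.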