To automatically create the "Sign-in URL" (account alias) for a newly added Control Tower account you need the following:
- create a Lambda function in the master account (the region must be us-east-1, Virginia, since CloudTrail will be used as the trigger);
- create a policy that allows assuming a role and attach it to the Lambda role;
- create a CloudWatch Event Rule with the Lambda as its target;
- in the master account, create a StackSet that creates the required role and policy in the new account in the OU.
StackSet:

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: 'Template create IAM Roles and Policies for access from Control Tower master account'
Resources:
  ControlTowerMaster:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: 'ControlTower-Master'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - "arn:aws:iam::XXXXXXXXXXXX:root"
            Action:
              - 'sts:AssumeRole'
      Policies:
        - PolicyName: 'ControlTower-Master'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'iam:CreateAccountAlias'
                Resource: '*'
      MaxSessionDuration: 3600
      Path: /
```
Where "XXXXXXXXXXXX" is the master account ID.
Lambda (the handler is `main`; the role name in `RoleArn` must match `RoleName` in the StackSet above):

```python
import re

import boto3


def get_account_name(account_id):
    """Look up the account name in AWS Organizations and create the alias from it."""
    account = boto3.client('organizations').describe_account(AccountId=account_id)['Account']
    create_account_alias(account_id, account['Name'])


def create_account_alias(account_id, account_name):
    # Account aliases allow only lowercase letters, digits and hyphens,
    # and may not start or end with a hyphen
    account_name = re.sub('[^A-Za-z0-9]+', '-', account_name).strip('-').lower()
    sts_client = boto3.client('sts')
    # Assume the role the StackSet created in the new account
    response = sts_client.assume_role(
        RoleArn="arn:aws:iam::" + str(account_id) + ":role/ControlTower-Master",
        RoleSessionName='assume_role_session',
    )
    credentials = response['Credentials']
    iam_client = boto3.client(
        'iam',
        aws_access_key_id=credentials['AccessKeyId'],
        aws_secret_access_key=credentials['SecretAccessKey'],
        aws_session_token=credentials['SessionToken'],
    )
    # Create the account alias; the sign-in URL becomes https://<alias>.signin.aws.amazon.com/console
    iam_client.create_account_alias(AccountAlias=account_name)


def main(event, context):
    # Lambda handler: the MoveAccount CloudTrail event carries the moved account's ID
    account_id = event["detail"]["requestParameters"]["accountId"]
    get_account_name(account_id)
```
Lambda Policy:

```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "*"
  }
}
```

With `"Resource": "*"` the function may assume any role that trusts the master account; it can be narrowed to `"arn:aws:iam::*:role/ControlTower-Master"` so that only the role created by the StackSet is reachable.
CloudWatch Event Rule:

```json
{
  "source": ["aws.organizations"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["organizations.amazonaws.com"],
    "eventName": ["MoveAccount"],
    "requestParameters": {
      "sourceParentId": ["r-xxx"],
      "destinationParentId": ["ou-xxx-yyyyyyyy"]
    }
  }
}
```
Where "r-xxx" is the ID of your organization's root and "ou-xxx-yyyyyyyy" is the OU ID.
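The Lambda above trusts two things without checking them: that the event really is a MoveAccount into the intended OU, and that the account name turns into a valid alias. The following added example (not part of the original post) pulls those checks into testable functions and builds the member role ARN; the account ID, root ID, OU ID and account name are constructed sample values.

```python
import re

# Constructed sample of the CloudTrail event the rule above forwards (not a real capture)
SAMPLE_EVENT = {
    "source": "aws.organizations",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "organizations.amazonaws.com",
        "eventName": "MoveAccount",
        "requestParameters": {
            "accountId": "111122223333",
            "sourceParentId": "r-abcd",
            "destinationParentId": "ou-abcd-12345678",
        },
    },
}

# IAM account alias rules: lowercase letters, digits, single hyphens, no leading/trailing hyphen
ALIAS_PATTERN = re.compile(r"^[a-z0-9](([a-z0-9]|-(?!-))*[a-z0-9])?$")


def extract_moved_account(event, expected_ou):
    """Return the moved account ID only if the event is a MoveAccount into expected_ou.
    Re-checking in code guards against an event rule that was later widened."""
    detail = event.get("detail", {})
    params = detail.get("requestParameters", {})
    if event.get("source") != "aws.organizations" or detail.get("eventName") != "MoveAccount":
        return None
    if params.get("destinationParentId") != expected_ou:
        return None
    account_id = params.get("accountId", "")
    return account_id if re.fullmatch(r"\d{12}", account_id) else None


def normalize_alias(account_name, fallback):
    """Turn an Organizations account name into a valid alias (3-63 chars); use fallback otherwise."""
    alias = re.sub(r"[^a-z0-9]+", "-", account_name.lower()).strip("-")[:63].rstrip("-")
    if len(alias) < 3 or not ALIAS_PATTERN.match(alias):
        return fallback
    return alias


def member_role_arn(account_id, role_name="ControlTower-Master"):
    """ARN of the role the StackSet deploys into the member account."""
    return f"arn:aws:iam::{account_id}:role/{role_name}"
```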