aws-account-management


AWS Account Management

Manage AWS accounts, organizations, IAM, and billing effectively.

AWS Organizations

Organization Structure

```text
Root
├── Production OU
│   ├── Prod Account A
│   └── Prod Account B
├── Development OU
│   ├── Dev Account
│   └── Staging Account
├── Security OU
│   ├── Security Account
│   └── Log Archive Account
└── Sandbox OU
    └── Sandbox Account
```

Create Organization

```bash
# Create organization (from management account)
aws organizations create-organization --feature-set ALL

# Create organizational unit
aws organizations create-organizational-unit \
  --parent-id r-xxxx \
  --name "Production"

# Create member account
aws organizations create-account \
  --email prod-aws@company.com \
  --account-name "Production Account"

# Move account to OU
aws organizations move-account \
  --account-id 123456789012 \
  --source-parent-id r-xxxx \
  --destination-parent-id ou-xxxx-xxxxxxxx
```

Service Control Policies (SCPs)

```json
// Deny leaving organization
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLeaveOrg",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    }
  ]
}

// Require IMDSv2 (instance metadata)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireIMDSv2",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:MetadataHttpTokens": "required"
        }
      }
    }
  ]
}

// Region restriction (global services listed in NotAction stay reachable)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyNonApprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "support:*",
        "budgets:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["us-east-1", "us-west-2", "eu-west-1"]
        }
      }
    }
  ]
}

// Prevent root user access (member accounts only; SCPs never apply to the management account)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRootUser",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:root"
        }
      }
    }
  ]
}
```
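Before attaching SCPs like these to an OU it helps to dry-run requests against them. The evaluator below is an added example, not part of the original page or of any AWS tooling: it implements the Deny-side of SCP evaluation (Action/NotAction, Resource globbing, the String* condition operators, and IAM's rule that a negated operator is true when the key is absent) over the four policies above, which are embedded inline so it runs offline. The request context keys and values are constructed for the demonstration.

```python
import fnmatch

# The four SCPs shown above, embedded inline so this evaluator runs offline.
SCPS = [
    {"Version": "2012-10-17", "Statement": [{"Sid": "DenyLeaveOrg", "Effect": "Deny",
        "Action": "organizations:LeaveOrganization", "Resource": "*"}]},
    {"Version": "2012-10-17", "Statement": [{"Sid": "RequireIMDSv2", "Effect": "Deny",
        "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringNotEquals": {"ec2:MetadataHttpTokens": "required"}}}]},
    {"Version": "2012-10-17", "Statement": [{"Sid": "DenyNonApprovedRegions", "Effect": "Deny",
        "NotAction": ["iam:*", "organizations:*", "support:*", "budgets:*"], "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "us-west-2", "eu-west-1"]}}}]},
    {"Version": "2012-10-17", "Statement": [{"Sid": "DenyRootUser", "Effect": "Deny",
        "Action": "*", "Resource": "*",
        "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}}]},
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(pattern, value):
    # IAM wildcards (* and ?) map directly onto fnmatch; ARNs and condition values are case-sensitive.
    return fnmatch.fnmatchcase(value, pattern)

def _action_match(pattern, action):
    # Action names are matched case-insensitively by IAM.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def _condition_holds(condition, ctx):
    """Evaluate the String* operators used by these SCPs. As in IAM, a negated operator
    (StringNotEquals/StringNotLike) is true when the key is absent from the request context."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            wanted, have = _as_list(wanted), ctx.get(key)
            if operator == "StringEquals" and (have is None or have not in wanted):
                return False
            if operator == "StringNotEquals" and have is not None and have in wanted:
                return False
            if operator == "StringLike" and (have is None or not any(_glob(p, have) for p in wanted)):
                return False
            if operator == "StringNotLike" and have is not None and any(_glob(p, have) for p in wanted):
                return False
            if operator not in ("StringEquals", "StringNotEquals", "StringLike", "StringNotLike"):
                raise ValueError(f"operator {operator} is not supported by this evaluator")
    return True

def _statement_applies(stmt, action, resource, ctx):
    if "Action" in stmt and not any(_action_match(p, action) for p in _as_list(stmt["Action"])):
        return False
    if "NotAction" in stmt and any(_action_match(p, action) for p in _as_list(stmt["NotAction"])):
        return False
    if not any(_glob(p, resource) for p in _as_list(stmt.get("Resource", "*"))):
        return False
    return _condition_holds(stmt.get("Condition", {}), ctx)

def denied_by(scps, action, resource, ctx):
    """Return the Sids of Deny statements matching the request; an empty list means no SCP blocks it.
    Assumes the default FullAWSAccess SCP is attached as well, so only explicit Denies matter."""
    return [stmt.get("Sid", "<no Sid>")
            for scp in scps for stmt in scp["Statement"]
            if stmt.get("Effect") == "Deny" and _statement_applies(stmt, action, resource, ctx)]

if __name__ == "__main__":
    # Constructed request: a role launching an IMDSv1-capable instance in a non-approved region.
    ctx = {"aws:RequestedRegion": "ap-southeast-1",
           "aws:PrincipalArn": "arn:aws:iam::123456789012:role/Deployer",
           "ec2:MetadataHttpTokens": "optional"}
    print(denied_by(SCPS, "ec2:RunInstances", "arn:aws:ec2:ap-southeast-1:123456789012:instance/i-0abc", ctx))
    # -> ['RequireIMDSv2', 'DenyNonApprovedRegions']
```

The `iam:CreateUser` case in the checks is the one that surprises people: `NotAction` exempts the listed global services from the region Deny, so IAM calls succeed from any region.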

Attach SCP

```bash
# Create SCP
aws organizations create-policy \
  --name "DenyLeaveOrg" \
  --type SERVICE_CONTROL_POLICY \
  --content file://deny-leave-org.json

# Attach to OU
aws organizations attach-policy \
  --policy-id p-xxxxxxxxxxxx \
  --target-id ou-xxxx-xxxxxxxx
```

IAM Identity Center (AWS SSO)

Setup Identity Center

```bash
# Enable Identity Center
aws sso-admin create-instance

# Create permission set
aws sso-admin create-permission-set \
  --instance-arn arn:aws:sso:::instance/ssoins-xxxxxxxx \
  --name "AdministratorAccess" \
  --session-duration "PT8H"

# Attach managed policy
aws sso-admin attach-managed-policy-to-permission-set \
  --instance-arn arn:aws:sso:::instance/ssoins-xxxxxxxx \
  --permission-set-arn arn:aws:sso:::permissionSet/ssoins-xxxxxxxx/ps-xxxxxxxx \
  --managed-policy-arn arn:aws:iam::aws:policy/AdministratorAccess
```

Permission Sets

```json
// Developer permission set (inline policy)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DeveloperAccess",
      "Effect": "Allow",
      "Action": [
        "ec2:*",
        "s3:*",
        "lambda:*",
        "dynamodb:*",
        "cloudwatch:*",
        "logs:*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyBillingAndIAM",
      "Effect": "Deny",
      "Action": [
        "iam:CreateUser",
        "iam:DeleteUser",
        "iam:CreateAccessKey",
        "aws-portal:*",
        "budgets:*"
      ],
      "Resource": "*"
    }
  ]
}
```

IAM Best Practices

IAM Policies

```json
// Least privilege policy example
// Note: s3:x-amz-acl only exists in the request context when the caller sets an ACL,
// so a StringEquals on it must gate PutObject alone; applied to GetObject/DeleteObject
// the condition can never match and those calls are silently denied.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowS3ObjectReadDelete",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::my-bucket/*"
    },
    {
      "Sid": "AllowS3PutPrivateOnly",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "private"
        }
      }
    },
    {
      "Sid": "AllowListBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::my-bucket",
      "Condition": {
        "StringLike": {
          "s3:prefix": ["${aws:username}/*"]
        }
      }
    }
  ]
}

// Cross-account role trust policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "unique-external-id"
        },
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
```

IAM Roles for Services

```json
// Lambda execution role
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

// EC2 instance profile
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

IAM Security Tools

```bash
# Generate credential report, then fetch and decode it
aws iam generate-credential-report
aws iam get-credential-report --output text --query Content | base64 -d

# List active access keys for every user (combine with the last-used lookup below
# to find keys unused for more than 90 days). tr splits the tab-separated names so
# xargs -I receives one user per line.
aws iam list-users --query 'Users[*].UserName' --output text | tr '\t' '\n' | \
  xargs -I {} aws iam list-access-keys --user-name {} \
    --query 'AccessKeyMetadata[?Status==`Active`]'

# Get access key last used
aws iam get-access-key-last-used --access-key-id AKIAXXXXXXXX

# IAM Access Analyzer
aws accessanalyzer create-analyzer \
  --analyzer-name my-analyzer \
  --type ACCOUNT
```

Cost Management

AWS Budgets

```bash
# Create budget
aws budgets create-budget \
  --account-id 123456789012 \
  --budget '{"BudgetName": "Monthly-Budget", "BudgetLimit": {"Amount": "1000", "Unit": "USD"}, "BudgetType": "COST", "TimeUnit": "MONTHLY"}' \
  --notifications-with-subscribers '[{"Notification": {"NotificationType": "ACTUAL", "ComparisonOperator": "GREATER_THAN", "Threshold": 80}, "Subscribers": [{"SubscriptionType": "EMAIL", "Address": "alerts@company.com"}]}]'
```

Cost Explorer API

```python
import boto3
from datetime import datetime, timedelta

client = boto3.client('ce')

# Get cost and usage
response = client.get_cost_and_usage(
    TimePeriod={
        'Start': (datetime.now() - timedelta(days=30)).strftime('%Y-%m-%d'),
        'End': datetime.now().strftime('%Y-%m-%d')
    },
    Granularity='MONTHLY',
    Metrics=['UnblendedCost'],
    GroupBy=[
        {'Type': 'DIMENSION', 'Key': 'SERVICE'},
        {'Type': 'DIMENSION', 'Key': 'LINKED_ACCOUNT'}
    ]
)

# Get cost forecast
forecast = client.get_cost_forecast(
    TimePeriod={
        'Start': datetime.now().strftime('%Y-%m-%d'),
        'End': (datetime.now() + timedelta(days=30)).strftime('%Y-%m-%d')
    },
    Metric='UNBLENDED_COST',
    Granularity='MONTHLY'
)
print(f"Forecasted cost: ${forecast['Total']['Amount']}")
```

Cost Allocation Tags

```bash
# Activate cost allocation tags
aws ce update-cost-allocation-tags-status \
  --cost-allocation-tags-status '[{"TagKey": "Environment", "Status": "Active"}, {"TagKey": "Project", "Status": "Active"}, {"TagKey": "CostCenter", "Status": "Active"}]'

# Tag resources consistently
aws ec2 create-tags \
  --resources i-1234567890abcdef0 \
  --tags Key=Environment,Value=Production \
         Key=Project,Value=WebApp \
         Key=CostCenter,Value=Engineering
```

Savings Plans & Reserved Instances

```bash
# Describe Savings Plans offering rates
# (purchase recommendations themselves come from `aws ce get-savings-plans-purchase-recommendation`)
aws savingsplans describe-savings-plans-offering-rates \
  --savings-plan-offering-ids xxxxxxxxx

# Get Reserved Instance recommendations
aws ce get-reservation-purchase-recommendation \
  --service "Amazon Elastic Compute Cloud - Compute" \
  --lookback-period-in-days THIRTY_DAYS \
  --term-in-years ONE_YEAR \
  --payment-option NO_UPFRONT
```

CloudTrail & Logging

Organization Trail

```bash
# Create organization trail
aws cloudtrail create-trail \
  --name organization-trail \
  --s3-bucket-name my-cloudtrail-bucket \
  --is-organization-trail \
  --is-multi-region-trail \
  --enable-log-file-validation \
  --kms-key-id alias/cloudtrail-key

# Start logging
aws cloudtrail start-logging --name organization-trail
```

CloudTrail Event Selectors

```bash
# Log management events and S3 data events
aws cloudtrail put-event-selectors \
  --trail-name organization-trail \
  --event-selectors '[{"ReadWriteType": "All", "IncludeManagementEvents": true, "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::sensitive-bucket/"]}]}]'
```

Config & Compliance

AWS Config Rules

```bash
# Enable Config
# (a delivery channel must also exist and the recorder must be started with
#  `aws configservice start-configuration-recorder` before anything is recorded)
aws configservice put-configuration-recorder \
  --configuration-recorder name=default,roleARN=arn:aws:iam::123456789012:role/config-role

# Deploy managed rule
aws configservice put-config-rule \
  --config-rule '{"ConfigRuleName": "s3-bucket-public-read-prohibited", "Source": {"Owner": "AWS", "SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED"}}'

# Organization Config rules
aws configservice put-organization-config-rule \
  --organization-config-rule-name "org-s3-bucket-public-read-prohibited" \
  --organization-managed-rule-metadata '{"RuleIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED"}'
```

Conformance Packs

```yaml
# conformance-pack.yaml
Parameters:
  S3BucketName:
    Type: String

Resources:
  S3BucketPublicReadProhibited:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-public-read-prohibited
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED

  IAMRootAccessKeyCheck:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: iam-root-access-key-check
      Source:
        Owner: AWS
        SourceIdentifier: IAM_ROOT_ACCESS_KEY_CHECK

  MFAEnabledForIAMConsoleAccess:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: mfa-enabled-for-iam-console-access
      Source:
        Owner: AWS
        SourceIdentifier: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS
```

Terraform Multi-Account

```hcl
# providers.tf
provider "aws" {
  alias  = "management"
  region = "us-east-1"
}

provider "aws" {
  alias  = "production"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::${var.prod_account_id}:role/TerraformRole"
  }
}

provider "aws" {
  alias  = "development"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::${var.dev_account_id}:role/TerraformRole"
  }
}

# Create resources in specific accounts
resource "aws_s3_bucket" "prod_bucket" {
  provider = aws.production
  bucket   = "my-prod-bucket"
}

resource "aws_s3_bucket" "dev_bucket" {
  provider = aws.development
  bucket   = "my-dev-bucket"
}
```

Account Factory (Control Tower Pattern)

```hcl
# modules/account/main.tf
resource "aws_organizations_account" "account" {
  name      = var.account_name
  email     = var.account_email
  parent_id = var.organizational_unit_id
  role_name = "OrganizationAccountAccessRole"

  tags = {
    Environment = var.environment
    ManagedBy   = "Terraform"
  }
}

# Bootstrap role inside the new account, created through a provider alias (aws.new_account)
# that the calling module passes in via configuration_aliases.
resource "aws_iam_role" "terraform_role" {
  provider = aws.new_account
  name     = "TerraformRole"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::${var.management_account_id}:root"
        }
        Action = "sts:AssumeRole"
      }
    ]
  })
}
```

Security Best Practices Checklist


Account Security

  • MFA enabled on root account
  • Root account access keys deleted
  • Root account email is distribution list
  • Strong password policy configured
  • CloudTrail enabled in all regions
  • GuardDuty enabled
  • Security Hub enabled
  • Config enabled with rules

Organization Security

  • SCPs restrict dangerous actions
  • SCPs enforce region restrictions
  • SCPs require encryption
  • Log archive account isolated
  • Security account isolated
  • Cross-account access uses roles (not users)

IAM Security

  • No long-lived access keys
  • IAM Access Analyzer enabled
  • Unused credentials rotated/removed
  • Permission boundaries on delegated admins
  • Service-linked roles used where possible

Cost Management

  • Budgets configured with alerts
  • Cost allocation tags active
  • Savings Plans evaluated
  • Unused resources cleaned up
  • Right-sizing recommendations reviewed

Resources