10 min.

Access controls and management across multiple accounts in AWS

Managing and controlling access across various accounts involves navigating a myriad of services and features. This article aims to organize these elements for simpler understanding.

Key services in this domain include AWS IAM, AWS Organizations, AWS IAM Identity Center, AWS Resource Access Manager, AWS Control Tower.

Additionally, there are several other less critical services, which are briefly listed towards the end. Below, the essential functions of these services in relation to the topic at hand are detailed.


Identity and Access Management (IAM)


Control access to services and resources placed in different accounts (yours and as well in external to your organization) using roles, groups, policies and trust relationships (the last two are in the form of JSON files).

There are 2 ways to handle access to resources to other accounts: explicit access using resource based policy and delegated access - using identity-based policies and trust relationships. See examples below.

Hypothetically you have a S3 bucket in account A and aim to set up access to this bucket from account B.



Explicit access to S3 bucket


Explicit access will only work with resource-based policies (contrary to identity-based policies). Those types of policies are attached directly to the services like S3 and not to users, groups or roles in IAM service.


Delegated access to S3 bucket


This time more work needs to be done. We have to also create identity (role) with proper permissions in account A and declare that we trust another identity (role, user) from account B to assume that role and do some action in account A.


Remember: Resource-based and identity-based policies can't override AWS Organizations SCPs (see AWS Organizations).


AWS Organizations


The service allows you to manually establish additional accounts linked to your primary account, often referred to as the root account.


The root account has the authority to determine what its subordinate accounts, or child accounts, are not permitted to do. By default, these child accounts have full capabilities within their own scope.


You can define restrictions using Service Control Policies (SCPs), which are written in a JSON format similar to IAM policies. SCPs enable you to restrict specific actions, services, and users.


Architects frequently organize child accounts into Organizational Units (OUs) and apply SCPs directly to these units. 


Consequently, all accounts within an OU are subject to the same set of rules. It’s also possible to nest OUs within each other, creating a hierarchical, tree-like structure with a maximum of five levels. 


It is important to note that the SCPs applied at a higher-level OU (the topmost level) will always take precedence and override the rules set in its subordinate OUs.

If some feature,  user, service etc is blocked by SCPs then any policy (resource nor identity) won't be effective



Resource Access Manager (RAM)


RAM allows secure and efficient sharing of AWS resources across yours and external accounts. It helps avoid resource duplication and centralizes the management of shared resources. 

You can define precisely which resources are shared and the level of access that the receiving accounts have.


By sharing resources like subnets, transit gateways, or license configurations, RAM helps in creating a centralized resource which can be accessed by multiple accounts. This reduces the overhead of creating duplicate resources in each account and ensures consistent access control policies are applied across these shared resources


Enables centralized management of shared resources, making it easier to monitor and manage resources from a single account.


AWS IAM Identity Center (formerly AWS Single Sign-On or AWS SSO)


Is a directory and identity management service for users. Enables users to sign in with a single set of credentials (single sign on) to different accounts.

Integrates well with AWS Organizations to enable centralized management of access and user permissions across accounts in the organization.


Simplifies the management of access rights and user permissions across multiple AWS accounts from a single interface, making it easier to administer a multi-account environment.


AWS Control Tower


AWS Control Tower is a service that provides a simple and automated way to set up a multi-account AWS environment. It sets up AWS Organizations, creates the initial accounts and landing zone, and applies guardrails and policies across accounts.


Control Tower allows you to define and enforce consistent policies for security, operations, and compliance across all accounts in your AWS environment. This includes implementing guardrails that can either be preventative (to enforce compliance) or detective (to monitor for compliance).


When using AWS Control Tower, it automatically sets up IAM Identity Center to manage directory services, unless the customer chooses to self-manage identities. IAM Identity Center allows creating and managing users centrally.


It also enables assigning permissions to those users to access AWS accounts and applications.


Integrates with AWS services like AWS Config, AWS CloudTrail, and AWS Service Catalog, providing a comprehensive and compliant framework for account management, auditing, and resource provisioning.



Key differences with IAM Identity center:


  • Control Tower focuses on setting up the initial AWS environment and ongoing governance. IAM Identity Center focuses on managing directory services and access permissions for human users.


  • Control Tower works with IAM Identity Center to provide identity management capabilities out of the box. You can also choose to self-manage identities without IAM Identity Center.


Key difference with AWS Organizations:


  • AWS Control Tower extends the capabilities of AWS Organizations by automatically setting up AWS Organizations as the underlying service to organize accounts


  • Implementing preventive guardrails using service control policies to enforce standards across accounts.


  • Provides an interactive console to easily set up a new landing zone with predefined templates for identity management, access control


Miscellaneous less important services


ServiceRole in control access and management in multi account
AWS ConfigConfiguration tracking and compliance monitoring across multiple accounts
AWS Service CatalogManages access to service catalogs and products across multiple accounts
CloudTrailLogging and auditing account activity across multiple accounts
CloudWatchMonitoring resources and applications across multiple accounts
AWS BudgetsCentralized budget tracking and management across multiple accounts
AWS Cost ExplorerAnalyzing and visualizing spending and usage trends across multiple accounts
AWS Security HubCentralized view of security and compliance across multiple AWS accounts
AWS GuardDutyThreat detection and continuous security monitoring across multiple accounts


Why even bother to create multiple accounts


  • Creates security, access, and billing boundaries that isolate resources and limit the impact of issues, such as misconfigurations or malicious actions, to the resources within that specific account


  • Simplifies cost reporting, control, forecasting, and budgeting, with AWS offering consolidation and fine-grained cost allocation options across all accounts


  • Grouping workloads by business purpose allows for aligned ownership and decision-making, operational autonomy for different units


  • AWS Service Quotas set maximum limits on resources or operations per account, protecting against excessive provisioning and high costs, with separate accounts helping distribute the impact of these quotas and request rate limits


  • Different security controls for each environment - when workloads require unique policies, and using separate accounts for non-production and production ensures resource and data isolation from other workloads


  • Limiting access to sensitive data by restricting it to specific accounts simplifies achieving least privilege access and reduces exposure risk, as demonstrated by using designated accounts for public Amazon S3 buckets to enforce strict access policies


  • Encourages innovation by providing separate accounts for different stages of a workload's life cycle, allowing AWS builders various levels of freedom and access for experimentation, development, and testing, all within secure and cost-managed environments


  • Supports multiple IT operating models by enabling organizations to segregate accounts according to their operational structure, whether Traditional Ops, CloudOps, or DevOps, allowing for tailored governance and operational controls for each model.



Offical AWS resources


Benefits of using multiple AWS accounts

What is the difference between a user created in IAM and a user created in IAM Identity Center?

Working with AWS IAM Identity Center and AWS Control Tower - AWS Control Tower

What is IAM Identity Center? - AWS IAM Identity Center

What Is AWS Control Tower? - AWS Control Tower

AWS Control Tower and AWS Organizations - AWS Organizations

Identity-based policies and resource-based policies - AWS Identity and Access Management

IAM Policies and Bucket Policies and ACLs! Oh, My! (Controlling Access to S3 Resources)

How can I grant a user access to a specific folder in my Amazon S3 bucket?