Description
An AWS multi-account strategy is a standard and best practice for larger environments. Using AWS Organizations you can create and manage up to 10,000 AWS accounts.
IAM Users are not best practice, so you would want to use them minimally. The request is to securely store AWS IAM User credentials (multiple would be preferred to make it more dynamic for people) in the application, so that a stored credential can be selected for each AWS account being added.
When adding an AWS account you can select the stored IAM User credentials and also specify the ARN of an IAM Role to assume in the account you want to manage.
I apologize as I am not extremely familiar with the keyfactor app. We work with the team that manages this solution.
This would help follow AWS security best practices by:
- Limiting the number of IAM users required
- Allowing the use of temporary credentials via IAM Roles in each individual account
- Enabling fast IAM User rotation for the entire environment
- Making automation easier when setting up new accounts in large environments
Example of IAM Authentication with this feature
AWS Organization
- AWS Account (KeyFactor)
  - IAM User with Access Key and Secret
  - Permissions Policy for the IAM User allowing sts:AssumeRole
- AWS Account (App1)
  - IAM Role
    - Trust Policy that allows it to be assumed via the IAM User in the KeyFactor Account
    - Permissions Policy that gives access to AWS ACM in this App1 Account
- AWS Account (App2)
  - IAM Role
    - Trust Policy that allows it to be assumed via the IAM User in the KeyFactor Account
    - Permissions Policy that gives access to AWS ACM in this App2 Account
- AWS Account (App3)
  - IAM Role
    - Trust Policy that allows it to be assumed via the IAM User in the KeyFactor Account
    - Permissions Policy that gives access to AWS ACM in this App3 Account
- AWS Account (App4)
  - IAM Role
    - Trust Policy that allows it to be assumed via the IAM User in the KeyFactor Account
    - Permissions Policy that gives access to AWS ACM in this App4 Account
Example of usage of this feature
- In a secure variable store you create a new variable for the AWS IAM User credentials of the IAM User in the KeyFactor Account.
- When adding an AWS Account:
  - Enter the Account ID/Name (a name or alias is needed, since if you manage 100 accounts the Account IDs mean nothing visually)
  - Select the KeyFactor IAM User from a drop-down
  - Enter the ARN of the IAM Role created in the App5 account that has AWS ACM permissions
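As an added example (not code from the orchestrator or from the issue author), the following shows the pieces behind the hub-user / spoke-role layout and usage flow described above: the trust policy each App account's role needs, the ACM-only permissions policy for that role, the hub user's policy that permits nothing but sts:AssumeRole into the listed roles, and the STS call that exchanges the stored user key for temporary spoke credentials. Account IDs, user and role names, the ExternalId and the `sts` client object are assumptions; the ExternalId condition is an addition the issue does not mention but which is standard for cross-account roles.

```python
# Added example: hub/spoke AssumeRole pattern. All identifiers are constructed placeholders.

def role_arn(account_id: str, role_name: str) -> str:
    return f"arn:aws:iam::{account_id}:role/{role_name}"

def spoke_trust_policy(hub_account_id: str, hub_user: str, external_id: str) -> dict:
    """Trust policy for the role in an App account: only one IAM user in the
    KeyFactor (hub) account may assume it, and only with the agreed ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{hub_account_id}:user/{hub_user}"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def spoke_acm_policy() -> dict:
    """Permissions policy for the spoke role: ACM actions only, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["acm:ListCertificates", "acm:DescribeCertificate",
                       "acm:GetCertificate", "acm:ImportCertificate"],
            "Resource": "*",
        }],
    }

def hub_user_policy(spoke_role_arns: list) -> dict:
    """Permissions policy for the hub IAM user: it may assume exactly the listed
    spoke roles and has no other rights, so a leaked key is only useful via STS."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Resource": sorted(spoke_role_arns)}],
    }

def assume_spoke_role(sts, target_role_arn: str, external_id: str, session_name: str) -> dict:
    """Exchange the stored hub-user key (already loaded into `sts`, e.g. a boto3
    STS client) for temporary spoke credentials; build the ACM client from these."""
    resp = sts.assume_role(RoleArn=target_role_arn, RoleSessionName=session_name,
                           ExternalId=external_id, DurationSeconds=3600)
    c = resp["Credentials"]
    return {"aws_access_key_id": c["AccessKeyId"],
            "aws_secret_access_key": c["SecretAccessKey"],
            "aws_session_token": c["SessionToken"]}
```

Rotating the hub user's access key then invalidates access to every App account at once, while the per-account roles and their policies stay untouched.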