Multiple Account Switching via AWS Console

[wataruian]

Hi Gruntwork team!

I would like to ask a question regarding switching of accounts using AWS Console. Let’s say I logged in to AWS Console of security account using my IAM user and I want to switch to stage account and vice-versa. I can’t seem to it do it from there, but if I logged in from the "master" account I can switch to all accounts (dev, stage, prod, logs, security, shared) just fine. Is it possible to switch from a member account to another member account and vice-versa? If yes, what are the necessary permissions/steps in order to do so. Thanks in advance!

r:terraform-aws-security

[ina-stoyanova]

Hey @wataruian. While I'm setting up this for my own accounts to be able to provide a bit more specific guidance, I believe the steps that will get you to what you want are:

1. Have a role in each member account that can be assumed from every other account (using the cross-account-iam-roles module we've got)
2. Have a user group and IAM users in each member account and respective group with the permissions set to allow assuming those roles from step 1 in a different account (using the iam-groups module we've got here)

The guide I'm following for the above steps: https://docs.gruntwork.io/guides/reference-architecture/example-usage-guide/authenticate/authenticate-to-the-aws-web-console/.

Please let me know if this makes sense!

[wataruian]

@ina-stoyanova Will take a look at this and update you. Thanks!

[wataruian]

@ina-stoyanova looks like the module was implemented all along and just needed to add the IAM user to access-all-external-accounts group and enable the MFA for that IAM user. Thanks!