Suggest a best approach for creating this AWS architecture

How do you create a architecture which involves components EC2, lambda, S3, parameter store, KMS, Scheduler in AWS. This architecture bascically need to be same across all accounts in the organization and there could be updates in the architecture. The root account of AWS organization should not be able to use/view any resources in the users accounts of the organization.

The information is saved in parameter store of user account after a series of steps run on EC2 instance.

The inputs to the lambda function would be this sensitive information of the user which would be stored in the parameter store of the user account. Also, the output of lambda function would again be another sensitive information of user and need to be stored in S3 bucket of that user. Also, the code would be updated frequently.

If there are any other alternative suggestions. Please provide them.

Topics

Security, Identity, & Compliance Management & Governance Storage

Tags

Security, Identity, & Compliance AWS Organizations AWS Account Management Parameter Store Amazon S3 Access Grants

Language

English

Keerthi

asked 2 months ago235 views

1 Answer

Newest
Most votes
Most comments

Hello.

If you are managing multiple AWS accounts with AWS Organizations, I think it is a good idea to create a CloudFormation template and create AWS resources in each AWS account using a stack set.
By doing this, even if there are changes to resource settings, etc., you can complete the work by just using the management account instead of having to work on each AWS account one by one.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html

EXPERT

Riku_Kobayashi

answered 2 months ago

EXPERT

iBehr

reviewed 2 months ago

Keerthi
2 months ago
But, will everything be compromised with root account password ? If suppose someone cracks the root organization password. Will they be able to do malicious activities in other accounts by updating the resource setting?
iBehr EXPERT
2 months ago
Ensure that you have 2FA set for the root account, preferably with a hardware device that you keep secure (in a safe or such).
Keerthi
a month ago
Can we do in some de-centralized way such that users must setup the architecture and run it in their AWS accounts. Root user is only responsible to pay the bills of the accounts in the organization and nothing else.

Relevant content

Which AWS service is best for a proxy http service (architecture strategy)
Accepted Answer
mor
asked 2 years ago
StatusMessage": "ClientError: Unsupported architecture. 32-bit architecture is not supported in this region."
Alvin Kimata
asked 2 years ago
Best architecture for .NET + REACT in AWS ?
Daniel
asked 2 months ago
cloud native architecture for a simple web application
cloudarch
asked 2 years ago
FAQs: Cluster networking architecture in Amazon EKS
AWS OFFICIALUpdated 2 months ago
How do I get a Lambda function in a VPC to access Systems Manager Parameter Store?
AWS OFFICIALUpdated 2 years ago
How do I create a CRL for my AWS Private CA?
AWS OFFICIALUpdated 23 days ago
How do I create a cross-account Lambda function to access Amazon Redshift in a different account?
AWS OFFICIALUpdated 8 months ago
Optimize AWS costs without architectural changes or engineering overhead
EXPERT
rdoty
published a year ago
How to use JWT tokens for authorization with AWS KMS in NodeJs Lambdas
EXPERT
Antonio_Lagrotteria
published 4 months ago