Previously, AWS multi-account management amounted to consolidated billing only; you had to set up a pile of Roles in the various accounts and switch between them yourself. Now accounts can be attached to AWS Organizations and managed together: "Announcing AWS Organizations: Centrally Manage Multiple AWS Accounts".
It is still in Preview, but some of the documentation is already visible:
The existing billing management (consolidated billing) will also be migrated over:
Note: If you currently use Consolidated Billing, your Consolidated Billing family is migrated automatically to AWS Organizations in Billing mode, which is equivalent to Consolidated Billing. All account activity charges accrued by member accounts are billed to the master account.
As far as I know you still have to set up a pile of roles to switch between; it is just that the SAML path used to be AD Group -> IAM Role, and now MASCOT sits in the middle. MASCOT can use the ability of AWS sts::AssumeRole to pass in an additional Policy to achieve an intersection of permissions (an IAM Role's Policies are a union).
See https://www.youtube.com/watch?v=xjtSWd8z_bE&feature=youtu.be
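The union-versus-intersection behaviour the comment above describes, as an added example that is not part of the post, the comment, or any AWS or MASCOT code: the role's identity policies are evaluated as a union of their statements, while the session policy passed as the `Policy` parameter of `sts:AssumeRole` can only narrow that set. The sample policies and role ARN are constructed; the evaluator only matches `Action` patterns and ignores `Resource` and `Condition`.

```python
import fnmatch
import json

# Constructed sample policies (not from the page).
# Two policies attached to the role: together they grant the UNION of their Allows.
ROLE_POLICIES = [
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]},
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"}]},
]
# Session policy handed to sts:AssumeRole; it can only narrow what the role allows.
SESSION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket", "iam:*"],
     "Resource": "*"}]}


def _statements(policy):
    stmts = policy["Statement"]
    return stmts if isinstance(stmts, list) else [stmts]


def _actions(stmt):
    acts = stmt.get("Action", [])
    return acts if isinstance(acts, list) else [acts]


def _matches(stmt, action):
    # IAM action names are matched case-insensitively, with * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), pat.lower()) for pat in _actions(stmt))


def policy_allows(policies, action):
    """Evaluate a set of policies together: an explicit Deny wins, otherwise any Allow suffices."""
    stmts = [s for p in policies for s in _statements(p)]
    if any(s["Effect"] == "Deny" and _matches(s, action) for s in stmts):
        return False
    return any(s["Effect"] == "Allow" and _matches(s, action) for s in stmts)


def effective_allows(role_policies, session_policy, action):
    """Effective permission of the assumed session: role union AND session policy."""
    return policy_allows(role_policies, action) and policy_allows([session_policy], action)


def assume_role_request(role_arn, session_name, session_policy):
    """Keyword arguments for boto3's sts.assume_role(); Policy must be a JSON string."""
    return {"RoleArn": role_arn, "RoleSessionName": session_name,
            "Policy": json.dumps(session_policy)}
```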