AWS Landing Zone - access to core accounts?


How can I access the AWS Landing Zone core accounts after creating an AWS Landing Zone?

This is what I have done so far:

  1. Deploy the AWS Landing Zone based on the AWS Landing Zone initiation template
  2. Let the CodePipeline execute the aws-landing-zone-configuration.zip file
  3. I can see that the shared services, security and log archive accounts have been created and added to the core OU when I look at the AWS Organization in the console

Of course, since I created the accounts, I know the root email address and I can use it to reset the root password, but that is beside the point.

3

There are 3 best solutions below

2

You can Switch Role to the other core accounts assuming the OrganizationAccountAccessRole. Landing Zone doesn't allow this by default, so you'll have to set that up.

3

The AWS Landing Zone is deployed into the AWS Organizations account. When you first create the Landing Zone stack from the latest Landing Zone initiation template, you must supply various input parameters, including the primary email addresses for the core accounts that the landing zone creates, namely:

  1. Log Archive account (LoggingAccountEmail)
  2. Security account (SecurityAccountEmail)
  3. Shared Services account (SharedServicesAccountEmail)

From the Landing Zone CloudFormation template (see it for more details):

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
    - Label:
        default: Landing Zone Core Account Configuration
      Parameters:
      - SharedServicesAccountEmail
      - LoggingAccountEmail
      - SecurityAccountEmail
      - NestedOUDelimiter
      - CoreOUName
      - NonCoreOUNames
      - SecurityAlertEmail
      - LockStackSetsExecutionRole
      - SubscribeAllChangeEventsEmailToTopic
      - AllChangeEventsEmail

When the Security, Log Archive or Shared Services core accounts are created, AWS Organizations initially assigns a password to the root user for each core account that is a minimum of 64 characters long. All characters are randomly generated with no guarantees on the appearance of certain character sets.

You can't retrieve this initial password.

To access the account as the root user for the first time, you must go through the process for password recovery.

See here for more information.

0

In the AWS Landing Zone user guide on page 5 under "Security Account", a way is described for Security account IAM users to use Switch Role to two existing roles deployed via AVM:

The Security account creates auditor (read-only) and administrator (full-access) cross-account roles from a Security account to all AWS Landing Zone managed accounts. The intent of these roles is to be used by security and compliance teams to audit, such as hosting custom AWS Config Rule lambda functions, or perform automated security operations, such as performing remediation actions.

I have tried to utilize these roles but unfortunately haven't been able to set up the assume policy, as by default the trusted entity has been set to the ARN of the same role defined in the Security account. I am not able to switch to this local role in the Security account, as I cannot change permissions on this role, probably due to preventive guardrails. So I guess we need to either customize it in the ALZ CFN templates or do some hack with these preventive guardrails. I cannot believe that AWS promotes this feature in their user guide and that it doesn't work out of the box. Does somebody have any experience with this? I will provide more specific details as soon as I have access to my AWS environment again. I know that this does not provide a complete solution to this question, and that it may be a completely different question, but I think that it can provide a hint towards the solution, so I made a post here to engage more activity towards the solution.

Update:

The names of those two roles are:

  • AWSLandingZoneAdminExecutionRole
  • AWSLandingZoneReadOnlyExecutionRole
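The cross-account trust that the first answer (Switch Role into the core accounts via OrganizationAccountAccessRole) and the third answer (the AVM-deployed execution roles trusting the same-named role in the Security account) both turn on, as an added example that is not code from the original post, from AWS, or from the Landing Zone solution. It builds the trust policies involved and runs a simplified trust-policy evaluator over them to show which caller gets in and which does not. The account IDs and the names LandingZoneAdmin, alice and auditor are constructed placeholders; the evaluator handles principals, Effect and the sts:AssumeRole action only and ignores Condition blocks, SCPs and permission boundaries.

```python
"""Trust-policy checks for cross-account access in an AWS Landing Zone.

Added example, not code from the original post, from AWS or from the Landing Zone
solution. Account IDs and the names LandingZoneAdmin, alice and auditor are
constructed placeholders; OrganizationAccountAccessRole,
AWSLandingZoneAdminExecutionRole and AWSLandingZoneReadOnlyExecutionRole are the
role names the page mentions. The evaluator is a simplification of IAM's real
logic (no Condition blocks, SCPs or permission boundaries).
"""
import fnmatch
import json

# Constructed placeholder account IDs
MGMT_ACCOUNT = "111111111111"
SECURITY_ACCOUNT = "222222222222"
LOG_ARCHIVE_ACCOUNT = "333333333333"


def _as_list(value):
    """IAM allows a string or a list in most policy fields."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _normalize_caller(arn: str) -> str:
    """A role session (arn:aws:sts::acct:assumed-role/Name/session) matches a
    trust policy that names the role itself, so map it to the role ARN."""
    if ":assumed-role/" in arn:
        acct = arn.split(":")[4]
        name = arn.split(":assumed-role/")[1].split("/")[0]
        return f"arn:aws:iam::{acct}:role/{name}"
    return arn


def _principal_matches(principal: str, caller: str) -> bool:
    """Match one Principal.AWS entry against a caller ARN. A bare account ID or an
    account ':root' ARN trusts every IAM identity in that account (IAM still
    requires that identity to hold sts:AssumeRole permission on its own side)."""
    caller_acct = caller.split(":")[4]
    if principal == "*":
        return True
    if principal.isdigit() and len(principal) == 12:
        return principal == caller_acct
    if principal.endswith(":root"):
        return principal.split(":")[4] == caller_acct
    return fnmatch.fnmatchcase(caller, principal)


def can_assume(trust_policy: dict, caller_arn: str) -> bool:
    """Approximate trust-policy evaluation for sts:AssumeRole: a matching explicit
    Deny wins; otherwise the call succeeds only if some Allow statement matches."""
    caller = _normalize_caller(caller_arn)
    allowed = denied = False
    for stmt in trust_policy["Statement"]:
        actions = _as_list(stmt.get("Action"))
        if not any(fnmatch.fnmatchcase("sts:AssumeRole", a) for a in actions):
            continue
        principal = stmt.get("Principal", {})
        names = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        if any(_principal_matches(p, caller) for p in names):
            if stmt.get("Effect") == "Allow":
                allowed = True
            elif stmt.get("Effect") == "Deny":
                denied = True
    return allowed and not denied


def trust_policy(principals: list) -> dict:
    """Trust policy that lets exactly the given principals assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principals},
            "Action": "sts:AssumeRole",
        }],
    }


def org_access_trust_policy(mgmt_account: str, admin_role: str = "LandingZoneAdmin") -> dict:
    """OrganizationAccountAccessRole in a core account, trusting one named role in the
    management account rather than the whole management account (':root')."""
    return trust_policy([f"arn:aws:iam::{mgmt_account}:role/{admin_role}"])


def managed_account_execution_role_trust(security_account: str, role_name: str) -> dict:
    """Trust policy of an AVM-deployed execution role in a managed account as the third
    answer describes it: it trusts the same-named role in the Security account."""
    return trust_policy([f"arn:aws:iam::{security_account}:role/{role_name}"])


def assume_role_command(role_arn: str, session_name: str) -> str:
    """The AWS CLI call equivalent to the console's Switch Role."""
    return f"aws sts assume-role --role-arn {role_arn} --role-session-name {session_name}"


if __name__ == "__main__":
    # First answer: only the named management-account role can enter the core account.
    core = org_access_trust_policy(MGMT_ACCOUNT)
    print(json.dumps(core, indent=2))
    print(can_assume(core, f"arn:aws:iam::{MGMT_ACCOUNT}:role/LandingZoneAdmin"))  # True
    print(can_assume(core, f"arn:aws:iam::{MGMT_ACCOUNT}:user/alice"))             # False

    # Third answer: a Security-account user cannot hit the managed-account role directly;
    # the path is user -> local role in the Security account -> same-named managed role.
    role = "AWSLandingZoneReadOnlyExecutionRole"
    managed = managed_account_execution_role_trust(SECURITY_ACCOUNT, role)
    print(can_assume(managed, f"arn:aws:iam::{SECURITY_ACCOUNT}:user/auditor"))         # False
    print(can_assume(managed, f"arn:aws:sts::{SECURITY_ACCOUNT}:assumed-role/{role}/audit"))  # True
    print(assume_role_command(f"arn:aws:iam::{LOG_ARCHIVE_ACCOUNT}:role/{role}", "audit"))
```

The evaluator makes the third answer's problem concrete: the managed-account role trusts only a session of the same-named role in the Security account, so the piece that has to be fixed (and that the poster could not change) is the local role's trust policy in the Security account, which must name the auditor users or roles that should be allowed to start the chain. For the first answer, trusting a single named role in the management account instead of the account's root principal keeps the core-account trust as narrow as possible.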