Accounts, Organizations and IAM

In AWS the fundamental isolation boundary is the account — not the subscription as in Azure. Understanding accounts, Organizations and IAM is the foundation on which all access rests — including the read-only access ZEUS uses.

The account as a boundary

A single AWS account is the boundary for billing, resource isolation and (by default) security. Good practice is multi-account: separate accounts for prod, dev, security and logging — instead of everything in one.

AWS Organizations

Organizations ties many accounts together under a single management account and lets you group them into Organizational Units (OUs). It also provides Service Control Policies (SCPs) — guardrails that constrain what accounts in an OU can do, regardless of their own IAM permissions.

# List the accounts in the organization
aws organizations list-accounts --output table

# OU structure (r-xxxx is the root id, shown by `aws organizations list-roots`)
aws organizations list-organizational-units-for-parent \
  --parent-id r-xxxx --output table

Concept              Role
Management account   root of the organization, billing
OU                   group of accounts sharing a common policy
SCP                  guardrail constraining permissions
Member account       working account (prod/dev/...)

IAM — who can do what

IAM (Identity and Access Management) manages identity and access:

  • IAM users — long-term identities (avoid them for people; use IAM Identity Center / SSO).
  • IAM roles — temporary identities, assumed via AssumeRole. This is the preferred mechanism for applications and cross-account access.
  • Policies — JSON documents specifying Effect, Action, Resource.

An example read-only policy for S3:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::zeus-data", "arn:aws:s3:::zeus-data/*"]
  }]
}

Tip: the principle of least privilege. Instead of AdministratorAccess, grant narrow policies. For read-only auditing, AWS provides the ready-made managed policies ReadOnlyAccess and SecurityAudit.
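As an added example (not part of the lesson or of the ZEUS connector), a small Python checker that applies the tip above to a policy document: it flags Allow statements with wildcard actions, a wildcard resource, grants by exclusion (NotAction/NotResource), or actions outside a set of read-only verb prefixes. The read-only prefix set is an assumption of this script; AWS defines no such list. The two sample policies are constructed inline, the first being the S3 policy shown above.

```python
import json

# Constructed sample input: the read-only S3 policy shown in this lesson.
READ_ONLY_S3 = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::zeus-data", "arn:aws:s3:::zeus-data/*"],
    }],
})

# Constructed sample input: an AdministratorAccess-style policy that breaks the tip.
ADMIN_LIKE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Assumption: action verbs starting with these prefixes are treated as read-only.
# AWS defines no such list; extend it for the services you audit.
READ_PREFIXES = ("Get", "List", "Describe", "Head")


def _as_list(value):
    """IAM accepts a string or a list in Statement/Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(document: str) -> list:
    """Return findings for Allow statements that grant more than narrowly scoped,
    read-only access. An empty list means the policy passes."""
    policy = json.loads(document)
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only take permissions away
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"stmt {i}: NotAction/NotResource grants by exclusion")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"stmt {i}: wildcard action {action}")
                continue
            verb = action.split(":", 1)[-1]  # "s3:GetObject" -> "GetObject"
            if not verb.startswith(READ_PREFIXES):
                findings.append(f"stmt {i}: non-read action {action}")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"stmt {i}: resource '*'")
    return findings


if __name__ == "__main__":
    for name, doc in (("read-only S3", READ_ONLY_S3), ("admin-like", ADMIN_LIKE)):
        print(name, "->", audit_policy(doc) or "OK")
```

Run it against any policy JSON before attaching it to the auditing role; a non-empty result is the list of statements to narrow.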

How ZEUS sees it

ZEUS connects to AWS through an IAM role assumed cross-account (or an access key for a single account) with the ReadOnlyAccess and SecurityAudit policies. Thanks to Organizations it can read the entire structure: the management account, OUs, member accounts and SCPs. This lets it build a map of the customer's whole AWS landscape from a single point. We cover the connector details in lesson 07.

In the next lesson we go down to the network layer: VPCs, subnets and security groups.