This project demonstrates how to build a secure and organized multi-account AWS environment using AWS Organizations, AWS IAM Identity Centre, and permission sets. It walks through account structuring, user management, access control, and enforcing best practices like Multi-Factor Authentication (MFA) to ensure security and governance in a cloud-native environment.
The following objectives were set out for the project:
- Set up and manage multiple AWS accounts under one AWS Organization.
- Create users and assign them to appropriate groups using AWS IAM Identity Centre.
- Define and assign custom permission sets.
- Implement and enforce MFA for all users.
- Enable cross-account access governed by role-based permissions.
- Document the entire process with screenshots for reference and future auditing.
Tools Used:
- AWS Organizations
- AWS IAM Identity Centre
- AWS IAM
- Permission Sets
- MFA
- Notion (for publishing project results)
Tasks Completed:
- Created a root/management account.
- Added one member account successfully and named it Development.
- Attempted to add additional accounts: Staging and Production.
Issue Encountered:
- AWS returned the error: "You have exceeded the allowed number of AWS accounts."
Root Cause:
- AWS imposes a default limit on the number of accounts in an organization for new AWS accounts.
Troubleshooting Action:
- Submitted a quota increase request via AWS Support Console.
- Continued with the rest of the project while awaiting approval.
- Enabled AWS IAM Identity Centre.
- Created five users:
  - Iniabasi Okorie
  - Chioma Okechukwu
  - Samuel Osung
  - Kelechi Light
  - Emmanuel Nnaemeka
- Created the following groups:
  - Admin-Team: Iniabasi Okorie
  - DevOps-Team: Samuel Osung, Emmanuel Nnaemeka
  - Developer-Team: Chioma Okechukwu, Kelechi Light
- Created the following custom permission sets:
  - Admin-Permission
  - PowerUser-Permission
  - SystemAdmin-Permission
  - DataScientist-Permission
Mapping:
- Admin-Team: Administrator-Permission, System Admin Permission, PowerUser Access.
- DevOps-Team: Administrator-Permission, Data Scientist Admin, PowerUser Access.
- Developer-Team: System Admin Permission, Administrator-Permission, PowerUser Access.
- Enforced MFA across all IAM Identity Centre users.
- Configured each user to register a virtual MFA device.
- All users granted access to all three AWS accounts via Identity Centre.
- Permissions restricted by group assignments.
- Each user logged in via the Identity Centre portal.
- MFA successfully used.
- Demonstrated switching between AWS accounts using SSO.
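As an added example that is not part of the original project, the setup above (the Organization, the Development member account, the Identity Centre users and groups, the four custom permission sets and the group-based account assignments) expressed as a Terraform configuration. Assumptions: the region, the usernames and the e-mail addresses are placeholders the page does not give; each custom permission set is backed by the AWS managed policy its name suggests; and the labels in the Mapping list (Administrator-Permission, System Admin Permission, PowerUser Access, Data Scientist Admin) are read as the four permission sets defined above.

```hcl
# Apply from the management account. The region is an assumption; the page does not state one.
provider "aws" {
  region = "us-east-1"
}

resource "aws_organizations_organization" "org" {
  feature_set = "ALL" # all features are required for Identity Centre and SCPs
}

# Only Development was created on the page; Staging and Production wait on the quota increase.
resource "aws_organizations_account" "development" {
  name  = "Development"
  email = "aws-development@example.com" # placeholder address, not from the page
}

# Identity Centre must already be enabled (done in the console on the page); read its IDs.
data "aws_ssoadmin_instances" "sso" {}

locals {
  instance_arn      = tolist(data.aws_ssoadmin_instances.sso.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.sso.identity_store_ids)[0]

  # Usernames are constructed; the display names are the five users listed on the page.
  users = {
    "iniabasi.okorie"   = "Iniabasi Okorie"
    "chioma.okechukwu"  = "Chioma Okechukwu"
    "samuel.osung"      = "Samuel Osung"
    "kelechi.light"     = "Kelechi Light"
    "emmanuel.nnaemeka" = "Emmanuel Nnaemeka"
  }
  groups = {
    "Admin-Team"     = ["iniabasi.okorie"]
    "DevOps-Team"    = ["samuel.osung", "emmanuel.nnaemeka"]
    "Developer-Team" = ["chioma.okechukwu", "kelechi.light"]
  }
  # Each custom permission set wraps one AWS managed policy (assumed pairing).
  permission_sets = {
    "Admin-Permission"         = "arn:aws:iam::aws:policy/AdministratorAccess"
    "PowerUser-Permission"     = "arn:aws:iam::aws:policy/PowerUserAccess"
    "SystemAdmin-Permission"   = "arn:aws:iam::aws:policy/job-function/SystemAdministrator"
    "DataScientist-Permission" = "arn:aws:iam::aws:policy/job-function/DataScientist"
  }
  # Group -> permission set mapping exactly as documented on the page.
  assignments = {
    "Admin-Team"     = ["Admin-Permission", "SystemAdmin-Permission", "PowerUser-Permission"]
    "DevOps-Team"    = ["Admin-Permission", "DataScientist-Permission", "PowerUser-Permission"]
    "Developer-Team" = ["SystemAdmin-Permission", "Admin-Permission", "PowerUser-Permission"]
  }
  # Flatten the two maps into one entry per (group, user) and per (group, permission set).
  memberships = { for p in flatten([for g, ms in local.groups : [for m in ms : { g = g, m = m }]]) : "${p.g}/${p.m}" => p }
  grants      = { for p in flatten([for g, ss in local.assignments : [for s in ss : { g = g, s = s }]]) : "${p.g}/${p.s}" => p }
}

resource "aws_identitystore_user" "this" {
  for_each          = local.users
  identity_store_id = local.identity_store_id
  user_name         = each.key
  display_name      = each.value
  name {
    given_name  = split(" ", each.value)[0]
    family_name = split(" ", each.value)[1]
  }
}

resource "aws_identitystore_group" "this" {
  for_each          = local.groups
  identity_store_id = local.identity_store_id
  display_name      = each.key
}

resource "aws_identitystore_group_membership" "this" {
  for_each          = local.memberships
  identity_store_id = local.identity_store_id
  group_id          = aws_identitystore_group.this[each.value.g].group_id
  member_id         = aws_identitystore_user.this[each.value.m].user_id
}

resource "aws_ssoadmin_permission_set" "this" {
  for_each         = local.permission_sets
  instance_arn     = local.instance_arn
  name             = each.key
  session_duration = "PT1H" # short sessions limit how long a leaked session token stays useful
}

resource "aws_ssoadmin_managed_policy_attachment" "this" {
  for_each           = local.permission_sets
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.this[each.key].arn
  managed_policy_arn = each.value
}

# Access is granted to groups, never to individual users, so membership changes are the only lever.
resource "aws_ssoadmin_account_assignment" "this" {
  for_each           = local.grants
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.this[each.value.s].arn
  principal_id       = aws_identitystore_group.this[each.value.g].group_id
  principal_type     = "GROUP"
  target_id          = aws_organizations_account.development.id # repeat per account once Staging and Production exist
  target_type        = "AWS_ACCOUNT"
}
```

Run `terraform init` and `terraform apply` with management-account credentials. MFA enforcement is left as the console step the page describes (the authentication settings of the Identity Centre instance). One least-privilege check on the mapping: any group that holds Admin-Permission already has everything the other sets grant, so the extra sets on DevOps-Team and Developer-Team add no access, and keeping Admin-Permission for Admin-Team only would match the least-privilege goal stated in the conclusion.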
| Task | Status | Time Taken |
|---|---|---|
| AWS Organization Setup | Completed | ~5 mins |
| IAM Identity Centre Setup | Completed | ~5 mins |
| Permission Set Configuration | Completed | ~10 mins |
| MFA Enforcement | Completed | ~5 mins |
| Access Testing & Switching | Completed | ~10 mins |
| Documentation & Screenshots | Completed | ~2 hours |
This project provided a practical understanding of identity and access management in AWS.
It highlighted key concepts such as least privilege, centralized account management, and MFA enforcement.
The experience also reflected real-world troubleshooting and documentation expectations.
By completing this setup, I now have hands-on familiarity with the foundational building blocks for secure enterprise-grade cloud environments using AWS.