The AWS tools use local AWS profiles to authenticate calls from a workstation to the AWS Cloud. An AWS profile contains an AccessKeyID and a SecretKey. By selecting a named profile, you are instructing an AWS tool to use that AccessKey pair to authenticate with a specific AWS Cloud Account. Consider the named profiles in the previous section's diagram:
AWS allows you to create a "default" profile that will be used if you don't supply a specific profile name when executing an AWS tool. We strongly recommend that you never use a default profile on the Management Workstation. We also recommend you only use a default profile on a Developer's Workstation when they will only ever be working against a single AWS Account.
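One way to check a workstation against this recommendation, as an added example that is not part of the original page: the script parses the text of the AWS CLI's `~/.aws/credentials` and `~/.aws/config` files and flags a `default` profile. The workstation labels, sample file contents and profile names are constructed for illustration, and treating several named profiles as a sign of several accounts is a heuristic.

```python
import configparser

# Constructed sample files (not from the page); key values are placeholders.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = EXAMPLE_KEY_ID_1
aws_secret_access_key = example-secret-1
[mgmt-admin]
aws_access_key_id = EXAMPLE_KEY_ID_2
aws_secret_access_key = example-secret-2
"""
SAMPLE_CONFIG = """\
[default]
region = us-east-1
[profile dev-admin]
region = us-west-2
"""

def profile_names(text, is_config_file):
    """Return the profile names defined in one AWS CLI file's text."""
    parser = configparser.RawConfigParser(strict=False)
    parser.read_string(text)
    names = []
    for section in parser.sections():
        if is_config_file and section != "default":
            # Config writes named profiles as "[profile NAME]"; skip other sections.
            if not section.startswith("profile "):
                continue
            section = section[len("profile "):].strip()
        names.append(section)
    return names

def audit(credentials_text, config_text, workstation):
    """workstation is "management" or "developer" (labels assumed here)."""
    names = set(profile_names(credentials_text, False))
    names |= set(profile_names(config_text, True))
    named = sorted(names - {"default"})
    if "default" not in names:
        return []
    if workstation == "management":
        return ["default profile on Management Workstation: remove it"]
    if named:  # heuristic: several profiles suggest several accounts
        return ["default profile alongside %s: a command run without "
                "--profile silently uses the default account" % ", ".join(named)]
    return []

if __name__ == "__main__":
    for kind in ("management", "developer"):
        print(kind, audit(SAMPLE_CREDENTIALS, SAMPLE_CONFIG, kind))
```

To audit a real workstation, pass the contents of the two files read from disk instead of the sample strings.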
Every AWS Account has a root user. That root user is associated with an email address that is unique among AWS Accounts - you can't use the same email address for more than one account. You sign into the root user account using at least that email address and a password. Signing into an account using the root user credentials should only be done for a limited number of account management reasons. All other access should be performed through an IAM User login.
We create a single IAM User for each AWS Account created in the AWS Organization. See the diagram below: