Integration
AWS is a public cloud platform provided by Amazon Web Services. meshStack supports account creation, configuration, access control and cost management for AWS.
Integration Overview
To enable integration with AWS, Platform Operators configure one or multiple meshPlatform
s of PlatformType
AWS in the Platform Administration in meshPanel.
meshStack uses AWS Organizations to provision and manage AWS Accounts for meshProjects. To use AWS with a meshStack deployment, operators will need an AWS management account acting as the parent of all accounts managed by meshStack. The complete meshStack setup contains three dedicated accounts:
- management account: organization management account, the account that hosts the AWS Organization.
meshfed-service-user
needs to assume a role in this account to perform tasks such as new account provisioning.meshfed-service-user
(Replicator User) - meshcloud account: meshStack will use this account to host the IAM users used by meshStack.
meshfed-service-user
(Replicator User) lives in this account. We have a dedicated account for this user so that meshcloud can easily roll the credentials of the user when needed. - automation account: meshStack will use this account to manage CloudFormation that are used in Landing Zones.
IAM Roles and Service Control Policies
meshStack replicates meshProject roles as AWS IAM roles to AWS SSO. Platform Operators can configure the mapping of these roles via meshLandingZones.
When configuring these roles, Platform Operators must take care to correctly guard against privilege escalation and maintain project sandboxing. Operators should also consider leveraging Service Control Policies to simplify role configuration and set up a guarded boundary for the maximum of permissions granted to any role.
How to integrate AWS as a meshPlatform into meshStack
This is described in the Guide section under How to integrate a meshPlatform into meshStack.