Using a central IAM provider is certainly a great thing. While setting up SSO for AWS, managing the AWS root users became an issue, because each of them is required to have a globally unique e-mail address. This might not be a problem for small companies, but if you plan several hundred or even thousands of AWS accounts, it becomes a nightmare real fast. In this post, I will go over one approach to managing all your root users with M365 offerings and some Azure services, pretty much for free.
This is the second part of the series; it covers the shared mailbox setup.

Table of Contents

  1. Introduction
  2. Shared Mailbox
  3. Next Steps

Introduction

This is a multi part post - you can find all related posts here:

Shared Mailbox

Each AWS account's root user e-mail address must be unique, therefore we create several shared mailboxes with a large number of aliases, as shown below:

[Figure: Exchange Online Shared Mailbox Structure]

In this example, we will have 11 shared mailboxes: one main mailbox called “aws@company.com“ and ten mailboxes with 300 mail aliases each. The ten mailboxes forward all mail to “aws@company.com“, so all mail comes together in one central mailbox. The AWS administrators get access to the shared mailbox “aws@company.com“ and therefore have access to all root accounts. Each AWS account's root user e-mail will be configured with one of these mail aliases. All mail aliases and the shared mailbox they belong to are stored in a table in Azure Table storage. We will go into more detail in the next and final post.

You can find the initial setup in the repository.

You need to set up the Azure resources first, otherwise the data will not be written to the table storage. You will find a Terraform deployment within the repo.

setup.ps1
$subscription_id = ""

Import-Module Az.Storage
Import-Module AzTable
Import-Module ExchangeOnlineManagement

# Sign in to Azure and select the subscription that holds the table storage
Add-AzAccount
Select-AzSubscription -SubscriptionId $subscription_id

# Table storage created by the Terraform deployment in the repository
$storageAccount = Get-AzStorageAccount -ResourceGroupName 'comp-aws-root-acc-mgmt-live-rg' -Name 'comp6f2twtlivest'
$ctx = $storageAccount.Context
$storageTable = Get-AzStorageTable -Name 'awsrootaccounts' -Context $ctx
$cloudTable = $storageTable.CloudTable

Connect-ExchangeOnline

$tld = "company.com"

# The central mailbox that the AWS administrators get access to
New-Mailbox -Shared -Name "awsmain@$($tld)" -DisplayName "AWS Main"

# Range of shared mailbox numbers to create; the post describes ten of them (1..10),
# this run creates only number 2
foreach ($shared_mailbox_number in (2..2)) {
    $aws_root_account_shared_mailbox_name = "comp{0:d3}" -f $shared_mailbox_number
    $aws_root_account_shared_mailbox_displayname = "AWS Root Account Mgmt {0:d3}" -f $shared_mailbox_number
    Write-Output "Creating shared Mailbox $($aws_root_account_shared_mailbox_name) // $($aws_root_account_shared_mailbox_displayname)"
    New-Mailbox -Shared -Name $aws_root_account_shared_mailbox_name -DisplayName $aws_root_account_shared_mailbox_displayname
    # Give Exchange Online a moment to provision the mailbox before configuring it
    Start-Sleep -Seconds 10
    # Everything sent to this mailbox ends up in the central mailbox
    Get-Mailbox $aws_root_account_shared_mailbox_name | Set-Mailbox -ForwardingAddress "awsmain@$($tld)"

    foreach ($alias_number in (1..300)) {
        # A random GUID makes the alias unguessable and globally unique
        $guid = New-Guid | Select-Object -ExpandProperty Guid
        $alias_name = "aws_$($guid)@$($tld)"
        Write-Output "Adding Alias $($alias_name) // $($alias_number)/300"

        Set-Mailbox $aws_root_account_shared_mailbox_name -EmailAddresses @{Add=$alias_name}

        # One table row per alias; in_use, user_mail and aws_account_id are filled in later
        $props = @{
            "aws_mail"       = $alias_name
            "in_use"         = $false
            "id"             = $guid
            "user_mail"      = ""
            "root_mailbox"   = "$($aws_root_account_shared_mailbox_name)@$($tld)"
            "aws_account_id" = ""
        }

        $result = Add-AzTableRow -Table $cloudTable -PartitionKey 'root' -RowKey $guid -Property $props
    }
}
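Once the mailboxes and table rows exist, the two can drift apart (an alias removed in Exchange, forwarding changed, a row marked in use without an account id). The following check is an added example and not part of the original post or repository; it assumes the same resource group, storage account, table name and $tld as setup.ps1, and that Get-Recipient can resolve the mailbox's ForwardingAddress identity.

```powershell
# Added example (not from the original post): verify that the 'root' partition
# in table storage still matches the shared mailboxes in Exchange Online.
Import-Module Az.Storage
Import-Module AzTable
Import-Module ExchangeOnlineManagement

$tld = "company.com"                 # same domain as in setup.ps1
$mainMailbox = "awsmain@$tld"        # all shared mailboxes must forward here

Connect-AzAccount | Out-Null
Connect-ExchangeOnline -ShowBanner:$false

$ctx = (Get-AzStorageAccount -ResourceGroupName 'comp-aws-root-acc-mgmt-live-rg' -Name 'comp6f2twtlivest').Context
$cloudTable = (Get-AzStorageTable -Name 'awsrootaccounts' -Context $ctx).CloudTable

# setup.ps1 writes every alias row with partition key 'root'
$rows = @(Get-AzTableRow -Table $cloudTable -PartitionKey 'root')
$findings = [System.Collections.Generic.List[string]]::new()

# Look each shared mailbox up once instead of once per alias
$mailboxes = @{}
foreach ($rootMailbox in ($rows.root_mailbox | Sort-Object -Unique)) {
    $mbx = Get-Mailbox -Identity $rootMailbox -ErrorAction SilentlyContinue
    if (-not $mbx) { $findings.Add("Missing shared mailbox: $rootMailbox"); continue }
    # ForwardingAddress is a recipient identity (assumption: resolvable via Get-Recipient)
    $fwd = if ($mbx.ForwardingAddress) { (Get-Recipient $mbx.ForwardingAddress).PrimarySmtpAddress } else { $null }
    if ("$fwd" -ne $mainMailbox) { $findings.Add("${rootMailbox}: forwards to '$fwd', expected $mainMailbox") }
    # Proxy addresses look like 'smtp:alias@domain'; keep only the lowercase address part
    $mailboxes[$rootMailbox] = @($mbx.EmailAddresses | ForEach-Object { ($_ -replace '^smtp:', '').ToLower() })
}

foreach ($row in $rows) {
    $aliases = $mailboxes[$row.root_mailbox]
    if ($null -eq $aliases) { continue }   # mailbox already reported as missing
    if ($aliases -notcontains $row.aws_mail.ToLower()) {
        $findings.Add("Alias $($row.aws_mail) is in the table but not on $($row.root_mailbox)")
    }
    # An alias marked in use must be traceable to an AWS account and an owner
    if ($row.in_use -and ([string]::IsNullOrEmpty($row.aws_account_id) -or [string]::IsNullOrEmpty($row.user_mail))) {
        $findings.Add("Alias $($row.aws_mail) is in_use but has no aws_account_id/user_mail")
    }
}

if ($findings.Count -eq 0) { Write-Output "OK: $($rows.Count) alias rows match Exchange Online" }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run it read-only from an account with Exchange recipient-read and storage table-read permissions; every warning points at a row or mailbox that no longer matches the structure setup.ps1 created.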

Next Steps

The third and final post will go over the API for the AWS root-user management.