⚠️

重要前提

安装AI Skills的关键前提是：必须科学上网，且开启TUN模式，这一点至关重要，直接决定安装能否顺利完成，在此郑重提醒三遍：科学上网，科学上网，科学上网。查看完整安装教程 →

AWS账户管理技能：高效管理组织、IAM、计费与服务控制策略

aws-account-management by hoodini/ai-agents-skills

71 周安装量

155 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/hoodini/ai-agents-skills --skill aws-account-management

AWS 云服务安全

🇨🇳中文介绍

AWS 账户管理

高效管理 AWS 账户、组织、IAM 和计费。

AWS Organizations

组织结构

Root
├── Production OU
│   ├── Prod Account A
│   └── Prod Account B
├── Development OU
│   ├── Dev Account
│   └── Staging Account
├── Security OU
│   ├── Security Account
│   └── Log Archive Account
└── Sandbox OU
    └── Sandbox Account

创建组织

# 创建组织（从管理账户）
aws organizations create-organization --feature-set ALL

# 创建组织单元
aws organizations create-organizational-unit \
  --parent-id r-xxxx \
  --name "Production"

# 创建成员账户
aws organizations create-account \
  --email prod-aws@company.com \
  --account-name "Production Account"

# 将账户移动到 OU
aws organizations move-account \
  --account-id 123456789012 \
  --source-parent-id r-xxxx \
  --destination-parent-id ou-xxxx-xxxxxxxx

服务控制策略

// 禁止离开组织
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLeaveOrg",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    }
  ]
}

// 要求 IMDSv2（实例元数据）
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireIMDSv2",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:MetadataHttpTokens": "required"
        }
      }
    }
  ]
}

// 区域限制
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyNonApprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "support:*",
        "budgets:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["us-east-1", "us-west-2", "eu-west-1"]
        }
      }
    }
  ]
}

// 阻止根用户访问
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRootUser",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:root"
        }
      }
    }
  ]
}

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

IAM Identity Center (AWS SSO)

设置 Identity Center

# 启用 Identity Center
aws sso-admin create-instance

# 创建权限集
aws sso-admin create-permission-set \
  --instance-arn arn:aws:sso:::instance/ssoins-xxxxxxxx \
  --name "AdministratorAccess" \
  --session-duration "PT8H"

# 附加托管策略
aws sso-admin attach-managed-policy-to-permission-set \
  --instance-arn arn:aws:sso:::instance/ssoins-xxxxxxxx \
  --permission-set-arn arn:aws:sso:::permissionSet/ssoins-xxxxxxxx/ps-xxxxxxxx \
  --managed-policy-arn arn:aws:iam::aws:policy/AdministratorAccess

// 开发者权限集（内联策略）
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DeveloperAccess",
      "Effect": "Allow",
      "Action": [
        "ec2:*",
        "s3:*",
        "lambda:*",
        "dynamodb:*",
        "cloudwatch:*",
        "logs:*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyBillingAndIAM",
      "Effect": "Deny",
      "Action": [
        "iam:CreateUser",
        "iam:DeleteUser",
        "iam:CreateAccessKey",
        "aws-portal:*",
        "budgets:*"
      ],
      "Resource": "*"
    }
  ]
}

// 最小权限策略示例
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowS3BucketAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "private"
        }
      }
    },
    {
      "Sid": "AllowListBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::my-bucket",
      "Condition": {
        "StringLike": {
          "s3:prefix": ["${aws:username}/*"]
        }
      }
    }
  ]
}

// 跨账户角色信任策略
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "unique-external-id"
        },
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}

// Lambda 执行角色
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

// EC2 实例配置文件
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

# 生成凭证报告
aws iam generate-credential-report
aws iam get-credential-report --output text --query Content | base64 -d

# 列出未使用的访问密钥（最后使用时间 > 90 天）
aws iam list-users --query 'Users[*].UserName' --output text | \
  xargs -I {} aws iam list-access-keys --user-name {} \
    --query 'AccessKeyMetadata[?Status==`Active`]'

# 获取访问密钥最后使用时间
aws iam get-access-key-last-used --access-key-id AKIAXXXXXXXX

# IAM Access Analyzer
aws accessanalyzer create-analyzer \
  --analyzer-name my-analyzer \
  --type ACCOUNT

# 创建预算
aws budgets create-budget \
  --account-id 123456789012 \
  --budget '{
    "BudgetName": "Monthly-Budget",
    "BudgetLimit": {
      "Amount": "1000",
      "Unit": "USD"
    },
    "BudgetType": "COST",
    "TimeUnit": "MONTHLY"
  }' \
  --notifications-with-subscribers '[
    {
      "Notification": {
        "NotificationType": "ACTUAL",
        "ComparisonOperator": "GREATER_THAN",
        "Threshold": 80
      },
      "Subscribers": [
        {
          "SubscriptionType": "EMAIL",
          "Address": "alerts@company.com"
        }
      ]
    }
  ]'

import boto3
from datetime import datetime, timedelta

client = boto3.client('ce')

# 获取成本和用量
response = client.get_cost_and_usage(
    TimePeriod={
        'Start': (datetime.now() - timedelta(days=30)).strftime('%Y-%m-%d'),
        'End': datetime.now().strftime('%Y-%m-%d')
    },
    Granularity='MONTHLY',
    Metrics=['UnblendedCost'],
    GroupBy=[
        {'Type': 'DIMENSION', 'Key': 'SERVICE'},
        {'Type': 'DIMENSION', 'Key': 'LINKED_ACCOUNT'}
    ]
)

# 获取成本预测
forecast = client.get_cost_forecast(
    TimePeriod={
        'Start': datetime.now().strftime('%Y-%m-%d'),
        'End': (datetime.now() + timedelta(days=30)).strftime('%Y-%m-%d')
    },
    Metric='UNBLENDED_COST',
    Granularity='MONTHLY'
)

print(f"Forecasted cost: ${forecast['Total']['Amount']}")

# 激活成本分配标签
aws ce update-cost-allocation-tags-status \
  --cost-allocation-tags-status '[
    {"TagKey": "Environment", "Status": "Active"},
    {"TagKey": "Project", "Status": "Active"},
    {"TagKey": "CostCenter", "Status": "Active"}
  ]'

# 一致地标记资源
aws ec2 create-tags \
  --resources i-1234567890abcdef0 \
  --tags Key=Environment,Value=Production \
         Key=Project,Value=WebApp \
         Key=CostCenter,Value=Engineering

Savings Plans 与预留实例

# 获取 Savings Plans 推荐
aws savingsplans describe-savings-plans-offering-rates \
  --savings-plan-offering-ids xxxxxxxxx

# 获取预留实例推荐
aws ce get-reservation-purchase-recommendation \
  --service "Amazon Elastic Compute Cloud - Compute" \
  --lookback-period-in-days THIRTY_DAYS \
  --term-in-years ONE_YEAR \
  --payment-option NO_UPFRONT

CloudTrail 与日志记录

# 创建组织跟踪
aws cloudtrail create-trail \
  --name organization-trail \
  --s3-bucket-name my-cloudtrail-bucket \
  --is-organization-trail \
  --is-multi-region-trail \
  --enable-log-file-validation \
  --kms-key-id alias/cloudtrail-key

# 开始日志记录
aws cloudtrail start-logging --name organization-trail

CloudTrail 事件选择器

# 记录管理事件和 S3 数据事件
aws cloudtrail put-event-selectors \
  --trail-name organization-trail \
  --event-selectors '[
    {
      "ReadWriteType": "All",
      "IncludeManagementEvents": true,
      "DataResources": [
        {
          "Type": "AWS::S3::Object",
          "Values": ["arn:aws:s3:::sensitive-bucket/"]
        }
      ]
    }
  ]'

# 启用 Config
aws configservice put-configuration-recorder \
  --configuration-recorder name=default,roleARN=arn:aws:iam::123456789012:role/config-role

# 部署托管规则
aws configservice put-config-rule \
  --config-rule '{
    "ConfigRuleName": "s3-bucket-public-read-prohibited",
    "Source": {
      "Owner": "AWS",
      "SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED"
    }
  }'

# 组织 Config 规则
aws configservice put-organization-config-rule \
  --organization-config-rule-name "org-s3-bucket-public-read-prohibited" \
  --organization-managed-rule-metadata '{
    "RuleIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED"
  }'

# conformance-pack.yaml
Parameters:
  S3BucketName:
    Type: String
Resources:
  S3BucketPublicReadProhibited:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-public-read-prohibited
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
  IAMRootAccessKeyCheck:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: iam-root-access-key-check
      Source:
        Owner: AWS
        SourceIdentifier: IAM_ROOT_ACCESS_KEY_CHECK
  MFAEnabledForIAMConsoleAccess:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: mfa-enabled-for-iam-console-access
      Source:
        Owner: AWS
        SourceIdentifier: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS

# providers.tf
provider "aws" {
  alias  = "management"
  region = "us-east-1"
}

provider "aws" {
  alias  = "production"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::${var.prod_account_id}:role/TerraformRole"
  }
}

provider "aws" {
  alias  = "development"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::${var.dev_account_id}:role/TerraformRole"
  }
}

# 在特定账户中创建资源
resource "aws_s3_bucket" "prod_bucket" {
  provider = aws.production
  bucket   = "my-prod-bucket"
}

resource "aws_s3_bucket" "dev_bucket" {
  provider = aws.development
  bucket   = "my-dev-bucket"
}

账户工厂（Control Tower 模式）

# modules/account/main.tf
resource "aws_organizations_account" "account" {
  name  = var.account_name
  email = var.account_email
  
  parent_id = var.organizational_unit_id
  
  role_name = "OrganizationAccountAccessRole"
  
  tags = {
    Environment = var.environment
    ManagedBy   = "Terraform"
  }
}

resource "aws_iam_role" "terraform_role" {
  provider = aws.new_account
  name     = "TerraformRole"
  
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::${var.management_account_id}:root"
        }
        Action = "sts:AssumeRole"
      }
    ]
  })
}

安全最佳实践检查清单

## 账户安全
- [ ] 根账户已启用 MFA
- [ ] 根账户访问密钥已删除
- [ ] 根账户邮箱是分发列表
- [ ] 配置了强密码策略
- [ ] 所有区域已启用 CloudTrail
- [ ] 已启用 GuardDuty
- [ ] 已启用 Security Hub
- [ ] 已启用 Config 并配置规则

## 组织安全
- [ ] SCP 限制危险操作
- [ ] SCP 强制执行区域限制
- [ ] SCP 要求加密
- [ ] 日志归档账户已隔离
- [ ] 安全账户已隔离
- [ ] 跨账户访问使用角色（而非用户）

## IAM 安全
- [ ] 没有长期有效的访问密钥
- [ ] 已启用 IAM Access Analyzer
- [ ] 未使用的凭证已轮换/移除
- [ ] 委派管理员已设置权限边界
- [ ] 尽可能使用服务关联角色

## 成本管理
- [ ] 已配置预算并设置警报
- [ ] 成本分配标签已激活
- [ ] 已评估 Savings Plans
- [ ] 未使用的资源已清理
- [ ] 已审查资源规模优化建议

🇺🇸English

AWS Account Management

Manage AWS accounts, organizations, IAM, and billing effectively.

AWS Organizations

Organization Structure

Root
├── Production OU
│   ├── Prod Account A
│   └── Prod Account B
├── Development OU
│   ├── Dev Account
│   └── Staging Account
├── Security OU
│   ├── Security Account
│   └── Log Archive Account
└── Sandbox OU
    └── Sandbox Account

Create Organization

# Create organization (from management account)
aws organizations create-organization --feature-set ALL

# Create organizational unit
aws organizations create-organizational-unit \
  --parent-id r-xxxx \
  --name "Production"

# Create member account
aws organizations create-account \
  --email prod-aws@company.com \
  --account-name "Production Account"

# Move account to OU
aws organizations move-account \
  --account-id 123456789012 \
  --source-parent-id r-xxxx \
  --destination-parent-id ou-xxxx-xxxxxxxx

Service Control Policies (SCPs)

// Deny leaving organization
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLeaveOrg",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    }
  ]
}

// Require IMDSv2 (instance metadata)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireIMDSv2",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:MetadataHttpTokens": "required"
        }
      }
    }
  ]
}

// Region restriction
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyNonApprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "support:*",
        "budgets:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["us-east-1", "us-west-2", "eu-west-1"]
        }
      }
    }
  ]
}

// Prevent root user access
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRootUser",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:root"
        }
      }
    }
  ]
}

Attach SCP

# Create SCP
aws organizations create-policy \
  --name "DenyLeaveOrg" \
  --type SERVICE_CONTROL_POLICY \
  --content file://deny-leave-org.json

# Attach to OU
aws organizations attach-policy \
  --policy-id p-xxxxxxxxxxxx \
  --target-id ou-xxxx-xxxxxxxx

IAM Identity Center (AWS SSO)

Setup Identity Center

# Enable Identity Center
aws sso-admin create-instance

# Create permission set
aws sso-admin create-permission-set \
  --instance-arn arn:aws:sso:::instance/ssoins-xxxxxxxx \
  --name "AdministratorAccess" \
  --session-duration "PT8H"

# Attach managed policy
aws sso-admin attach-managed-policy-to-permission-set \
  --instance-arn arn:aws:sso:::instance/ssoins-xxxxxxxx \
  --permission-set-arn arn:aws:sso:::permissionSet/ssoins-xxxxxxxx/ps-xxxxxxxx \
  --managed-policy-arn arn:aws:iam::aws:policy/AdministratorAccess

Permission Sets

// Developer permission set (inline policy)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DeveloperAccess",
      "Effect": "Allow",
      "Action": [
        "ec2:*",
        "s3:*",
        "lambda:*",
        "dynamodb:*",
        "cloudwatch:*",
        "logs:*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyBillingAndIAM",
      "Effect": "Deny",
      "Action": [
        "iam:CreateUser",
        "iam:DeleteUser",
        "iam:CreateAccessKey",
        "aws-portal:*",
        "budgets:*"
      ],
      "Resource": "*"
    }
  ]
}

IAM Best Practices

IAM Policies

// Least privilege policy example
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowS3BucketAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "private"
        }
      }
    },
    {
      "Sid": "AllowListBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::my-bucket",
      "Condition": {
        "StringLike": {
          "s3:prefix": ["${aws:username}/*"]
        }
      }
    }
  ]
}

// Cross-account role trust policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "unique-external-id"
        },
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}

IAM Roles for Services

// Lambda execution role
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

// EC2 instance profile
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

IAM Security Tools

# Generate credential report
aws iam generate-credential-report
aws iam get-credential-report --output text --query Content | base64 -d

# List unused access keys (last used > 90 days)
aws iam list-users --query 'Users[*].UserName' --output text | \
  xargs -I {} aws iam list-access-keys --user-name {} \
    --query 'AccessKeyMetadata[?Status==`Active`]'

# Get access key last used
aws iam get-access-key-last-used --access-key-id AKIAXXXXXXXX

# IAM Access Analyzer
aws accessanalyzer create-analyzer \
  --analyzer-name my-analyzer \
  --type ACCOUNT

Cost Management

AWS Budgets

# Create budget
aws budgets create-budget \
  --account-id 123456789012 \
  --budget '{
    "BudgetName": "Monthly-Budget",
    "BudgetLimit": {
      "Amount": "1000",
      "Unit": "USD"
    },
    "BudgetType": "COST",
    "TimeUnit": "MONTHLY"
  }' \
  --notifications-with-subscribers '[
    {
      "Notification": {
        "NotificationType": "ACTUAL",
        "ComparisonOperator": "GREATER_THAN",
        "Threshold": 80
      },
      "Subscribers": [
        {
          "SubscriptionType": "EMAIL",
          "Address": "alerts@company.com"
        }
      ]
    }
  ]'

Cost Explorer API

import boto3
from datetime import datetime, timedelta

client = boto3.client('ce')

# Get cost and usage
response = client.get_cost_and_usage(
    TimePeriod={
        'Start': (datetime.now() - timedelta(days=30)).strftime('%Y-%m-%d'),
        'End': datetime.now().strftime('%Y-%m-%d')
    },
    Granularity='MONTHLY',
    Metrics=['UnblendedCost'],
    GroupBy=[
        {'Type': 'DIMENSION', 'Key': 'SERVICE'},
        {'Type': 'DIMENSION', 'Key': 'LINKED_ACCOUNT'}
    ]
)

# Get cost forecast
forecast = client.get_cost_forecast(
    TimePeriod={
        'Start': datetime.now().strftime('%Y-%m-%d'),
        'End': (datetime.now() + timedelta(days=30)).strftime('%Y-%m-%d')
    },
    Metric='UNBLENDED_COST',
    Granularity='MONTHLY'
)

print(f"Forecasted cost: ${forecast['Total']['Amount']}")

Cost Allocation Tags

# Activate cost allocation tags
aws ce update-cost-allocation-tags-status \
  --cost-allocation-tags-status '[
    {"TagKey": "Environment", "Status": "Active"},
    {"TagKey": "Project", "Status": "Active"},
    {"TagKey": "CostCenter", "Status": "Active"}
  ]'

# Tag resources consistently
aws ec2 create-tags \
  --resources i-1234567890abcdef0 \
  --tags Key=Environment,Value=Production \
         Key=Project,Value=WebApp \
         Key=CostCenter,Value=Engineering

Savings Plans & Reserved Instances

# Get Savings Plans recommendations
aws savingsplans describe-savings-plans-offering-rates \
  --savings-plan-offering-ids xxxxxxxxx

# Get Reserved Instance recommendations
aws ce get-reservation-purchase-recommendation \
  --service "Amazon Elastic Compute Cloud - Compute" \
  --lookback-period-in-days THIRTY_DAYS \
  --term-in-years ONE_YEAR \
  --payment-option NO_UPFRONT

CloudTrail & Logging

Organization Trail

# Create organization trail
aws cloudtrail create-trail \
  --name organization-trail \
  --s3-bucket-name my-cloudtrail-bucket \
  --is-organization-trail \
  --is-multi-region-trail \
  --enable-log-file-validation \
  --kms-key-id alias/cloudtrail-key

# Start logging
aws cloudtrail start-logging --name organization-trail

CloudTrail Event Selectors

# Log management events and S3 data events
aws cloudtrail put-event-selectors \
  --trail-name organization-trail \
  --event-selectors '[
    {
      "ReadWriteType": "All",
      "IncludeManagementEvents": true,
      "DataResources": [
        {
          "Type": "AWS::S3::Object",
          "Values": ["arn:aws:s3:::sensitive-bucket/"]
        }
      ]
    }
  ]'

Config & Compliance

AWS Config Rules

# Enable Config
aws configservice put-configuration-recorder \
  --configuration-recorder name=default,roleARN=arn:aws:iam::123456789012:role/config-role

# Deploy managed rule
aws configservice put-config-rule \
  --config-rule '{
    "ConfigRuleName": "s3-bucket-public-read-prohibited",
    "Source": {
      "Owner": "AWS",
      "SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED"
    }
  }'

# Organization Config rules
aws configservice put-organization-config-rule \
  --organization-config-rule-name "org-s3-bucket-public-read-prohibited" \
  --organization-managed-rule-metadata '{
    "RuleIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED"
  }'

Conformance Packs

# conformance-pack.yaml
Parameters:
  S3BucketName:
    Type: String
Resources:
  S3BucketPublicReadProhibited:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-public-read-prohibited
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
  IAMRootAccessKeyCheck:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: iam-root-access-key-check
      Source:
        Owner: AWS
        SourceIdentifier: IAM_ROOT_ACCESS_KEY_CHECK
  MFAEnabledForIAMConsoleAccess:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: mfa-enabled-for-iam-console-access
      Source:
        Owner: AWS
        SourceIdentifier: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS

Terraform Multi-Account

# providers.tf
provider "aws" {
  alias  = "management"
  region = "us-east-1"
}

provider "aws" {
  alias  = "production"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::${var.prod_account_id}:role/TerraformRole"
  }
}

provider "aws" {
  alias  = "development"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::${var.dev_account_id}:role/TerraformRole"
  }
}

# Create resources in specific accounts
resource "aws_s3_bucket" "prod_bucket" {
  provider = aws.production
  bucket   = "my-prod-bucket"
}

resource "aws_s3_bucket" "dev_bucket" {
  provider = aws.development
  bucket   = "my-dev-bucket"
}

Account Factory (Control Tower Pattern)

# modules/account/main.tf
resource "aws_organizations_account" "account" {
  name  = var.account_name
  email = var.account_email
  
  parent_id = var.organizational_unit_id
  
  role_name = "OrganizationAccountAccessRole"
  
  tags = {
    Environment = var.environment
    ManagedBy   = "Terraform"
  }
}

resource "aws_iam_role" "terraform_role" {
  provider = aws.new_account
  name     = "TerraformRole"
  
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::${var.management_account_id}:root"
        }
        Action = "sts:AssumeRole"
      }
    ]
  })
}

Security Best Practices Checklist

## Account Security
- [ ] MFA enabled on root account
- [ ] Root account access keys deleted
- [ ] Root account email is distribution list
- [ ] Strong password policy configured
- [ ] CloudTrail enabled in all regions
- [ ] GuardDuty enabled
- [ ] Security Hub enabled
- [ ] Config enabled with rules

## Organization Security
- [ ] SCPs restrict dangerous actions
- [ ] SCPs enforce region restrictions
- [ ] SCPs require encryption
- [ ] Log archive account isolated
- [ ] Security account isolated
- [ ] Cross-account access uses roles (not users)

## IAM Security
- [ ] No long-lived access keys
- [ ] IAM Access Analyzer enabled
- [ ] Unused credentials rotated/removed
- [ ] Permission boundaries on delegated admins
- [ ] Service-linked roles used where possible

## Cost Management
- [ ] Budgets configured with alerts
- [ ] Cost allocation tags active
- [ ] Savings Plans evaluated
- [ ] Unused resources cleaned up
- [ ] Right-sizing recommendations reviewed

Resources

Organizations Docs : https://docs.aws.amazon.com/organizations/
IAM Best Practices : https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
Identity Center : https://docs.aws.amazon.com/singlesignon/
Cost Management : https://docs.aws.amazon.com/cost-management/
Control Tower : https://docs.aws.amazon.com/controltower/
Security Hub : https://docs.aws.amazon.com/securityhub/

Weekly Installs

Repository

hoodini/ai-agents-skills

GitHub Stars

140

First Seen

Jan 24, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykWarn

Installed on

opencode50

codex49

gemini-cli48

github-copilot47

cursor46

amp41

Supabase Postgres 最佳实践指南 - 8大类别性能优化规则与SQL示例

89,100 周安装

AWS账户管理技能：高效管理组织、IAM、计费与服务控制策略

🇨🇳中文介绍

AWS 账户管理

AWS Organizations

组织结构

创建组织

服务控制策略

相关 Skills

附加 SCP

IAM Identity Center (AWS SSO)

设置 Identity Center

权限集

IAM 最佳实践

IAM 策略

服务 IAM 角色

IAM 安全工具

成本管理

AWS 预算

Cost Explorer API

成本分配标签

Savings Plans 与预留实例

CloudTrail 与日志记录

组织跟踪

CloudTrail 事件选择器

Config 与合规性

AWS Config 规则

合规性包

Terraform 多账户

账户工厂（Control Tower 模式）

安全最佳实践检查清单

资源

🇺🇸English

AWS Account Management

AWS Organizations

Organization Structure

Create Organization

Service Control Policies (SCPs)

Attach SCP

IAM Identity Center (AWS SSO)

Setup Identity Center

Permission Sets

IAM Best Practices

IAM Policies

IAM Roles for Services

IAM Security Tools

Cost Management

AWS Budgets

Cost Explorer API

Cost Allocation Tags

Savings Plans & Reserved Instances

CloudTrail & Logging

Organization Trail

CloudTrail Event Selectors

Config & Compliance

AWS Config Rules

Conformance Packs

Terraform Multi-Account

Account Factory (Control Tower Pattern)

Security Best Practices Checklist

Resources

最新 Skills