In the last chapter we introduced IAM and many of its complexities. As you can imagine, if you have a large organization, it can be difficult to manage all of the users, roles, policies and other IAM resources needed to enable your infrastructure. In this chapter we’re going to look at two ways to ease the burden of managing all the identities and access controls within your organization.
The first method is splitting access across multiple AWS accounts. These accounts provide a logical separation between sets of users and resources that can simplify access controls. Some complexity is introduced if you need access to two different accounts, and we’ll look at how this works later in this chapter. The other method is integrating with an existing access management system. If you already use Active Directory or another identity management system within your organization, the last section in this chapter outlines how to integrate that system with IAM, so you don’t have to manage identities in two places.