56 lines
2.1 KiB
Markdown
56 lines
2.1 KiB
Markdown
---
|
||
title: "Shared Account"
|
||
type: entity
|
||
entity_type: concept
|
||
tags:
|
||
- AWS
|
||
- Multi-Account
|
||
- Landing-Zone
|
||
- Architecture
|
||
sources:
|
||
- ctp-topic-16-cross-account-terraform-modules.md
|
||
last_updated: 2026-05-15
|
||
---
|
||
|
||
## Overview
|
||
|
||
Shared Account(共享账号)是 AWS Landing Zone 架构中的核心管理账号,托管 Jenkins CI/CD 平台、镜像仓库等公共服务,并作为跨账号部署的信任源(Trust Source)。在整个落地分区中,它是唯一被允许通过 Assume Role 访问 Workload 账号的账户。
|
||
|
||
## Role in Landing Zone
|
||
|
||
在 AWS Landing Zone 多账号架构中,Shared Account(也称 Shared Services Account)承担以下职责:
|
||
|
||
| 职责 | 说明 |
|
||
|------|------|
|
||
| CI/CD 托管 | 托管 Jenkins、构建代理等持续交付基础设施 |
|
||
| 镜像仓库 | 存储 Docker AMI、ECS 容器镜像等 |
|
||
| 跨账号部署 | 作为唯一信任源,通过 Assume Role 访问目标 Workload 账号 |
|
||
| 公共服务供给 | 提供 DNS(InfoBlocks 账号)、NTP 等跨账号共享服务 |
|
||
|
||
## Security Model
|
||
|
||
- **Blast Radius 控制**:Workload 账号之间无直接信任关系,权限集中于 Shared Account
|
||
- **最小权限原则**:EDR 仅持有执行部署所需的最小 IAM 权限(两个专用角色)
|
||
- **审计可追溯**:Shared Account 的所有操作集中记录,便于安全审计
|
||
|
||
## Relationship with ECS Deploy Runner
|
||
|
||
[[ECS-Deploy-Runner]] 运行在 Shared Account 的 ECS 集群中,当 Jenkins 触发部署时,EDR 以 Shared Account 身份通过 Assume Role 访问目标账号:
|
||
|
||
```
|
||
Shared Account (EDR) → Assume Role → TF State Bucket Accessor (目标账号)
|
||
Shared Account (EDR) → Assume Role → Cross-account ECS Deploy Runner Role (目标账号)
|
||
```
|
||
|
||
## Related Entities
|
||
|
||
- [[AWS-Landing-Zone]]:Shared Account 是 Landing Zone 架构的核心组件
|
||
- [[ECS-Deploy-Runner]]:运行在 Shared Account 中
|
||
- [[Fibos]]:Shared Account 部署方案的设计者
|
||
|
||
## Related Concepts
|
||
|
||
- [[Blast-Radius]]:Shared Account 的核心安全价值
|
||
- [[Assume-Role]]:跨账号身份切换机制
|
||
- [[Cross-account-Terraform-Modules]]:Shared Account 支撑的核心功能
|