Hub & Spoke IAM Roles for AWS Multi-Account Security at Scale
Deploy centralized IAM roles across your entire AWS Organization using CDK Pipelines — a self-mutating pipeline that automatically deploys to every account. No Control Tower required.
Built entirely in Python CDK. If your team already writes Python, you can manage IAM infrastructure in the same language without investing in Terraform or HCL.
AWS Control Tower deploys AWSControlTowerExecution with AdministratorAccess into every account. That's too broad for security automation that only needs specific permissions for detection, response, and compliance.
FleetAccess deploys constrained roles with explicit permissions, following least-privilege principles while still enabling cross-account automation.
| Role | Deployed To | Purpose |
|---|---|---|
| `hub-001` | Security Account | Central role that assumes into all other accounts. Trusted by Lambda, EC2, CodeBuild. |
| `org-read-only-001` | Organization Account | Read-only access to the Organizations API (List/Describe accounts, OUs). Assumed by `hub-001`. |
| `cloudtrail-lake-read-role` | Organization Account | Read-only access to CloudTrail Lake (query events). Assumed by `hub-001`. |
| `spoke-001` | Every member account | Security automation role with scoped permissions. Assumed by `hub-001`. |
All roles are created under the `/security/` IAM path, and their policies carry an `aws:SecureTransport` condition so the roles can only be assumed and used over TLS.
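As an added illustration (not code from fleet-access), here are the policy documents such a hub-and-spoke pair would carry, together with a small check over them. The trust policy lets only `hub-001` in the Security account assume `spoke-001`, both statements carry the `aws:SecureTransport` condition, and the hub's assume permission is scoped by the `/security/` path and role name rather than by a list of account IDs. The sample account ID, the Allow-with-condition layout (rather than an explicit Deny) and the lint rules are assumptions for the example; the project's actual policy wording may differ.

```python
"""Added example (not part of fleet-access): the policy documents a /security/ hub-and-spoke
role pair needs, plus a linter for the invariants the README states. The account ID, the
statement layout and the lint rules are assumptions for illustration."""
import json

HUB_ACCOUNT = "123456789012"   # constructed sample ID for the Security account
PATH = "/security/"
HUB_ROLE = "hub-001"
SPOKE_ROLE = "spoke-001"


def spoke_trust_policy(hub_account: str) -> dict:
    """Trust policy for spoke-001: only hub-001 in the Security account may assume it,
    and only over TLS (aws:SecureTransport must evaluate to true)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{hub_account}:role{PATH}{HUB_ROLE}"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:SecureTransport": "true"}},
        }],
    }


def hub_assume_policy() -> dict:
    """Permission policy attached to hub-001: assume spoke-001 in any account, but only a
    role under /security/ (the wildcard is on the account ID, not the role name)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": f"arn:aws:iam::*:role{PATH}{SPOKE_ROLE}",
            "Condition": {"Bool": {"aws:SecureTransport": "true"}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(doc: dict) -> list:
    """Return the invariant violations in a policy document (empty list means clean):
    every Allow statement must be conditioned on aws:SecureTransport, must not grant
    Action "*", and every role ARN it names must sit under /security/."""
    problems = []
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:SecureTransport", "")).lower() != "true":
            problems.append(f"statement {i}: missing aws:SecureTransport=true condition")
        if "*" in _as_list(stmt.get("Action", [])):
            problems.append(f"statement {i}: grants Action '*'")
        arns = []
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            arns += _as_list(principal.get("AWS", []))
        arns += _as_list(stmt.get("Resource", []))
        for arn in arns:
            if ":role/" in arn and f":role{PATH}" not in arn:
                problems.append(f"statement {i}: role ARN outside {PATH}: {arn}")
    return problems


# Constructed "before" for contrast: an execution role trusted by the whole management
# account with no transport condition, the shape the README argues against.
BROAD_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::987654321098:root"},
        "Action": "sts:AssumeRole",
    }],
}

if __name__ == "__main__":
    print(json.dumps(spoke_trust_policy(HUB_ACCOUNT), indent=2))
    print("spoke trust:", lint_policy(spoke_trust_policy(HUB_ACCOUNT)) or "clean")
    print("hub assume: ", lint_policy(hub_assume_policy()) or "clean")
    print("broad trust:", lint_policy(BROAD_TRUST))
```

The lint function is the kind of check worth running over `cdk synth` output in the pipeline before the deploy stages, so a policy edit that drops the condition or widens the path fails the build instead of reaching every account.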
- The CDK Pipeline is deployed to the Organization account
- The pipeline creates a CodeCommit repo and a self-mutating CodePipeline
- Stage 1: Deploys `hub-001` to the Security account, and `org-read-only-001` and `cloudtrail-lake-read-role` to the Organization account
- Stage 2: Calls `organizations:ListAccounts` and deploys `spoke-001` to every member account in parallel
- Push a change to CodeCommit — the pipeline self-mutates and re-deploys everywhere
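The Stage 2 fan-out, as an added example that is not the project's code: walk the `ListAccounts` pages, keep only accounts whose status is ACTIVE (a deploy into a suspended account would fail the stage), leave out the management account (an assumption here; it receives the org-read-only and CloudTrail Lake roles rather than a spoke) and deploy in parallel while recording every account's outcome instead of stopping at the first error. The Organizations client, the deploy step and the account IDs are constructed stand-ins so the block runs offline; in the pipeline the deploy step is the CDK deployment of the spoke stack into that account.

```python
"""Added example (not from fleet-access): the Stage 2 fan-out against an injected
Organizations client so it runs offline. Pagination via NextToken and the ACTIVE status
filter follow the real ListAccounts API; the fake client, account IDs and the deploy
callable are constructed for illustration."""
from concurrent.futures import ThreadPoolExecutor, as_completed


def list_member_accounts(org_client, exclude=frozenset()) -> list:
    """Walk every ListAccounts page and return the sorted IDs of ACTIVE accounts that should
    receive spoke-001. Suspended or closed accounts are skipped, as are IDs in `exclude`
    (assumed: the management account, which gets the org-level read roles instead)."""
    ids, kwargs = [], {}
    while True:
        page = org_client.list_accounts(**kwargs)
        for acct in page["Accounts"]:
            if acct["Status"] == "ACTIVE" and acct["Id"] not in exclude:
                ids.append(acct["Id"])
        token = page.get("NextToken")
        if not token:
            return sorted(ids)
        kwargs = {"NextToken": token}


def deploy_spokes(account_ids, deploy_one, max_workers=8) -> dict:
    """Deploy to every account concurrently and collect a per-account outcome rather than
    aborting on the first exception, so one broken account does not hide the others.
    `deploy_one(account_id)` does the actual work and is injected by the caller."""
    results = {}
    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        futures = {pool.submit(deploy_one, aid): aid for aid in account_ids}
        for fut in as_completed(futures):
            aid = futures[fut]
            try:
                fut.result()
                results[aid] = "ok"
            except Exception as exc:  # record and keep going
                results[aid] = f"failed: {exc}"
    return results


class FakeOrganizations:
    """Constructed stand-in for the boto3 Organizations client: two pages keyed by the
    NextToken the caller passes back, with one suspended account on the first page."""
    PAGES = {
        None: {"Accounts": [
            {"Id": "987654321098", "Status": "ACTIVE"},     # management account
            {"Id": "123456789012", "Status": "ACTIVE"},     # security / hub account
            {"Id": "111111111111", "Status": "SUSPENDED"},
        ], "NextToken": "page-2"},
        "page-2": {"Accounts": [
            {"Id": "222222222222", "Status": "ACTIVE"},
            {"Id": "333333333333", "Status": "ACTIVE"},
        ]},
    }

    def list_accounts(self, **kwargs):
        return self.PAGES[kwargs.get("NextToken")]


def fake_deploy(account_id):
    """Constructed deploy step: the account ending in 3 has no CDK bootstrap and fails."""
    if account_id.endswith("3"):
        raise RuntimeError("cdk bootstrap missing")


def run_stage_2(org_client=None, management_account="987654321098") -> dict:
    """Stage 2 end to end with the fakes: enumerate members, fan out, return outcomes."""
    client = org_client or FakeOrganizations()
    targets = list_member_accounts(client, exclude={management_account})
    return deploy_spokes(targets, fake_deploy)


if __name__ == "__main__":
    for aid, status in sorted(run_stage_2().items()):
        print(aid, status)
```

Collecting outcomes per account matters at scale: when one account is missing its bootstrap the stage still reports which accounts converged, and the failing account can be fixed and the pipeline re-run without re-examining the rest.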
- CDK bootstrapped in all accounts — see CDK Bootstrap at Scale
- The CDK bootstrap in every account must trust the Organization and Security accounts (the `--trust` option of `cdk bootstrap`), otherwise the pipeline cannot assume the deploy roles there
```bash
npm install -g aws-cdk
git clone https://github.com/raajheshkannaa/fleet-access
cd fleet-access
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
```

Edit `stacks/config.py` with your account IDs:

```python
HUB_ACCOUNT = '123456789012'  # Security/Automation account
ORG_ACCOUNT = '987654321098'  # Organization management account
```

Or set them as environment variables: `HUB_ACCOUNT`, `ORG_ACCOUNT`.

```bash
# Verify stacks
cdk ls

# Deploy with Organization account credentials
export AWS_PROFILE=aws-org-profile
cdk deploy
```

The first `cdk deploy` creates the pipeline; its first run fails because nothing has been pushed to the CodeCommit repo yet. Push your code to the repo CDK created and the pipeline takes over.
FleetAccess is the foundation for all cross-account security tooling:
- aws-cloudtrail-lake-detections — Detection engineering across CloudTrail Lake
- green-stone — Security group change detection & ChatOps revert
- CDK IAM Floyd — for fine-grained IAM permission building
- CodePipeline Slack Approval — approve IAM role changes from Slack
MIT
