About This Architecture
Enterprise resource management in AWS using federated identity with Microsoft Entra ID, AWS IAM Identity Center, and role-based access control across multiple AWS accounts. The architecture implements least-privilege access through Permission Sets mapped to Entra ID groups, eliminating direct IAM user accounts and enforcing SSO-only authentication with MFA and conditional access policies. AWS Organizations centralizes governance via Service Control Policies, while a dedicated Security/Log Archive Account aggregates CloudTrail, AWS Config, GuardDuels, and Security Hub for compliance and auditing. Workload accounts isolate production and development resources—S3 buckets for 3D projects and renders, FSx for Lustre for high-performance compute, and EC2 instances for rendering—with role-specific access matrices defining read, write, and management permissions for 3D Artists, Developers, Network Administrators, Security Auditors, FinOps Analysts, and Cloud Administrators. This design demonstrates enterprise-grade identity federation, centralized policy enforcement, and audit-ready resource isolation for regulated industries. Fork this diagram on Diagrams.so to customize Permission Sets, add additional workload accounts, or adapt the access matrix for your organization's roles and compliance requirements.