I have a multi-OU AWS setup with a number of member accounts, a management account and a root account. My goal here is to have a central repository of users and not create accounts across all of the member accounts.
I understand that I need to have a trust relationship between the two member accounts for cross-account access. But according to best practice, where is the best place to create the actual IAM groups and accounts? Should the users be created in the management account in this setup?
Any help is appreciated.
I would say yes, if you can avoid having load in the master account you should use a management account. But it could be an idea to create a new IAM account.
Another solution that I like to use is AWS SSO.
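The "new IAM account" suggestion in the answer above is the hub-and-spoke pattern: users and groups live in one dedicated identity account, every member account exposes a role that trusts that account, and a group in the identity account is granted only `sts:AssumeRole` on those roles. The following is an added example, not code from the question or the answer; it builds the two policy documents for that pattern and audits a member-account trust policy for the mistakes that usually undo it (a wildcard principal, a principal from the wrong account, no MFA condition). The account IDs `111111111111`, `222222222222`, `333333333333` and the role name `OrgAdminRole` are constructed placeholders.

```python
"""Hub-and-spoke cross-account IAM: build the member-account trust policy and
the identity-account assume-role policy, and audit a trust policy.
All account IDs and the role name below are constructed placeholders."""
import json

IDENTITY_ACCOUNT = "111111111111"                     # constructed: where users/groups live
MEMBER_ACCOUNTS = ["222222222222", "333333333333"]    # constructed member accounts
ROLE_NAME = "OrgAdminRole"                            # constructed role name in each member


def build_trust_policy(identity_account: str, require_mfa: bool = True) -> dict:
    """Trust policy for the role in a member account. Trusting the identity
    account's root principal delegates the decision of *which* users may
    assume the role to that account's IAM policies; the MFA condition makes
    STS refuse the call unless the caller authenticated with MFA."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{identity_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def build_assume_role_policy(member_accounts, role_name: str) -> dict:
    """Identity policy for a group in the identity account. It grants nothing
    but sts:AssumeRole on the named role in each member account, so group
    membership is the single place access is managed."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [f"arn:aws:iam::{acct}:role/{role_name}"
                         for acct in member_accounts],
        }],
    }


def _as_list(value):
    """IAM allows a bare string wherever a list of strings is accepted."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(principal) -> list:
    """Extract the AWS principals of a statement; '*' means anyone."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return []


def audit_trust_policy(policy: dict, expected_identity_account: str) -> list:
    """Return human-readable findings for a member-account trust policy.
    An empty list means every AssumeRole statement is scoped to the expected
    identity account and requires MFA."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        for p in _aws_principals(stmt.get("Principal")):
            if p == "*":
                findings.append("wildcard principal: any AWS account could assume this role")
            elif p != expected_identity_account and f":{expected_identity_account}:" not in p:
                findings.append(f"principal from unexpected account: {p}")
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            findings.append("no MFA condition on AssumeRole")
    return findings


if __name__ == "__main__":
    print(json.dumps(build_trust_policy(IDENTITY_ACCOUNT), indent=2))
    print(json.dumps(build_assume_role_policy(MEMBER_ACCOUNTS, ROLE_NAME), indent=2))
    print(audit_trust_policy(build_trust_policy(IDENTITY_ACCOUNT), IDENTITY_ACCOUNT))
```

The audit is deliberately narrow: it only looks at the trust side in the member account. Because the trust policy names the identity account's root, whoever in that account holds `sts:AssumeRole` on the role ARN can use it, so the assume-role policy above should be attached to a group rather than handed to individual users, and the trust policy should be re-audited whenever it is edited.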