The

...

To provide users with AWS permissions:

  • As part of deploying the platform, single sign-on should be configured for your user directory.

  • Create a group in your user directory, such as a Google group or an Active Directory security group.

  • Create permission sets in the Identity account to describe what users should be able to do in an account.

  • Assign permission sets to your group for each account that group should be able to access.

Once these steps are complete, users can use single sign-on to access your landing zone and sign into individual AWS accounts using the permission sets assigned to them.

Accessing AWS

Your organization will have a landing zone URL configured in IAM Identity Center, such as https://example.awsapps.com/start/.

...

Managing Groups

You can synchronize groups in IAM Identity Center with your user directory, such as Google or Active Directory. Add users to groups based on which permissions they should have in AWS.

...

Managing Permissions For Groups

We recommend that you manage your permission sets and group assignments using Terraform. You can use the terraform-aws-iam-permission-sets Terraform module to provision and assign permission sets in the Identity account.

Create a new module in the infrastructure repository called permissions:

module "permission_sets" {
  source = "github.com/thoughtbot/terraform-aws-iam-permission-sets?ref=v0.2.0"

  # Define your permission sets. You can attach AWS managed policies or create a
  # custom, inline policy.
  permission_sets = [
    {
      name        = "DeveloperAccess"
      description = "Read and write access to non-administrative resources"

      managed_policies = [
        "arn:aws:iam::aws:policy/PowerUserAccess",
      ]
    },
    {
      name             = "InfrastructureAdmin"
      description      = "Full administrative access for Terraform"
      session_duration = "PT1H"

      managed_policies = [
        "arn:aws:iam::aws:policy/AdministratorAccess",
      ]
    },
    {
      name        = "ReadOnlyAccess"
      description = "Read access to all resources"

      managed_policies = [
        "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess",
      ]
    },
    {
      name             = "SecretsAccess"
      description      = "Ability to read and write application secrets"
      session_duration = "PT1H"

      managed_policies = [
        "arn:aws:iam::aws:policy/SecretsManagerReadWrite",
      ]
    }
  ]

  # For each group, assign permission sets to accounts that group should access.
  group_assignments = {
    aws-admins = {
      Backup     = ["InfrastructureAdmin", "ReadOnlyAccess"]
      Identity   = ["InfrastructureAdmin", "ReadOnlyAccess", "SecretsAccess"]
      Network    = ["InfrastructureAdmin", "ReadOnlyAccess"]
      Operations = ["InfrastructureAdmin", "ReadOnlyAccess", "SecretsAccess"]
      Production = ["InfrastructureAdmin", "ReadOnlyAccess"]
      Sandbox    = ["InfrastructureAdmin", "ReadOnlyAccess", "SecretsAccess"]
    }

    aws-sandbox-developers = {
      Sandbox = ["DeveloperAccess", "ReadOnlyAccess"]
    }

    aws-production-developers = {
      Production = ["DeveloperAccess", "ReadOnlyAccess"]
    }
  }

  default_session_duration = "PT8H"

  # You must map each account name to its account ID, as the Identity account
  # does not have permission to list the accounts in the organization.
  account_ids = {
    Backup     = "000000000000"
    Identity   = "000000000000"
    Network    = "000000000000"
    Operations = "000000000000"
    Production = "000000000000"
    Sandbox    = "000000000000"
  }
}
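Because the Identity account cannot list the organization's accounts, a typo in an account name or a permission set name is only caught at apply time. The following added Python lint (example code, not part of this guide or the Terraform module) mirrors the three module inputs above as plain dictionaries and checks that every assignment refers to a defined permission set and a mapped account ID; it also flags any set that attaches AdministratorAccess without a short session duration. The one-hour cap and the sample values are assumptions for the example.

```python
import re

# Constructed inputs mirroring the module arguments above (example values only).
PERMISSION_SETS = [
    {"name": "DeveloperAccess",
     "managed_policies": ["arn:aws:iam::aws:policy/PowerUserAccess"]},
    {"name": "InfrastructureAdmin", "session_duration": "PT1H",
     "managed_policies": ["arn:aws:iam::aws:policy/AdministratorAccess"]},
    {"name": "ReadOnlyAccess",
     "managed_policies": ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]},
]
GROUP_ASSIGNMENTS = {
    "aws-admins": {"Production": ["InfrastructureAdmin", "ReadOnlyAccess"]},
    "aws-production-developers": {"Production": ["DeveloperAccess", "ReadOnlyAccess"]},
}
ACCOUNT_IDS = {"Production": "000000000000"}  # placeholder account ID
DEFAULT_SESSION_DURATION = "PT8H"

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
MAX_ADMIN_SESSION_SECONDS = 3600  # policy choice assumed for this example


def parse_duration(value):
    """Convert an ISO 8601 duration such as PT1H or PT8H30M to seconds."""
    match = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?", value)
    if not match or not any(match.groups()):
        raise ValueError(f"unsupported session_duration: {value}")
    hours, minutes = (int(g) if g else 0 for g in match.groups())
    return hours * 3600 + minutes * 60


def lint(permission_sets, group_assignments, account_ids, default_session_duration):
    """Return a list of findings; an empty list means the configuration is consistent."""
    findings = []
    sets = {ps["name"]: ps for ps in permission_sets}
    for group, accounts in group_assignments.items():
        for account, names in accounts.items():
            if account not in account_ids:
                findings.append(f"{group}: account {account} has no entry in account_ids")
            for name in names:
                if name not in sets:
                    findings.append(f"{group}/{account}: unknown permission set {name}")
    # Administrative sets inherit the (long) default duration unless overridden.
    for name, ps in sets.items():
        if ADMIN_POLICY in ps.get("managed_policies", []):
            seconds = parse_duration(ps.get("session_duration", default_session_duration))
            if seconds > MAX_ADMIN_SESSION_SECONDS:
                findings.append(f"{name}: AdministratorAccess with {seconds}s session")
    return findings
```

Run `lint(...)` in CI over the same values you pass to the module; a non-empty result should fail the pipeline before `terraform apply`.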

...
