This is meant to be a quick recap of some recommended custom AWS Groups and the included Managed Policies.

A Network Admin Group

A Security Auditor Group

Development - Developers Group

A Break Glass IAM Admin Group

Some characteristics of the policies that go into the Break Glass group:

  • The break glass policy is essentially a full Admin access policy, with the key distinction that it is not console based (programmatic admin access only).
  • IAM access keys are generated through a break glass workflow.
  • The break glass workflow requires additional authorization, which can be manual or automated (SNS and Lambda driven).
  • IAM break glass keys are short lived (they expire after 60 minutes or some other preset time).

KMS Specific IAM Group

  • The easiest option is to use the PowerUserAccess managed policy.
  • However, a more customized policy can be built per CMK. KMS key policies work differently from IAM policies: the policy is attached to the CMK (not to an IAM identity). Each CMK gets exactly ONE key policy, and that policy lists all the users and groups allowed to access the CMK.
  • So it is only possible to create such policies on individual CMKs (the AWS documentation has a good page with sample KMS key policies).
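To make the per-CMK approach concrete, here is an added example (not code from the original post) that assembles the key policy for one CMK from explicitly named principals, splitting key administrators from key users the way AWS's default key policy does. The account id and principal ARNs are constructed for illustration; the example rejects IAM group ARNs because a key policy is a resource-based policy and cannot name a group as a principal (a group's members get access either by being listed individually as users/roles or through the optional IAM-delegation statement combined with an IAM policy attached to the group).

```python
import re

# Added example, not code from the original post: build the key policy for ONE
# CMK. Assumption: "admins" manage the key and "users" only encrypt/decrypt
# with it, which is the split used by AWS's default key policy statements.
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(user|role|group)/.+$")

KEY_ADMIN_ACTIONS = [
    "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
    "kms:TagResource", "kms:UntagResource",
    "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
]
KEY_USER_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
    "kms:GenerateDataKey*", "kms:DescribeKey",
]


def check_principals(arns, account_id):
    """Accept only user/role ARNs from this account. A key policy is a
    resource-based policy, so an IAM group is not a valid principal."""
    if not arns:
        raise ValueError("at least one principal is required per statement")
    for arn in arns:
        m = ARN_RE.match(arn)
        if not m or m.group(1) != account_id:
            raise ValueError(f"not an IAM principal in account {account_id}: {arn}")
        if m.group(2) == "group":
            raise ValueError(f"IAM groups cannot be key policy principals: {arn}")
    return list(arns)


def build_key_policy(account_id, admin_arns, user_arns, delegate_to_iam=False):
    """Return the key policy document (a dict) for a single CMK."""
    statements = []
    if delegate_to_iam:
        # Standard "root" statement: lets identity-based IAM policies in the
        # account grant access to this key. Leave it out to keep every grant
        # inside the key policy itself (KMS's lockout safety check still
        # rejects a policy that would lock the caller out of the key).
        statements.append({"Sid": "Enable IAM User Permissions", "Effect": "Allow",
                           "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                           "Action": "kms:*", "Resource": "*"})
    statements.append({"Sid": "Allow administration of the key", "Effect": "Allow",
                       "Principal": {"AWS": check_principals(admin_arns, account_id)},
                       "Action": KEY_ADMIN_ACTIONS, "Resource": "*"})
    statements.append({"Sid": "Allow use of the key", "Effect": "Allow",
                       "Principal": {"AWS": check_principals(user_arns, account_id)},
                       "Action": KEY_USER_ACTIONS, "Resource": "*"})
    return {"Version": "2012-10-17", "Id": "per-cmk-policy", "Statement": statements}
```

The returned dict can be serialized with `json.dumps` and passed to `kms:PutKeyPolicy` (or supplied at key creation) for that one CMK.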

Short Term Access Group

These consist of roles (short term access) that provide access to common AWS resources.

This is particularly useful for short term access to, for instance, an S3 bucket (for on-premises data backup to S3). You would define the role within AWS IAM and then configure it on the client (in the example below, CommVault is the on-premises client backing up to S3):

  • Host URL: outpost_ID.s3-outposts.region.amazonaws.com
    For example, oper-aagadfad.s3-outposts.us-east-1.amazonaws.com.
  • Access key: Assume_Role_ARN|-|Account_Access_Key
    For example, arn:aws:iam::434528017653:role/outpost-shared-commvault|-|BKAAZJHDCPFRNITGW34L.
  • Secret key: The secret key of the account.
    For example, xxccxvcvcvcvcvcc.

Read Only Access to the Console

Open the AWS Console and type IAM in the search box.

Then, at the IAM dashboard (left side of the screen), select the Users section and then click on the Add User button.

Here, enter a user name and enable the Programmatic Access checkbox (if the user runs a tool that needs to access AWS services through API calls) and the AWS Management Console access checkbox (if the user needs to access the console). Click the Next: Permissions button.

Under Attach existing policies directly, type ReadOnlyAccess in the filter box.

Scroll down to the “ReadOnlyAccess” policy and enable the checkbox beside it.

Summary

This is meant to be a quick recap of some recommended custom AWS Groups and Policies.



Need an experienced AWS/GCP/Azure Professional to help out with your Public Cloud Strategy? Set up a time with Anuj Varma.