Restricting Admin Access to Sensitive Accounts
The Cloud Posse Reference Architecture provides standard workflows (described elsewhere) for managing resources in a multi-account AWS organization via Terraform. Those workflows cannot apply to certain very sensitive operations due to technical limitations, and by design should require some kind of elevated privilege to perform in sensitive accounts. This document describes options for how to restrict access and perform those operations. In particular, it describes the differing options and configurations available with different versions of the Cloud Posse Reference Architecture.
What Are the "Sensitive" Accounts?
In the Cloud Posse Reference Architecture, some accounts are considered
sensitive and organizations should consider tightly controlling access to them,
even more so than "production" accounts. This document will focus on the most
sensitive accounts, root
and identity
, but the same principles can be
applied to any account, and organizations should consider treating the audit
and security
accounts as sensitive as well.
- The
root
account is the first account created and is what AWS terms the "Organization Management Account". It is the only account that can create other accounts, and as such, any privileged user in this account can assume theOrganizationAccountAccessRole
in any other account, and therefore has full administrative access to all accounts in the organization. - The
identity
account is the account where IAM roles are defined and where users initially log in. This is separated from theroot
account for many reasons, chief among them being that privileged users in this account cannot automatically assume theOrganizationAccountAccessRole
in other accounts. Other than IAM Roles, very minimal resources are created in this account.
What Are the Basic Access Controls in Place?
The standard Cloud Posse Reference Architecture configuration creates IAM
roles Cloud Posse identifies as "teams" in the identity
account. These
roles are assumed by users when they log in via Federated SSO using SAML.
Starting with Components version 1.238.0
Users can also create corresponding AWS SSO (now called AWS IAM Identity Center)
Permission Sets that can be assumed by users by logging in via AWS SSO.
The "teams" correspond to traditional access control "groups" (although they are implemented as IAM Roles for technical reasons), and are usually configured to provide access to most if not all of the accounts in the organization via what Cloud Posse calls "team roles". The "team roles" are a consistent set of IAM Roles in each account: they have the same permissions in every account and by default allow the same teams to access them in every account.
What is SuperAdmin?
The SuperAdmin
user is a special IAM User in the root
account that has
full AdministratorAccess permissions in root
, and can assume the OrganizationAccountAccessRole
in any other account,
giving it full AdministratorAccess to all accounts. It is intended
to be used in situations where it is not possible to use teams or team roles
(such as initially creating the teams). It should not be used for day-to-day work, and
should be tightly controlled.
Who Should Have Access to the Sensitive Accounts and How?
Some organizations choose to use the SuperAdmin
user as the only
way to make changes in the sensitive accounts, while others choose to
enable certain teams to also make changes to the sensitive accounts.
Considerations include the practicality of controlling access to the
SuperAdmin
user and any privileged team, and the ability to audit
changes made by the SuperAdmin
or privileged teams, especially
tracking who the human user is that is using the SuperAdmin
credentials
or assuming the team roles.
This document does not attempt to provide or recommend a single solution, but rather to describe the options available and how to implement them.
Generic Details
In the sections below, we will get into details specific to differing versions of the Cloud Posse Reference Architecture. In this section, we will describe the basic concepts and terminology that apply to all versions.
SuperAdmin
The SuperAdmin
user is a special IAM User in the root
account that has
full AdministratorAccess permissions in root
, and can assume the
OrganizationAccountAccessRole
in any other account, giving it full
AdministratorAccess to all accounts. The SuperAdmin
user does not have
a password and cannot log into the AWS Web console, but it does have
MFA enabled. It is created and managed manually by the root user in the root
account and is only used via its Access Key. Its access key can be disabled
or deleted as desired to prevent its use.
For technical reasons, only SuperAdmin
can deploy the following components:
tfstate-backend
to create the S3 bucket and DynamoDB table for Terraform state storage and IAM roles that can be assumed to access the stateaccount
to create new accounts in the organizationaccount-map
to collect and publish critical information about the accounts, used by other components.
Although in some instances a team role can be used to update the following components,
there is a risk that during the update process, the team or team role will
have its permissions removed (before different permissions are later added),
causing the update to fail and leaving everyone locked out of the accounts.
So it is recommended that SuperAdmin
be the only user to update these
components:
aws-sso
aws-saml
aws-teams
aws-team-roles
The "ops" and "empowered" teams
The team and team role names have changed over time, and are fully configurable and customizable anyway, so it is impossible to consistently refer to them by their actual names. In this document we will use the names "ops" and "empowered" to refer to the teams in a generic way, with the understanding that the actual names will be different in different installations.
- The teams and team roles are implemented as IAM Roles.
- The teams' IAM Roles have limited permissions. They are not intended to be used directly, but rather to provide access to the team roles.
- When using Terraform, in most cases Terraform automatically assumes a
team role in the account where changes are being made. A user's ability to
make changes in an account is determined by whether the team they are logged
into in the
identity
account can assume the required team role in the account where the changes are being made.
The "ops" team can assume the Terraform role in all accounts except for
identity
and root
(and possibly other sensitive accounts). This allows that
team to administer all other accounts via Terraform and is suitable for
day-to-day work.
The "empowered" team can assume the Terraform role in all accounts, including
identity
and root
. This allows that team to administer all accounts via
Terraform. This team is intended to be used only for special circumstances.
To manage the identity
and root
accounts, the most common options are:
- Do not create an "empowered" team and only use the
SuperAdmin
user to make changes in sensitive accounts - Create a separate "empowered" team and limit access to it
- Empower the "ops" team, so that there is only one team to manage all accounts
TODO:
Weedy Technical Details of Terraform Configuration
- Access role in target account
- Access read/write role in root account to access TF state backend
- Access read-only role in root account to access TF state backend
providers.tf
andaccount-map
selection ofrole_arn
backend
andremote-state
configuration ofrole_arn
- The
privileged
input variable
Configuration Variations
- Name of "ops" team
- Name of "empowered" team
- Name of Access role in target account
- Name and ownership of Access read/write role in root account to access TF state backend
- Name and ownership of Access read-only role in root account to access TF state backend
Probably Not Needed
Among the "team roles" are the admin
and terraform
roles, which have
full AdministratorAccess permissions. Access to these roles in the root
and identity
accounts should be tightly controlled. Unfortunately,
because of the way the Cloud Posse Reference Architecture evolved,
there is no single set of instructions or configuration changes to
accomplish this. Furthermore, organizations have different priorities
for ease of use versus security, so there are multiple options
to consider regardless of the base configuration.