AWS Access Architecture

Summary

• This document contains the AWS Access Management design and bestpractices summary.

• All IAM-User accounts must have no access to alll AWS Services.

• For an IAM-User to gain access. It must be a member of group that can assume the desired Role.

How To SETUP

User

• AWS IAM User

• ReadOnly

• Ensure MFA is enabled

Group

• Create a group and name it AssumeAdmin.

• Add the admin users to the group.

Role

• Create a role

  • Name: Admin

  • Type: Another AWS Account.

  • For DevOps PH its 488756103694 and check the Require MFA.

Policy

• Create a policy that is capable of assuming a role.

  • Name: AssumeAdminPolicy

  • JSON Value

"Action": ["sts:AssumeRole","iam:PassRole" ],

"Resource": [

"arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>",

"arn:aws:iam::168393062562:role/Admin”,

"arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>"]

• Attach this policy to the AssumeAdmin group

Assume role from the same or other AWS accounts

• If you have AWS multiple accounts, you don't need to register each user in each account.

• A user can use the same account and assume a role from the same or another account.

• Usually the accounts are created in DevOps AWS account.