
How To - Configure DLT Support Account for AWS


Create IAM Group 

  1. Create a group within Identity Access & Management (IAM) named DLT-support, then click Next Step
  2. At the Attach Policy screen just select Next Step; we will circle back to this later in the instructions
  3. On the Review screen, click Create Group


Create IAM User Account 

  1. Create an IAM User Account named DLT-support
    **Note** De-select "Generate an access key for each user"

  2. Click Create and the IAM User Account is listed in the User Account section

Add IAM User to DLT-support Group 

  1. Click on the DLT-support IAM User Account and select Add User To Groups
  2. Select the DLT-support Group and click Add To Group in the bottom right corner
  3. The DLT-support user account is now listed as a member of the DLT-support Group


Create Password for IAM User Account 

  1. Select DLT-support User Account
  2. In the bottom right corner, under Security Credentials, locate and click Manage Password
  3. Once in Manage Password, click the radio button Assign Custom Password
  4. Type in the password and confirm it: Solutions123
  5. Select the radio button Require User to Create a New Password at Next Sign-in
  6. Click Apply

Creating and Adding IAM Policy for DLT Support Group 

Our DLT Support Custom Policy is a read-only policy that strictly allows DLT Service Center Support to access the Support panel of your AWS Dashboard. This policy prevents DLT Service Center Support from viewing any other AWS service within your Dashboard.


  1. Within the IAM Dashboard, select Policies. A Policy Wizard will walk you through creating a custom policy and assigning it to a group or individual user.
  2. Click Get Started
  3. Click Create Policy
  4. Click Create Your Own Policy
  5. Under Review Policy enter Policy name: DLT-AWS-Support-Services-Access
  6. Copy and paste the policy below into a text editor, then find and replace all occurrences of the following value

    **NOTE** Ensure the account number contains no dashes or extra spaces
    Find: <AWSAccountNumber>  Replace: your AWS account number
    
    {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowDLTSupportToAccessAWSSupportServices",
            "Effect": "Allow",
            "Action": "support:*",
            "Resource": "*"
        },
        {
            "Sid": "AllowUsersAllActionsForCredentials",
            "Effect": "Allow",
            "Action": ["iam:*LoginProfile",
            "iam:*AccessKey*",
            "iam:*SigningCertificate*",
            "iam:ChangePassword",
            "iam:ListGroupsForUser",
            "iam:GetUserPolicy",
            "iam:ListUserPolicies"],
            "Resource": ["arn:aws:iam::<AWSAccountNumber>:user/${aws:username}"]
        },
        {
            "Sid": "AllowDLTSupportUserToViewDLTGroupPolicy",
            "Effect": "Allow",
            "Action": ["iam:GetGroupPolicy",
            "iam:ListGroupPolicies"],
            "Resource": ["arn:aws:iam::<AWSAccountNumber>:group/DLT-support"]
        },
        {
            "Sid": "AllowUsersToSeeStatsOnIAMConsoleDashboard",
            "Effect": "Allow",
            "Action": ["iam:GetAccount*",
            "iam:ListAccount*",
            "iam:GetAccountPasswordPolicy"],
            "Resource": ["*"]
        },
        {
            "Sid": "AllowUsersToListUsersInConsole",
            "Effect": "Allow",
            "Action": ["iam:ListUsers"],
            "Resource": ["arn:aws:iam::<AWSAccountNumber>:user/*"]
        },
        {
            "Sid": "AllowUsersToCreateDeleteTheirOwnVirtualMFADevices",
            "Effect": "Allow",
            "Action": ["iam:*VirtualMFADevice"],
            "Resource": ["arn:aws:iam::<AWSAccountNumber>:mfa/${aws:username}"]
        },
        {
            "Sid": "AllowUsersToEnableSyncDisableTheirOwnMFADevices",
            "Effect": "Allow",
            "Action": ["iam:DeactivateMFADevice",
            "iam:EnableMFADevice",
            "iam:ListMFADevices",
            "iam:ResyncMFADevice"],
            "Resource": ["arn:aws:iam::<AWSAccountNumber>:user/${aws:username}"]
        },
        {
            "Sid": "AllowUsersToListVirtualMFADevices",
            "Effect": "Allow",
            "Action": ["iam:ListVirtualMFADevices"],
            "Resource": ["arn:aws:iam::<AWSAccountNumber>:mfa/*"]
        }]
    }
    
  7. Once complete, select all and copy.
  8. Paste the policy into the Policy Document field.
  9. Click Validate Policy to confirm the policy is syntactically correct.
  10. Click "Create Policy"
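As an added check (not part of the article or DLT's own instructions), the following Python performs the find-and-replace of step 6 against a constructed two-statement excerpt of the policy above, normalizes the account number as the NOTE requires, and reports how each statement's Resource is scoped before you paste the document into the Policy Wizard:

```python
import json
import re

# Constructed excerpt of the article's policy (two of its statements), kept as
# a template string so the <AWSAccountNumber> placeholder in the ARN account
# field can be filled exactly as the find-and-replace step describes.
POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowDLTSupportToAccessAWSSupportServices",
     "Effect": "Allow", "Action": "support:*", "Resource": "*"},
    {"Sid": "AllowUsersToEnableSyncDisableTheirOwnMFADevices",
     "Effect": "Allow",
     "Action": ["iam:DeactivateMFADevice", "iam:EnableMFADevice",
                "iam:ListMFADevices", "iam:ResyncMFADevice"],
     "Resource": ["arn:aws:iam::<AWSAccountNumber>:user/${aws:username}"]}
  ]
}"""

PLACEHOLDER = "<AWSAccountNumber>"


def fill_account_number(template, account_number):
    """Apply the article's NOTE: strip dashes and spaces from the account
    number, require the 12-digit form AWS uses in ARNs, then replace every
    occurrence of the placeholder."""
    digits = re.sub(r"[-\s]", "", account_number)
    if not re.fullmatch(r"\d{12}", digits):
        raise ValueError("account number must be 12 digits: %r" % account_number)
    return template.replace(PLACEHOLDER, digits)


def audit_policy(policy_json):
    """Parse the filled-in document (proving it is valid JSON) and return
    (placeholder_left, scope_by_sid), where each statement's scope is
    'self' (resource is the caller's own user via ${aws:username}),
    'wildcard' (Resource "*") or 'account' (any other account-bound ARN)."""
    policy = json.loads(policy_json)
    scope_by_sid = {}
    for stmt in policy["Statement"]:
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        if any("${aws:username}" in r for r in resources):
            scope = "self"
        elif all(r == "*" for r in resources):
            scope = "wildcard"
        else:
            scope = "account"
        scope_by_sid[stmt["Sid"]] = scope
    return PLACEHOLDER in policy_json, scope_by_sid
```

Run `audit_policy` on the full policy after filling it in; a `True` first element means a placeholder survived the find-and-replace and the Policy Wizard will reject or mis-scope the ARN.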


Assign DLT Support Custom Policy to DLT-support Group 

  1. Within the IAM Dashboard, select Groups
  2. Locate the DLT-support Group and select "Attach Policy"
  3. In the Search field, enter DLT-AWS-Support-Services-Access to locate the DLT Support Custom Policy
  4. Select the policy and click Attach Policy

    Account Summary will show you that the DLT Support Custom Policy is now attached to the DLT-support Group

  5. Update Case to notify DLT Operations Center this task is complete and validate account access.
