DLT Secure Handling of AWS Accounts and Organizations

This article outlines the processes and mechanisms that ensure a baseline security posture across DLT’s ecosystem of AWS accounts and organizations.

Root Credentials Management (Master and Linked Account Levels)

DLT's contractual obligations in our partnership with AWS require us to maintain "root" credentials at the Master Payer account level. Customers and partners receive admin-level access to their linked accounts as those accounts are requested and created.

For the Master Payer accounts, DLT follows three (3) principles for managing the root user in alignment with AWS best practices:

  1. Enable multi-factor authentication (MFA) on root user credentials
  2. Remove root user access keys
  3. Secure root user’s password

Root access is not to be used after account creation, with the exception of AWS tasks that require AWS account root user credentials. Such tasks would normally only be requested by customers who have shared access in the Master Payer account.
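The following audit script is an added example, not DLT's own tooling: it reads the IAM credential report (the CSV body returned by GetCredentialReport, in which IAM labels the root row "<root_account>") and reports deviations from the first two principles above plus any root console sign-in, which the article says should not happen after account creation. The third principle (password hygiene) is not observable through that API. The sample report embedded below is constructed; boto3 is assumed to be installed and configured only for the live fetch.

```python
"""Audit the root user against the root-credential rules using the IAM
credential report. Added example; not DLT's own tooling."""
import csv
import io
import time
from typing import List

ROOT_USER = "<root_account>"  # how IAM labels the root row in the report


def root_findings(report_csv: str) -> List[str]:
    """Return deviations for the root user from a credential report CSV
    (the body of IAM GetCredentialReport, decoded as text)."""
    rows = list(csv.DictReader(io.StringIO(report_csv)))
    root = next((r for r in rows if r["user"] == ROOT_USER), None)
    if root is None:
        return ["root row missing from credential report"]
    findings = []
    # Principle 1: MFA must be enabled on the root user.
    if root["mfa_active"] != "true":
        findings.append("root MFA not enabled")
    # Principle 2: the root user must have no active access keys.
    for key in ("access_key_1_active", "access_key_2_active"):
        if root[key] == "true":
            findings.append(f"root {key.replace('_active', '')} is active")
    # Root is not to be used after account creation: surface any sign-in.
    last = root.get("password_last_used", "")
    if last not in ("", "no_information", "N/A"):
        findings.append(f"root console sign-in recorded at {last}")
    return findings


# Constructed sample (subset of the report's columns), not real data.
SAMPLE_REPORT = """user,arn,mfa_active,access_key_1_active,access_key_2_active,password_last_used
<root_account>,arn:aws:iam::111111111111:root,false,true,false,2023-05-01T10:00:00+00:00
dlt-support,arn:aws:iam::111111111111:user/dlt-support,true,false,false,no_information
"""


def fetch_report() -> str:
    """Pull the live report with boto3 (assumed installed and configured).
    Report generation is asynchronous, so poll until it is COMPLETE."""
    import boto3
    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode("utf-8")


if __name__ == "__main__":
    for finding in root_findings(SAMPLE_REPORT):
        print(finding)
```

Run it against `fetch_report()` instead of `SAMPLE_REPORT` to audit a real payer account; an empty list means the root user matches the three principles as far as the report can show.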

MFA for DLT and Customer accounts:

MFA is required on all DLT-managed accounts and should be established immediately, before any use of AWS resources, including for root on payer accounts. In addition, if a customer requires the "dlt-support" IAM user to use MFA, set up a virtual MFA device and log its key in the Accounts Vault so that other engineers can request to link the key to their own device.

(AOT version 5+, in development) DLT Billing and Support Role

This employs federated Cross Account Access (see the AWS Cross Account Access - Switch Role KB article). The "dlt-billing-support" role is created automatically by the DLT Account Onboarding Tool and uses a read-only policy that grants only the following rights:

  • Allow Full Access to Billing Console
  • Allow Access to Support Services
  • Allows All actions for credentials
  • Allows DLT to view stats on IAM dashboard
  • Allows DLT to view the DLT group policy
  • Allows DLT to list users in IAM console
  • Create and delete virtual MFA device
  • Sync own MFA device
  • List Virtual MFA devices

(AOT version 1-4, 2016 to 2019/20) DLT-Support IAM user for standard accounts under a DLT organization:

The "dlt-support" user is created automatically by the DLT Account Onboarding Tool and uses a read-only policy that grants only the following rights:

  • Allow Access to Support Services
  • Allows All actions for credentials
  • Allows user to see stats on IAM dashboard
  • Allows user to view the DLT group policy
  • Allows user to list users in IAM console
  • Create and delete virtual MFA device
  • Sync own MFA device
  • List Virtual MFA devices

CloudCheckr Role

The CloudCheckr role is enabled using a CloudFormation template automated with AOT. The current policy can be found here.

Customer Organization Admin Group

Customers are given access to Organizations through the DLT-configured IAM group and policy for Organization Administrators. This group has full administrative access with the following explicit exceptions:

  • Billing Console
  • Any IAM actions to modify/delete Billing/Support and CloudCheckr roles/policies

Key Management in all Accounts:

Access keys for IAM users in a customer account should be avoided. For any situation that requires persistent use of credentials (monitoring of services, for example), a role should be created and assigned the specific permissions needed to accomplish the task.
