Follow

AWS Account Access Overview

This article describes the types of account access for customers and DLT to achieve their AWS goals.

There are currently five default IAM entities:

  1. OrgAdmin - Used by customers for AWS Organizations administration
  2. AWS-PA - Used by DLT Project Accounts to facilitate monthly billing
  3. DLT-Ops - Used by the DLT's Confirmed Stateside Support staff for providing technical support
  4. DLT-Auditor - Used by DLT auditors and analysts to ensure
  5. CloudCheckr - Provides access to DLT's billing and utilization tool. Additionally, used by DLT Project Accountants to accurately calculate monthly billing 

 

Purpose of OrgAdmin:

This IAM User allows customers to perform administration of their AWS Organization and related services at the Payer account level.  The OrgAdmin IAM account is only used by customers and is designated during the on-boarding process.

OrgAdmin Policy: 

The following security policy is provided for your awareness.

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "GeneralAllowList",
"Effect": "Allow",
"Action": [
"ds:*",
"sso:*",
"sso-directory:*",
"cloudtrail:*",
"servicequotas:*",
"license-manager:*",
"config:*",
"ram:*",
"servicecatalog:*",
"fms:*",
"sns:GetTopicAttributes",
"organizations:DescribeOrganization",
"organizations:ListAWSServiceAccessForOrganization",
"organizations:DescribeAccount",
"iam:GetRole",
"iam:CreateServiceLinkedRole",
"cloudwatch:*",
"events:*",
"logs:*",
"sns:ListTopics",
"SNS:SetTopicAttributes",
"lambda:ListFunctions",
"waf-regional:*",
"iam:ListRoles"
],
"Resource": "*"
},
{
"Sid": "SSORestriction",
"Effect": "Deny",
"Action": "sso:PutPermissionsPolicy",
"Resource": "*"
},
{
"Sid": "AllowViewAccountInfo",
"Effect": "Allow",
"Action": [
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary",
"iam:ListVirtualMFADevices"
],
"Resource": "*"
},
{
"Sid": "AllowManageOwnPasswords",
"Effect": "Allow",
"Action": [
"iam:ChangePassword",
"iam:GetUser"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnAccessKeys",
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:ListAccessKeys",
"iam:UpdateAccessKey"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnSigningCertificates",
"Effect": "Allow",
"Action": [
"iam:DeleteSigningCertificate",
"iam:ListSigningCertificates",
"iam:UpdateSigningCertificate",
"iam:UploadSigningCertificate"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnSSHPublicKeys",
"Effect": "Allow",
"Action": [
"iam:DeleteSSHPublicKey",
"iam:GetSSHPublicKey",
"iam:ListSSHPublicKeys",
"iam:UpdateSSHPublicKey",
"iam:UploadSSHPublicKey"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnGitCredentials",
"Effect": "Allow",
"Action": [
"iam:CreateServiceSpecificCredential",
"iam:DeleteServiceSpecificCredential",
"iam:ListServiceSpecificCredentials",
"iam:ResetServiceSpecificCredential",
"iam:UpdateServiceSpecificCredential"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnVirtualMFADevice",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:DeleteVirtualMFADevice"
],
"Resource": "arn:aws:iam::*:mfa/${aws:username}"
},
{
"Sid": "AllowManageOwnUserMFA",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice",
"iam:EnableMFADevice",
"iam:ListMFADevices",
"iam:ResyncMFADevice"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AWSOrg",
"Effect": "Allow",
"Action": "organizations:*",
"Resource": "*"
},
{
"Sid": "S3Billingbucket",
"Effect": "Deny",
"Action": "s3:*",
"Resource": "arn:aws:s3:::163074657237-dlt-billing"
},
{
"Sid": "S3Allow",
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
},
{
"Sid": "AWSConfig",
"Effect": "Allow",
"Action": [
"iam:PassRole",
"config:PutConfigRule",
"ssm:ListDocuments"
],
"Resource": "*"
},
{
"Sid": "DirectoryService",
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:DeleteTags",
"ec2:CreateTags",
"ec2:DeleteNetworkInterface",
"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupIngress",
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeVpcs",
"ec2:CreateSecurityGroup",
"ec2:RevokeSecurityGroupEgress",
"ec2:DeleteSecurityGroup",
"ec2:DescribeSubnets"
],
"Resource": "*"
},
{
"Sid": "ServiceCatalogAdmin",
"Effect": "Allow",
"Action": [
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeStacks",
"cloudformation:SetStackPolicy",
"cloudformation:UpdateStack",
"cloudformation:CreateChangeSet",
"cloudformation:DescribeChangeSet",
"cloudformation:ExecuteChangeSet",
"cloudformation:ListChangeSets",
"cloudformation:DeleteChangeSet",
"cloudformation:ListStackResources",
"cloudformation:TagResource",
"cloudformation:CreateStackSet",
"cloudformation:CreateStackInstances",
"cloudformation:UpdateStackSet",
"cloudformation:UpdateStackInstances",
"cloudformation:DeleteStackSet",
"cloudformation:DeleteStackInstances",
"cloudformation:DescribeStackSet",
"cloudformation:DescribeStackInstance",
"cloudformation:DescribeStackSetOperation",
"cloudformation:ListStackInstances",
"cloudformation:ListStackSetOperations",
"cloudformation:ListStackSetOperationResults"
],
"Resource": [
"arn:aws:cloudformation:*:*:stack/SC-*",
"arn:aws:cloudformation:*:*:stack/StackSet-SC-*",
"arn:aws:cloudformation:*:*:changeSet/SC-*",
"arn:aws:cloudformation:*:*:stackset/SC-*"
]
},
{
"Effect": "Allow",
"Action": [
"cloudformation:CreateUploadBucket",
"cloudformation:GetTemplateSummary",
"cloudformation:ValidateTemplate",
"iam:GetGroup",
"iam:GetRole",
"iam:GetUser",
"iam:ListGroups",
"iam:ListRoles",
"iam:ListUsers",
"servicecatalog:*",
"ssm:DescribeDocument",
"ssm:GetAutomationExecution",
"ssm:ListDocuments",
"ssm:ListDocumentVersions",
"config:DescribeConfigurationRecorders",
"config:DescribeConfigurationRecorderStatus"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:PassedToService": "servicecatalog.amazonaws.com"
}
}
}
]
}

 

 

Purpose of AWS-PA:

This IAM User is used at the Payer account level to process monthly billing for customers. The AWS-PA IAM account is only used by the internal DLT Project Accounting team.


AWS-PA Policy:

The following security policy is attached to AWS-PA and provided for your awareness.

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowViewAccountInfo",
"Effect": "Allow",
"Action": [
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary",
"iam:ListVirtualMFADevices"
],
"Resource": "*"
},
{
"Sid": "AllowManageOwnPasswords",
"Effect": "Allow",
"Action": [
"iam:ChangePassword",
"iam:GetUser"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnAccessKeys",
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:ListAccessKeys",
"iam:UpdateAccessKey"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnSigningCertificates",
"Effect": "Allow",
"Action": [
"iam:DeleteSigningCertificate",
"iam:ListSigningCertificates",
"iam:UpdateSigningCertificate",
"iam:UploadSigningCertificate"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnSSHPublicKeys",
"Effect": "Allow",
"Action": [
"iam:DeleteSSHPublicKey",
"iam:GetSSHPublicKey",
"iam:ListSSHPublicKeys",
"iam:UpdateSSHPublicKey",
"iam:UploadSSHPublicKey"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnGitCredentials",
"Effect": "Allow",
"Action": [
"iam:CreateServiceSpecificCredential",
"iam:DeleteServiceSpecificCredential",
"iam:ListServiceSpecificCredentials",
"iam:ResetServiceSpecificCredential",
"iam:UpdateServiceSpecificCredential"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnVirtualMFADevice",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:DeleteVirtualMFADevice"
],
"Resource": "arn:aws:iam::*:mfa/${aws:username}"
},
{
"Sid": "AllowManageOwnUserMFA",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice",
"iam:EnableMFADevice",
"iam:ListMFADevices",
"iam:ResyncMFADevice"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "DenyAllExceptListedIfNoMFA",
"Effect": "Deny",
"NotAction": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:GetUser",
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ResyncMFADevice",
"sts:GetSessionToken"
],
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
},
{
"Sid": "AWSOrganizationsReadOnlyAccess",
"Effect": "Allow",
"Action": [
"organizations:Describe*",
"organizations:List*"
],
"Resource": "*"
},
{
"Sid": "AWSSupportAccess",
"Effect": "Allow",
"Action": [
"support:*"
],
"Resource": "*"
},
{
"Sid": "Billing",
"Effect": "Allow",
"Action": [
"aws-portal:*Billing",
"awsbillingconsole:*Billing",
"aws-portal:*Usage",
"awsbillingconsole:*Usage",
"aws-portal:*PaymentMethods",
"awsbillingconsole:*PaymentMethods",
"budgets:ViewBudget",
"budgets:ModifyBudget",
"cur:*"
],
"Resource": "*"
},
{
"Sid": "ListBuckets",
"Effect": "Allow",
"Action": [
"s3:PutAccountPublicAccessBlock",
"s3:GetAccountPublicAccessBlock",
"s3:ListAllMyBuckets",
"s3:ListJobs",
"s3:CreateJob",
"s3:HeadBucket"
],
"Resource": "*"
},
{
"Sid": "AllowAllDLTBillingBucket",
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::*-dlt-billing"
}
]
}

 

 

Purpose of DLT-Ops:

This IAM User is used at the Payer account level to provide operational support during the life of the AWS contract. Activities include the collaboration of Confirmed Stateside Support troubleshooting, limit increases, and other related technical assistance. This IAM account is only used by DLT Confirmed Stateside Support staff.le.

DLT-Ops Policy:

The following security policy is attached to DLT-Ops and provided for your awareness.

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowDLTSupportToAccessAWSSupportServices",
"Effect": "Allow",
"Action": "support:*",
"Resource": "*"
},
{
"Sid": "AllowUsersAllActionsForCredentials",
"Effect": "Allow",
"Action": [
"iam:*LoginProfile",
"iam:*AccessKey*",
"iam:*SigningCertificate*",
"iam:ChangePassword",
"iam:ListGroupsForUser",
"iam:GetUserPolicy",
"iam:ListUserPolicies"
],
"Resource": ["arn:aws:iam::637632706532:user/${aws:username}"]
},
{
"Sid": "AllowDLTSupportUserToViewDLTGroupPolicy",
"Effect": "Allow",
"Action": [
"iam:GetGroupPolicy",
"iam:ListGroupPolicies"
],
"Resource": ["arn:aws:iam::637632706532:group/DLT-support"]
},
{
"Sid": "AllowUsersToSeeStatsOnIAMConsoleDashboard",
"Effect": "Allow",
"Action": [
"iam:GetAccount*",
"iam:ListAccount*",
"iam:GetAccountPasswordPolicy"
],
"Resource": ["*"]
},
{
"Sid": "AllowUsersToListUsersInConsole",
"Effect": "Allow",
"Action": ["iam:ListUsers"],
"Resource": ["arn:aws:iam::637632706532:user/*"]
},
{
"Sid": "AllowUsersToCreateDeleteTheirOwnVirtualMFADevices",
"Effect": "Allow",
"Action": ["iam:*VirtualMFADevice"],
"Resource": ["arn:aws:iam::637632706532:mfa/${aws:username}"]
},
{
"Sid": "AllowUsersToEnableSyncDisableTheirOwnMFADevices",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice",
"iam:EnableMFADevice",
"iam:ListMFADevices",
"iam:ResyncMFADevice"
],
"Resource": ["arn:aws:iam::637632706532:user/${aws:username}"]
},
{
"Sid": "AllowUsersToListVirtualMFADevices",
"Effect": "Allow",
"Action": ["iam:ListVirtualMFADevices"],
"Resource": ["arn:aws:iam::637632706532:mfa/*"]
}
]
}

 

 

DLT-Auditor:

This IAM User is used at the Payer account level to ensure account compliance with AWS and DLT agreements. The AWS-Auditor account is only used by the internal DLT analysts and auditors.nd auditors.


DLT-Auditor Policy:

The following security policy is attached to DLT-Auditor and provided for your awareness.

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RIMarketplace",
"Effect": "Allow",
"Action": [
"ec2:CreateReservedInstancesListing",
"ec2:PurchaseReservedInstancesOffering",
"aws-marketplace:*",
"ec2:AcceptReservedInstancesExchangeQuote",
"aws-marketplace-management:*",
"ec2:CancelReservedInstancesListing",
"ec2:ModifyReservedInstances"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"support:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:ChangePassword"
],
"Resource": [
"arn:aws:iam::*:user/${aws:username}"
]
},
{
"Effect": "Allow",
"Action": [
"iam:GetAccountPasswordPolicy"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"aws-portal:*Billing",
"awsbillingconsole:*Billing",
"aws-portal:*Usage",
"awsbillingconsole:*Usage",
"aws-portal:*PaymentMethods",
"awsbillingconsole:*PaymentMethods",
"budgets:ViewBudget",
"budgets:ModifyBudget",
"cur:*"
],
"Resource": "*"
}
]
}

 


Purpose of CloudCheckr:

This IAM Role is used at the Payer account level to provide access to the DLT billing tool, CloudCheckr. This IAM acccount is only used by the CloudCheckr billing tool. To learn more about customer access to this tool, please visit this link.


CloudCheckr Policy:

The following security policy is attached to CloudCheckr and provided for your awareness.

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "FullPolicy",
"Action": [
"acm:DescribeCertificate",
"acm:ListCertificates",
"acm:GetCertificate",
"autoscaling:Describe*",
"cloudformation:DescribeStacks",
"cloudformation:GetStackPolicy",
"cloudformation:GetTemplate",
"cloudformation:ListStackResources",
"cloudfront:List*",
"cloudfront:GetDistributionConfig",
"cloudfront:GetStreamingDistributionConfig",
"cloudhsm:Describe*",
"cloudhsm:List*",
"cloudsearch:Describe*",
"cloudtrail:DescribeTrails",
"cloudtrail:GetTrailStatus",
"cloudwatch:DescribeAlarms",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"cognito-idp:List*",
"cognito-idp:Describe*",
"config:DescribeConfigRules",
"config:GetComplianceDetailsByConfigRule",
"config:Describe*",
"datapipeline:ListPipelines",
"datapipeline:GetPipelineDefinition",
"datapipeline:DescribePipelines",
"directconnect:DescribeLocations",
"directconnect:DescribeConnections",
"directconnect:DescribeVirtualInterfaces",
"dynamodb:ListTables",
"dynamodb:DescribeTable",
"dynamodb:ListTagsOfResource",
"ec2:Describe*",
"ec2:GetConsoleOutput",
"ecs:ListClusters",
"ecs:DescribeClusters",
"ecs:ListContainerInstances",
"ecs:DescribeContainerInstances",
"ecs:ListServices",
"ecs:DescribeServices",
"ecs:ListTaskDefinitions",
"ecs:DescribeTaskDefinition",
"ecs:ListTasks",
"ecs:DescribeTasks",
"elasticache:Describe*",
"elasticache:ListTagsForResource",
"elasticbeanstalk:Describe*",
"elasticfilesystem:Describe*",
"elasticloadbalancing:Describe*",
"elasticmapreduce:Describe*",
"elasticmapreduce:ListSteps",
"elasticmapreduce:ListInstanceGroups",
"elasticmapreduce:ListBootstrapActions",
"elasticmapreduce:ListClusters",
"elasticmapreduce:ListInstances",
"es:ListDomainNames",
"es:DescribeElasticsearchDomains",
"glacier:List*",
"glacier:DescribeVault",
"glacier:GetVaultNotifications",
"glacier:DescribeJob",
"glacier:GetJobOutput",
"iam:Get*",
"iam:List*",
"iam:GenerateCredentialReport",
"iot:DescribeThing",
"iot:ListThings",
"iam:GenerateCredentialReport",
"kinesis:ListStreams",
"kinesis:DescribeStream",
"kinesis:GetShardIterator",
"kinesis:GetRecords",
"kms:Describe*",
"kms:Get*",
"kms:List*",
"lambda:ListFunctions",
"lambda:ListTags",
"rds:Describe*",
"rds:ListTagsForResource",
"redshift:Describe*",
"redshift:ViewQueriesInConsole",
"route53:ListHealthChecks",
"route53:ListHostedZones",
"route53:ListResourceRecordSets",
"s3:GetBucketACL",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketPolicy",
"s3:GetBucketTagging",
"s3:GetBucketWebsite",
"s3:GetBucketNotification",
"s3:GetLifecycleConfiguration",
"s3:List*",
"ses:ListIdentities",
"ses:GetSendStatistics",
"ses:GetIdentityDkimAttributes",
"ses:GetIdentityVerificationAttributes",
"ses:GetSendQuota",
"sdb:ListDomains",
"sdb:DomainMetadata",
"support:Describe*",
"swf:ListClosedWorkflowExecutions",
"swf:ListDomains",
"swf:ListActivityTypes",
"swf:ListWorkflowTypes",
"sns:GetTopicAttributes",
"sns:GetSubscriptionAttributes",
"sns:ListTopics",
"sns:ListSubscriptionsByTopic",
"ssm:List*",
"sqs:ListQueues",
"sqs:GetQueueAttributes",
"storagegateway:Describe*",
"storagegateway:List*",
"workspaces:DescribeWorkspaceDirectories",
"workspaces:DescribeWorkspaceBundles",
"workspaces:DescribeWorkspaces",
"Organizations:List*",
"Organizations:Describe*"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "CloudWatchLogsSpecific",
"Effect": "Allow",
"Action": [
"logs:GetLogEvents",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams"
],
"Resource": [
"arn:aws:logs:*:*:*"
]
}
]
}

 

 

Was this article helpful?
1 out of 1 found this helpful
Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.
Powered by Zendesk