
AWS Account Access Overview

This article describes the types of account access used by customers and by DLT to achieve their AWS goals. These policies will change over time to match the capabilities of the platform and the needs of our customers; the policy documents below are the ones current at the time of writing, so verify them against the deployed policies before relying on them.

There are currently six default IAM entities:

  1. OrgAdmin - Used by customers for AWS Organizations administration.
  2. AWS-PA - Used by DLT Project Accounting team to facilitate monthly billing.
  3. DLT-Ops - Used by the DLT's Confirmed Stateside Support staff for providing technical support and inviting accounts to an AWS Organization.
  4. DLT-Auditor - Utilized by DLT auditors and analysts.
  5. CloudCheckr - Provides access to DLT's billing and utilization tool. 
  6. DLT-CloudOps - Administrative access provisioned in DLT-Managed accounts.

 

Purpose of OrgAdmin:

This IAM entity allows customers to perform administration of their AWS Organization and related services at the Organization (management) account level.  OrgAdmin credentials are provided to the end-users designated during the onboarding process. Note that the self-service statements in the policy below (`AllowManageOwnPasswords`, `AllowManageOwnAccessKeys`, the MFA-device statements, etc.) are scoped with the `${aws:username}` variable, which applies to IAM users; if OrgAdmin is used as an assumed IAM role rather than an IAM user, those statements do not grant anything.

OrgAdmin Policy: 

The following security policy is provided for your awareness. Points worth noting when reviewing it: the `AWSOrg` statement grants `organizations:*`, i.e. full control of the Organization (the narrower `organizations:Describe*`/`List*` entries in `GeneralAllowList` are therefore redundant); `S3Allow` grants `s3:*` on every bucket, while the `S3Billingbucket` Deny matches only the bucket ARN `arn:aws:s3:::*-dlt-billing` — object keys under that bucket (`arn:aws:s3:::*-dlt-billing/*`) are not covered by the Deny, so confirm that a bucket policy restricts object-level access; and the `AWSConfig` statement allows `iam:PassRole` on every role with no `iam:PassedToService` condition, which means the conditioned PassRole statement at the end of the policy does not act as a restriction (Allow statements are combined). Unlike the AWS-PA policy, this policy contains no MFA-required condition.

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "GeneralAllowList",
"Effect": "Allow",
"Action": [
"ds:*",
"sso:*",
"sso-directory:*",
"cloudtrail:*",
"servicequotas:*",
"license-manager:*",
"config:*",
"ram:*",
"servicecatalog:*",
"fms:*",
"sns:GetTopicAttributes",
"organizations:DescribeOrganization",
"organizations:ListAWSServiceAccessForOrganization",
"organizations:DescribeAccount",
"iam:GetRole",
"iam:CreateServiceLinkedRole",
"cloudwatch:*",
"events:*",
"logs:*",
"sns:ListTopics",
"SNS:SetTopicAttributes",
"lambda:ListFunctions",
"waf-regional:*",
"iam:ListRoles"
],
"Resource": "*"
},
{
"Sid": "SSORestriction",
"Effect": "Deny",
"Action": "sso:PutPermissionsPolicy",
"Resource": "*"
},
{
"Sid": "AllowViewAccountInfo",
"Effect": "Allow",
"Action": [
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary",
"iam:ListVirtualMFADevices"
],
"Resource": "*"
},
{
"Sid": "AllowManageOwnPasswords",
"Effect": "Allow",
"Action": [
"iam:ChangePassword",
"iam:GetUser"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnAccessKeys",
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:ListAccessKeys",
"iam:UpdateAccessKey"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnSigningCertificates",
"Effect": "Allow",
"Action": [
"iam:DeleteSigningCertificate",
"iam:ListSigningCertificates",
"iam:UpdateSigningCertificate",
"iam:UploadSigningCertificate"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnSSHPublicKeys",
"Effect": "Allow",
"Action": [
"iam:DeleteSSHPublicKey",
"iam:GetSSHPublicKey",
"iam:ListSSHPublicKeys",
"iam:UpdateSSHPublicKey",
"iam:UploadSSHPublicKey"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnGitCredentials",
"Effect": "Allow",
"Action": [
"iam:CreateServiceSpecificCredential",
"iam:DeleteServiceSpecificCredential",
"iam:ListServiceSpecificCredentials",
"iam:ResetServiceSpecificCredential",
"iam:UpdateServiceSpecificCredential"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnVirtualMFADevice",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:DeleteVirtualMFADevice"
],
"Resource": "arn:aws:iam::*:mfa/${aws:username}"
},
{
"Sid": "AllowManageOwnUserMFA",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice",
"iam:EnableMFADevice",
"iam:ListMFADevices",
"iam:ResyncMFADevice"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AWSOrg",
"Effect": "Allow",
"Action": "organizations:*",
"Resource": "*"
},
{
"Sid": "S3Billingbucket",
"Effect": "Deny",
"Action": "s3:*",
"Resource": "arn:aws:s3:::*-dlt-billing"
},
{
"Sid": "S3Allow",
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
},
{
"Sid": "AWSConfig",
"Effect": "Allow",
"Action": [
"iam:PassRole",
"config:PutConfigRule",
"ssm:ListDocuments"
],
"Resource": "*"
},
{
"Sid": "DirectoryService",
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:DeleteTags",
"ec2:CreateTags",
"ec2:DeleteNetworkInterface",
"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupIngress",
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeVpcs",
"ec2:CreateSecurityGroup",
"ec2:RevokeSecurityGroupEgress",
"ec2:DeleteSecurityGroup",
"ec2:DescribeSubnets"
],
"Resource": "*"
},
{
"Sid": "ServiceCatalogAdmin",
"Effect": "Allow",
"Action": [
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeStacks",
"cloudformation:SetStackPolicy",
"cloudformation:UpdateStack",
"cloudformation:CreateChangeSet",
"cloudformation:DescribeChangeSet",
"cloudformation:ExecuteChangeSet",
"cloudformation:ListChangeSets",
"cloudformation:DeleteChangeSet",
"cloudformation:ListStackResources",
"cloudformation:TagResource",
"cloudformation:CreateStackSet",
"cloudformation:CreateStackInstances",
"cloudformation:UpdateStackSet",
"cloudformation:UpdateStackInstances",
"cloudformation:DeleteStackSet",
"cloudformation:DeleteStackInstances",
"cloudformation:DescribeStackSet",
"cloudformation:DescribeStackInstance",
"cloudformation:DescribeStackSetOperation",
"cloudformation:ListStackInstances",
"cloudformation:ListStackSetOperations",
"cloudformation:ListStackSetOperationResults"
],
"Resource": [
"arn:aws:cloudformation:*:*:stack/SC-*",
"arn:aws:cloudformation:*:*:stack/StackSet-SC-*",
"arn:aws:cloudformation:*:*:changeSet/SC-*",
"arn:aws:cloudformation:*:*:stackset/SC-*"
]
},
{
"Effect": "Allow",
"Action": [
"cloudformation:CreateUploadBucket",
"cloudformation:GetTemplateSummary",
"cloudformation:ValidateTemplate",
"iam:GetGroup",
"iam:GetRole",
"iam:GetUser",
"iam:ListGroups",
"iam:ListRoles",
"iam:ListUsers",
"servicecatalog:*",
"ssm:DescribeDocument",
"ssm:GetAutomationExecution",
"ssm:ListDocuments",
"ssm:ListDocumentVersions",
"config:DescribeConfigurationRecorders",
"config:DescribeConfigurationRecorderStatus"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:PassedToService": "servicecatalog.amazonaws.com"
}
}
}
]
}

 

 

Purpose of AWS-PA:

This IAM entity is used at the Organization master (management) account level to process monthly billing for customers. AWS-PA is used only by the DLT Project Accounting team.


AWS-PA Policy:

The following security policy is attached to AWS-PA and provided for your awareness. It is the only policy in this article that includes a `DenyAllExceptListedIfNoMFA` statement, which denies every action other than MFA enrollment and `sts:GetSessionToken` when `aws:MultiFactorAuthPresent` is false. Note also that the `Billing` statement grants `budgets:ModifyBudget` and `aws-portal:*PaymentMethods`, so this entity can change budgets and payment methods, not only view them.

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowViewAccountInfo",
"Effect": "Allow",
"Action": [
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary",
"iam:ListVirtualMFADevices"
],
"Resource": "*"
},
{
"Sid": "AllowManageOwnPasswords",
"Effect": "Allow",
"Action": [
"iam:ChangePassword",
"iam:GetUser"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnAccessKeys",
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:ListAccessKeys",
"iam:UpdateAccessKey"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnSigningCertificates",
"Effect": "Allow",
"Action": [
"iam:DeleteSigningCertificate",
"iam:ListSigningCertificates",
"iam:UpdateSigningCertificate",
"iam:UploadSigningCertificate"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnSSHPublicKeys",
"Effect": "Allow",
"Action": [
"iam:DeleteSSHPublicKey",
"iam:GetSSHPublicKey",
"iam:ListSSHPublicKeys",
"iam:UpdateSSHPublicKey",
"iam:UploadSSHPublicKey"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnGitCredentials",
"Effect": "Allow",
"Action": [
"iam:CreateServiceSpecificCredential",
"iam:DeleteServiceSpecificCredential",
"iam:ListServiceSpecificCredentials",
"iam:ResetServiceSpecificCredential",
"iam:UpdateServiceSpecificCredential"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnVirtualMFADevice",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:DeleteVirtualMFADevice"
],
"Resource": "arn:aws:iam::*:mfa/${aws:username}"
},
{
"Sid": "AllowManageOwnUserMFA",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice",
"iam:EnableMFADevice",
"iam:ListMFADevices",
"iam:ResyncMFADevice"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "DenyAllExceptListedIfNoMFA",
"Effect": "Deny",
"NotAction": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:GetUser",
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ResyncMFADevice",
"sts:GetSessionToken"
],
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
},
{
"Sid": "AWSOrganizationsReadOnlyAccess",
"Effect": "Allow",
"Action": [
"organizations:Describe*",
"organizations:List*"
],
"Resource": "*"
},
{
"Sid": "AWSSupportAccess",
"Effect": "Allow",
"Action": [
"support:*"
],
"Resource": "*"
},
{
"Sid": "Billing",
"Effect": "Allow",
"Action": [
"aws-portal:*Billing",
"awsbillingconsole:*Billing",
"aws-portal:*Usage",
"awsbillingconsole:*Usage",
"aws-portal:*PaymentMethods",
"awsbillingconsole:*PaymentMethods",
"budgets:ViewBudget",
"budgets:ModifyBudget",
"cur:*"
],
"Resource": "*"
},
{
"Sid": "ListBuckets",
"Effect": "Allow",
"Action": [
"s3:PutAccountPublicAccessBlock",
"s3:GetAccountPublicAccessBlock",
"s3:ListAllMyBuckets",
"s3:ListJobs",
"s3:CreateJob",
"s3:HeadBucket"
],
"Resource": "*"
},
{
"Sid": "AllowAllDLTBillingBucket",
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::*-dlt-billing"
}
]
}

 

 

Purpose of DLT-Ops:

This IAM entity is used at the master (management) account level to provide operational support for the life of the AWS contract. Activities include Confirmed Stateside Support troubleshooting, service limit increases, and other related technical assistance. It is used only by DLT Confirmed Stateside Support staff.

DLT-Ops Policy:

The following security policy is attached to DLT-Ops and provided for your awareness. Beyond AWS Support access, it can invite accounts into the Organization and cancel pending handshakes (`organizations:InviteAccountToOrganization`, `organizations:CancelHandshake`) but cannot remove accounts or change Organization policies; the `iam:*LoginProfile` and `iam:*AccessKey*` actions are scoped to the entity's own IAM user only. This policy contains no MFA-required condition.

{
"Statement": [
{
"Action": "support:*",
"Effect": "Allow",
"Resource": "*",
"Sid": "AllowDLTSupportToAccessAWSSupportServices"
},
{
"Sid": "Stmt1488996114685",
"Action": [
"organizations:InviteAccountToOrganization",
"organizations:List*",
"organizations:Describe*",
"organizations:CancelHandshake"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"iam:*LoginProfile",
"iam:*AccessKey*",
"iam:*SigningCertificate*",
"iam:ChangePassword",
"iam:ListGroupsForUser",
"iam:GetUserPolicy",
"iam:ListUserPolicies"
],
"Effect": "Allow",
"Resource": [
"arn:aws:iam::*:user/${aws:username}"
],
"Sid": "AllowUsersAllActionsForCredentials"
},
{
"Action": [
"iam:GetGroupPolicy",
"iam:ListGroupPolicies"
],
"Effect": "Allow",
"Resource": [
"arn:aws:iam::*:group/DLT-support"
],
"Sid": "AllowDLTSupportUserToViewDLTGroupPolicy"
},
{
"Action": [
"iam:GetAccount*",
"iam:ListAccount*",
"iam:GetAccountPasswordPolicy"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Sid": "AllowUsersToSeeStatsOnIAMConsoleDashboard"
},
{
"Action": [
"iam:ListUsers"
],
"Effect": "Allow",
"Resource": [
"arn:aws:iam::*:user/*"
],
"Sid": "AllowUsersToListUsersInConsole"
},
{
"Action": [
"iam:*VirtualMFADevice"
],
"Effect": "Allow",
"Resource": [
"arn:aws:iam::*:mfa/${aws:username}"
],
"Sid": "AllowUsersToCreateDeleteTheirOwnVirtualMFADevices"
},
{
"Action": [
"iam:DeactivateMFADevice",
"iam:EnableMFADevice",
"iam:ListMFADevices",
"iam:ResyncMFADevice"
],
"Effect": "Allow",
"Resource": [
"arn:aws:iam::*:user/${aws:username}"
],
"Sid": "AllowUsersToEnableSyncDisableTheirOwnMFADevices"
},
{
"Action": [
"iam:ListVirtualMFADevices"
],
"Effect": "Allow",
"Resource": [
"arn:aws:iam::*:mfa/*"
],
"Sid": "AllowUsersToListVirtualMFADevices"
}
],
"Version": "2012-10-17"
}

 

 

Purpose of DLT-Auditor:

This IAM entity (listed above as DLT-Auditor; referred to in some places as DLT-Audit or AWS-Auditor) is used at the master (management) account level to ensure account compliance with AWS and DLT agreements. It is used only by DLT analysts and auditors.


DLT-Auditor Policy:

The following security policy is attached to DLT-Auditor and provided for your awareness. Despite the auditing purpose, this policy is not read-only: the `RIMarketplace` statement grants `ec2:PurchaseReservedInstancesOffering`, `ec2:ModifyReservedInstances`, `aws-marketplace:*` and `aws-marketplace-management:*`, and the billing statement grants `budgets:ModifyBudget` and `aws-portal:*PaymentMethods`. There is no MFA-required condition.

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RIMarketplace",
"Effect": "Allow",
"Action": [
"ec2:CreateReservedInstancesListing",
"ec2:PurchaseReservedInstancesOffering",
"aws-marketplace:*",
"ec2:AcceptReservedInstancesExchangeQuote",
"aws-marketplace-management:*",
"ec2:CancelReservedInstancesListing",
"ec2:ModifyReservedInstances"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"support:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:ChangePassword"
],
"Resource": [
"arn:aws:iam::*:user/${aws:username}"
]
},
{
"Effect": "Allow",
"Action": [
"iam:GetAccountPasswordPolicy"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"aws-portal:*Billing",
"awsbillingconsole:*Billing",
"aws-portal:*Usage",
"awsbillingconsole:*Usage",
"aws-portal:*PaymentMethods",
"awsbillingconsole:*PaymentMethods",
"budgets:ViewBudget",
"budgets:ModifyBudget",
"cur:*"
],
"Resource": "*"
}
]
}

 


Purpose of CloudCheckr:

This IAM entity is used at the master (management) account level to provide access to the DLT billing tool, CloudCheckr. It is used only by the CloudCheckr billing tool. To learn more about customer access to this tool, see the separate CloudCheckr access article (the link was not preserved in this copy).


CloudCheckr Policy:

The following security policy is attached to CloudCheckr and provided for your awareness. It is predominantly Describe/List/Get (metadata) access, but a few actions return data contents rather than configuration — `logs:GetLogEvents`, `kinesis:GetShardIterator`/`kinesis:GetRecords`, `ec2:GetConsoleOutput`, `glacier:GetJobOutput` and `cloudformation:GetTemplate` — and `iam:Get*`/`iam:List*` plus `iam:GenerateCredentialReport` (listed twice) expose the account's full IAM configuration. Confirm with the vendor that each of these is required by the tool before granting it.

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "FullPolicy",
"Action": [
"acm:DescribeCertificate",
"acm:ListCertificates",
"acm:GetCertificate",
"autoscaling:Describe*",
"cloudformation:DescribeStacks",
"cloudformation:GetStackPolicy",
"cloudformation:GetTemplate",
"cloudformation:ListStackResources",
"cloudfront:List*",
"cloudfront:GetDistributionConfig",
"cloudfront:GetStreamingDistributionConfig",
"cloudhsm:Describe*",
"cloudhsm:List*",
"cloudsearch:Describe*",
"cloudtrail:DescribeTrails",
"cloudtrail:GetTrailStatus",
"cloudwatch:DescribeAlarms",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"cognito-idp:List*",
"cognito-idp:Describe*",
"config:DescribeConfigRules",
"config:GetComplianceDetailsByConfigRule",
"config:Describe*",
"datapipeline:ListPipelines",
"datapipeline:GetPipelineDefinition",
"datapipeline:DescribePipelines",
"directconnect:DescribeLocations",
"directconnect:DescribeConnections",
"directconnect:DescribeVirtualInterfaces",
"dynamodb:ListTables",
"dynamodb:DescribeTable",
"dynamodb:ListTagsOfResource",
"ec2:Describe*",
"ec2:GetConsoleOutput",
"ecs:ListClusters",
"ecs:DescribeClusters",
"ecs:ListContainerInstances",
"ecs:DescribeContainerInstances",
"ecs:ListServices",
"ecs:DescribeServices",
"ecs:ListTaskDefinitions",
"ecs:DescribeTaskDefinition",
"ecs:ListTasks",
"ecs:DescribeTasks",
"elasticache:Describe*",
"elasticache:ListTagsForResource",
"elasticbeanstalk:Describe*",
"elasticfilesystem:Describe*",
"elasticloadbalancing:Describe*",
"elasticmapreduce:Describe*",
"elasticmapreduce:ListSteps",
"elasticmapreduce:ListInstanceGroups",
"elasticmapreduce:ListBootstrapActions",
"elasticmapreduce:ListClusters",
"elasticmapreduce:ListInstances",
"es:ListDomainNames",
"es:DescribeElasticsearchDomains",
"glacier:List*",
"glacier:DescribeVault",
"glacier:GetVaultNotifications",
"glacier:DescribeJob",
"glacier:GetJobOutput",
"iam:Get*",
"iam:List*",
"iam:GenerateCredentialReport",
"iot:DescribeThing",
"iot:ListThings",
"iam:GenerateCredentialReport",
"kinesis:ListStreams",
"kinesis:DescribeStream",
"kinesis:GetShardIterator",
"kinesis:GetRecords",
"kms:Describe*",
"kms:Get*",
"kms:List*",
"lambda:ListFunctions",
"lambda:ListTags",
"rds:Describe*",
"rds:ListTagsForResource",
"redshift:Describe*",
"redshift:ViewQueriesInConsole",
"route53:ListHealthChecks",
"route53:ListHostedZones",
"route53:ListResourceRecordSets",
"s3:GetBucketACL",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketPolicy",
"s3:GetBucketTagging",
"s3:GetBucketWebsite",
"s3:GetBucketNotification",
"s3:GetLifecycleConfiguration",
"s3:List*",
"ses:ListIdentities",
"ses:GetSendStatistics",
"ses:GetIdentityDkimAttributes",
"ses:GetIdentityVerificationAttributes",
"ses:GetSendQuota",
"sdb:ListDomains",
"sdb:DomainMetadata",
"support:Describe*",
"swf:ListClosedWorkflowExecutions",
"swf:ListDomains",
"swf:ListActivityTypes",
"swf:ListWorkflowTypes",
"sns:GetTopicAttributes",
"sns:GetSubscriptionAttributes",
"sns:ListTopics",
"sns:ListSubscriptionsByTopic",
"ssm:List*",
"sqs:ListQueues",
"sqs:GetQueueAttributes",
"storagegateway:Describe*",
"storagegateway:List*",
"workspaces:DescribeWorkspaceDirectories",
"workspaces:DescribeWorkspaceBundles",
"workspaces:DescribeWorkspaces",
"Organizations:List*",
"Organizations:Describe*"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "CloudWatchLogsSpecific",
"Effect": "Allow",
"Action": [
"logs:GetLogEvents",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams"
],
"Resource": [
"arn:aws:logs:*:*:*"
]
}
]
}

 

Purpose of DLT-CloudOps-Role:

Administrative access provisioned in DLT-Managed accounts, used to apply Governance as Code at scale. The policy below is `"Action": "*"` on `"Resource": "*"`, equivalent to the AWS-managed AdministratorAccess policy, and contains no condition (such as an MFA or source requirement) in the policy document itself; any restriction on who can assume this role and from where must come from the role's trust policy or a service control policy, neither of which is shown in this article.

DLT-CloudOps Policy:

The following security policy is attached to DLT-CloudOps and provided for your awareness.

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}