Set Up Team Development Environment Access Controls

In this step your Security and Cloud Administrators will provision resources to control the access to team development AWS accounts.

This step should take about 20 minutes to complete.

Automated provisioning of resources: In the next several steps you’ll use a mix of manual steps and automation to provision a set of policies that control builder teams’ use of team development environments. Although this approach may be suitable for the initial iteration of your AWS environment, a more advanced and effective means of provisioning these resources is to manage the policies in a source repository and use a continuous delivery (CD) pipeline to automatically detect changes to the policy source, validate the changes, and provision them to your environment. Customizations for AWS Control Tower is an AWS solution that uses AWS services including AWS CodePipeline and AWS Control Tower Lifecycle Events to help you more efficiently manage these types of resources as code and via pipelines. Both the SCPs and the IAM permissions boundary policy addressed below are candidates for that automation solution.

1. Apply Service Control Policies (SCPs) to development OU

Using AWS Organizations, create several Service Control Policies (SCPs) that will initially be applied to the development OU. When attached to the development OU, these SCPs deny every principal in the team development AWS accounts, including builder team members and foundation team members, the ability to create and modify foundation VPC networking resources. Keep in mind that an SCP only caps the permissions available in a member account; it never grants access by itself, and it does not apply to the management account.

Service Control Policies (SCPs): If you’d like to learn more about SCPs, see Managing AWS Organizations policies.

Ability for foundation team builders to create and modify VPC resources: Typically, builders in your foundation team will need write access to VPC resources in their team development accounts so that they can experiment, develop, and perform early testing of VPC-related foundational changes. You have several options for giving foundation team builders such access: 1) you could create a new “development-foundation” or similar OU that does not have the SCP described here and create the foundation team’s development AWS accounts under that OU, or 2) you could continue to use the common SCP, establish a distinct permission set for your foundation team’s development access that carries the same policy as other teams, and add a condition to the SCP that excludes the foundation team’s team development IAM role associated with that permission set (for example, by matching aws:PrincipalArn against the role AWS SSO creates for the permission set). In either case, see Controlling Builder Team Access for a more detailed explanation of these options.

Review the sample team development access controls: See Controlling Builder Team Access for a detailed explanation of the requirements and sample implementation of how you can provide freedom to your builder teams in their team development AWS accounts, but inhibit them from adversely impacting the security of your overall AWS environment.

Create the SCPs

Either open in a separate browser tab or download to your desktop the sample SCPs example-base-scp-vpc-core and example-base-scp-vpc-boundaries, whose content you will paste in the steps below:

  1. As a Cloud Administrator, use your personal user to log into AWS SSO.
  2. Select the AWS management account (formerly called the master account).
  3. Select Management console associated with the AWSAdministratorAccess role.
  4. Select the appropriate AWS region.
  5. Navigate to AWS Organizations.
  6. Select Policies.
  7. Select Service control policies
  8. Select Create policy.
  9. Create a new SCP:
    • Policy name: example-base-scp-vpc-core
    • Description: “Deny creation of and changes to core VPC resources”
    • Policy: Copy the content of the sample policy.
  10. Repeat steps 8-9 to create the second SCP:
    • Policy name: example-base-scp-vpc-boundaries
    • Description: “Deny creation of and changes to boundary VPC resources”
    • Policy: Copy the content of the sample policy.
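
As an added worked example, not the page’s sample SCP file, the following CloudFormation template shows the shape of an SCP that denies writes to core VPC resources and, following option 2 from the note above, exempts the foundation team’s development role with a condition on aws:PrincipalArn. It goes one step beyond the console procedure by expressing the policy and its OU attachment as code, which is the pipeline-managed form the automation note earlier on this page recommends. The action list, the parameter names, the permission set name example-base-team-dev-foundation and the AWSReservedSSO_ role ARN pattern are assumptions to adapt to your environment; the Content block alone is the policy document itself (convert it to JSON to paste it in step 9).

```yaml
# Added illustrative template; not the page's sample SCP. AWS::Organizations::Policy
# must be deployed from the management account (or a delegated administrator).
# pOrg, pDevelopmentOuId, pFoundationPermissionSetName and the action list are assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Description: Deny creation of and changes to core VPC resources in team development accounts

Parameters:
  pOrg:
    Type: String
    Default: example
    Description: Organization identifier used as the prefix of foundation resource names
  pDevelopmentOuId:
    Type: String
    Description: ID of the development OU (ou-xxxx-xxxxxxxx) to attach the SCP to
  pFoundationPermissionSetName:
    Type: String
    Default: example-base-team-dev-foundation
    Description: Distinct permission set used by foundation team builders (option 2); its role is exempt

Resources:
  rScpVpcCore:
    Type: AWS::Organizations::Policy
    Properties:
      Name: !Sub ${pOrg}-base-scp-vpc-core
      Type: SERVICE_CONTROL_POLICY
      Description: Deny creation of and changes to core VPC resources
      TargetIds:
        - !Ref pDevelopmentOuId
      # Content is the SCP document itself; an SCP grants nothing, it only caps what
      # IAM policies in the member accounts can allow.
      Content:
        Version: "2012-10-17"
        Statement:
          - Sid: DenyCoreVpcChanges
            Effect: Deny
            Action:
              - ec2:CreateVpc
              - ec2:DeleteVpc
              - ec2:ModifyVpcAttribute
              - ec2:CreateSubnet
              - ec2:DeleteSubnet
              - ec2:ModifySubnetAttribute
              - ec2:CreateRouteTable
              - ec2:DeleteRouteTable
              - ec2:AssociateRouteTable
              - ec2:DisassociateRouteTable
              - ec2:CreateRoute
              - ec2:ReplaceRoute
              - ec2:DeleteRoute
              - ec2:CreateInternetGateway
              - ec2:AttachInternetGateway
              - ec2:DetachInternetGateway
              - ec2:DeleteInternetGateway
              - ec2:CreateNatGateway
              - ec2:DeleteNatGateway
            Resource: "*"
            # Option 2 from the note above: exempt the role AWS SSO provisions for the
            # foundation team's permission set. That role is named
            # AWSReservedSSO_<permission set name>_<suffix> under the
            # aws-reserved/sso.amazonaws.com/ path (some regions insert a region segment,
            # hence the wildcard before AWSReservedSSO_). Drop this Condition to get the
            # page's default behaviour, which denies the foundation team as well.
            Condition:
              ArnNotLike:
                aws:PrincipalArn: !Sub arn:${AWS::Partition}:iam::*:role/aws-reserved/sso.amazonaws.com/*AWSReservedSSO_${pFoundationPermissionSetName}_*
```

Two checks before relying on the exemption: the foundation team’s permission set must have a name that no other team’s permission set shares as a prefix, otherwise the wildcard pattern exempts more roles than intended, and the SCP never restricts the management account, so the foundation VPC work that the SCP protects should not be done from there either.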

Apply the SCPs to the development OU

  1. Select Organize accounts.
  2. In the Organization tree on the left, select the development OU.
  3. On the right side of the console, select Service control policies.
  4. On the right side of the console, select the Attach link next to the SCPs
    • example-base-scp-vpc-core
    • example-base-scp-vpc-boundaries

2. Distribute Permissions Boundary to Development OU

In this step you’ll use AWS CloudFormation StackSets to distribute an IAM permissions boundary policy to the “development” OU that you just created. This boundary policy will help ensure that builder teams using team development AWS accounts can’t modify your foundation cloud resources.

In a later section, when you create several team development AWS accounts, you will place those accounts in the “development” OU. With automatic deployment enabled on the StackSet, any AWS account that is added to that OU is automatically configured with the IAM permissions boundary policy, and when an account is removed from the OU the policy’s stack is removed from it (provided the StackSet’s account removal behavior is set to delete stacks).

Enable Trusted Access in AWS Organizations

First, enable the AWS CloudFormation service to automatically configure permissions required to use the CloudFormation StackSets feature to deploy stacks to AWS accounts in your AWS organization.

  1. Navigate to AWS CloudFormation.
  2. Select StackSets.
  3. Select Enable trusted access.

This is a one-time operation: If you’d like more background, see Enabling Trusted Access with AWS Organizations.

Download AWS CloudFormation Template

Next, download the sample AWS CloudFormation template example-base-team-dev-boundary.yml to your desktop.

Deploy Permissions Boundary as a StackSet

Create a StackSet to deploy the permissions boundary policy to all AWS accounts associated with the “development” OU.

  1. Select Create StackSet.
  2. Select Upload a template file.
  3. Select Choose file to select the downloaded template file from your desktop.
  4. Select Next.
  5. Enter a StackSet name. For example, example-base-team-dev-boundary.

It’s useful to prefix your custom cloud resources that live in a larger namespace with your organization identifier and a qualifier such as base to represent foundation resources. The important consideration is to be consistent in naming foundation cloud resources so that you can write IAM policies that inhibit unauthorized modification of those resources by matching on that prefix.

  6. In Parameters:

     Parameter   Guidance
     pOrg        Replace example with your organization identifier or stock ticker, if that applies. This value is used as the prefix in the name of the IAM managed policy that the template creates.

     Leave the other parameters at their default settings.

  7. Select Next.
  8. Leave the Permissions set to Service managed permissions.
  9. Select Next.
  10. In Deployment targets, select Deploy to organizational units (OUs).
  11. Enter the OU ID of the “development” OU that you created in the previous step.
  12. Under Automatic deployment, confirm that it is enabled and that Account removal behavior is set to Delete stacks, so that the boundary policy follows accounts into and out of the OU.
  13. In Specify regions, select your home AWS region.
  14. Select Next.
  15. Scroll to the bottom and mark the checkbox to acknowledge that IAM resources will be created.
  16. Select Submit.

Since you have not yet created the team development AWS accounts, this CloudFormation StackSet won’t create CloudFormation stacks in the team development AWS accounts until those AWS accounts are created in a subsequent section.
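
For orientation while the StackSet is still empty, here is an added illustrative template (not the page’s example-base-team-dev-boundary.yml, whose statements may differ) showing how a pOrg-prefixed boundary policy can be written so that it protects foundation IAM resources by the naming convention described above. The resource and Sid names and the specific deny lists are assumptions; the pOrg parameter mirrors the one the page’s template takes.

```yaml
# Added illustrative template; not the page's example-base-team-dev-boundary.yml.
# Deployed by the StackSet to every account in the development OU. Resource names,
# Sids and the deny lists are assumptions; the pOrg parameter mirrors the page's.
AWSTemplateFormatVersion: "2010-09-09"
Description: IAM permissions boundary for roles created by builder teams in team development accounts

Parameters:
  pOrg:
    Type: String
    Default: example
    Description: Organization identifier; prefix of foundation resource names and of this policy's name

Resources:
  rTeamDevBoundary:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      # Deterministic name so the permission set policy can reference it by ARN in every account
      ManagedPolicyName: !Sub ${pOrg}-base-team-dev-boundary
      Description: Maximum permissions for any role a builder team creates
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # A boundary is a ceiling, not a grant: the Allow below is the ceiling, and the
          # Deny statements carve foundation resources out of it.
          - Sid: CeilingIsEverythingNotDeniedBelow
            Effect: Allow
            Action: "*"
            Resource: "*"
          - Sid: DenyChangesToFoundationIamResources
            Effect: Deny
            Action:
              - iam:AttachRolePolicy
              - iam:DetachRolePolicy
              - iam:PutRolePolicy
              - iam:DeleteRolePolicy
              - iam:UpdateRole
              - iam:UpdateAssumeRolePolicy
              - iam:DeleteRole
              - iam:PutRolePermissionsBoundary
              - iam:CreatePolicyVersion
              - iam:DeletePolicyVersion
              - iam:SetDefaultPolicyVersion
              - iam:DeletePolicy
            Resource:
              - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pOrg}-base-*
              - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${pOrg}-base-*
          # Nobody bounded by this policy may strip a boundary from any role
          - Sid: DenyRemovingAnyBoundary
            Effect: Deny
            Action:
              - iam:DeleteRolePermissionsBoundary
            Resource: "*"
          # Roles created under this boundary must themselves carry it, so a builder cannot
          # escalate by creating an unbounded role and assuming it.
          - Sid: DenyCreatingRolesWithoutThisBoundary
            Effect: Deny
            Action:
              - iam:CreateRole
              - iam:PutRolePermissionsBoundary
            Resource: "*"
            Condition:
              StringNotEquals:
                iam:PermissionsBoundary: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${pOrg}-base-team-dev-boundary

Outputs:
  oTeamDevBoundaryArn:
    Description: ARN of the boundary; the team development permission set requires it on iam:CreateRole
    Value: !Ref rTeamDevBoundary
```

Because the policy name is derived from pOrg rather than generated by CloudFormation, the permission set you create in the next step can reference it with a single ARN pattern across every account, and the last statement makes the boundary self-propagating to roles that builders create.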

Proceed to the next step.

3. Create Team Development Permission Set in AWS SSO

Next, you’ll create a custom permission set in AWS SSO to represent the initial iteration of an AWS IAM policy under which builder team members will work in their team development AWS accounts.

Download and Customize Sample IAM Policy

  1. Download the sample policy example-base-team-dev-saml.json to your desktop.
  2. Open the file and replace all occurrences of example with your own organization’s identifier (use the same value you supplied for pOrg when deploying the permissions boundary, so that resource names stay consistent).

Create Permission Set in AWS SSO

  1. In AWS SSO, select AWS accounts.
  2. Select Permission sets.
  3. Select Create permission set.
  4. Select Create a custom permission set.
  5. Enter a Name. For example example-base-team-dev.
  6. Enter a Description. For example, Day-to-day permission used by builders in their team development AWS accounts.
  7. Set the Session duration to the desired value.
  8. Select the checkbox Create a custom permissions policy.
  9. Open the sample policy file that you just customized in a text editor, copy, and paste the content.
  10. Select Create.
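
The following added example, not the page’s example-base-team-dev-saml.json, shows the same permission set expressed as an AWS::SSO::PermissionSet resource with the kind of inline policy this step pastes in, going beyond the console procedure to the pipeline-managed form recommended earlier on the page. It assumes the boundary created by the StackSet is named example-base-team-dev-boundary (replace example with your organization identifier) and already exists in each target account; the instance ARN parameter, the session duration and the individual statements are assumptions as well.

```yaml
# Added illustrative template; not the page's example-base-team-dev-saml.json.
# Deploy from the management account where AWS SSO is administered. pSsoInstanceArn,
# SessionDuration, the statements and the boundary name are assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Description: Day-to-day permission set used by builders in their team development AWS accounts

Parameters:
  pOrg:
    Type: String
    Default: example
  pSsoInstanceArn:
    Type: String
    Description: ARN of the AWS SSO instance (arn:aws:sso:::instance/ssoins-...)

Resources:
  rTeamDevPermissionSet:
    Type: AWS::SSO::PermissionSet
    Properties:
      InstanceArn: !Ref pSsoInstanceArn
      Name: !Sub ${pOrg}-base-team-dev
      Description: Day-to-day permission used by builders in their team development AWS accounts
      SessionDuration: PT8H
      InlinePolicy:
        Version: "2012-10-17"
        Statement:
          # Broad freedom; IAM is handled below, and the OU's SCPs still deny foundation VPC changes
          - Sid: AllowBroadDevelopmentAccess
            Effect: Allow
            NotAction:
              - iam:*
              - organizations:*
              - account:*
            Resource: "*"
          - Sid: AllowIamReadOnly
            Effect: Allow
            Action:
              - iam:Get*
              - iam:List*
            Resource: "*"
          # The core control: roles may be created and given policies only when they carry the
          # boundary. The set is assigned to many accounts, so the account ID is a wildcard.
          - Sid: AllowRoleChangesOnlyWithBoundary
            Effect: Allow
            Action:
              - iam:CreateRole
              - iam:PutRolePermissionsBoundary
              - iam:PutRolePolicy
              - iam:DeleteRolePolicy
              - iam:AttachRolePolicy
              - iam:DetachRolePolicy
            Resource: !Sub arn:${AWS::Partition}:iam::*:role/*
            Condition:
              ArnLike:
                iam:PermissionsBoundary: !Sub arn:${AWS::Partition}:iam::*:policy/${pOrg}-base-team-dev-boundary
          # These actions do not expose iam:PermissionsBoundary; they rely on the denies below
          - Sid: AllowOtherRoleAndPolicyLifecycle
            Effect: Allow
            Action:
              - iam:DeleteRole
              - iam:UpdateRole
              - iam:UpdateAssumeRolePolicy
              - iam:PassRole
              - iam:CreateInstanceProfile
              - iam:DeleteInstanceProfile
              - iam:AddRoleToInstanceProfile
              - iam:RemoveRoleFromInstanceProfile
              - iam:CreatePolicy
              - iam:CreatePolicyVersion
              - iam:DeletePolicy
              - iam:DeletePolicyVersion
            Resource: "*"
          # Explicit denies win over every Allow above: foundation-named resources stay off limits
          - Sid: DenyWritesToFoundationIamResources
            Effect: Deny
            Action:
              - iam:Create*
              - iam:Put*
              - iam:Delete*
              - iam:Update*
              - iam:Attach*
              - iam:Detach*
              - iam:Add*
              - iam:Remove*
              - iam:Set*
              - iam:PassRole
            Resource:
              - !Sub arn:${AWS::Partition}:iam::*:role/${pOrg}-base-*
              - !Sub arn:${AWS::Partition}:iam::*:policy/${pOrg}-base-*
              - !Sub arn:${AWS::Partition}:iam::*:instance-profile/${pOrg}-base-*
          - Sid: DenyRemovingBoundaries
            Effect: Deny
            Action:
              - iam:DeleteRolePermissionsBoundary
            Resource: "*"
```

The statement to review most carefully is AllowRoleChangesOnlyWithBoundary: if the boundary policy has not yet been deployed to an account, or was deployed under a different pOrg prefix, every iam:CreateRole from this permission set fails in that account, which is the intended fail-closed behaviour rather than a misconfiguration to work around.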

Later, when you onboard the builder teams to their team development AWS accounts, you’ll reference this permission set.