HHS / simpler-grants-gov

https://simpler.grants.gov

[Task]: Create User Groups for Simpler AWS Engineers #799

Open acouch opened 11 months ago

acouch commented 11 months ago

Summary

In order to implement #798, we need to create user groups for appropriate access control in the Simpler AWS accounts. This task is to determine what those group(s) should be (admin, engineer, infra engineer?) and determine the correct level of access for each group.

This task will likely be broken off into a sub-task or separate task to implement the new group and ensure that Simpler AWS users are assigned properly.

Tasks

Acceptance criteria

acouch commented 10 months ago

Need to finish list here: https://app.gitbook.com/o/cFcvhi6d0nlLyH2VzVgn/s/v1V0jIH7mb7Yb3jlNrgk/~/changes/60/engineering/security/draft-access-control-list and send back to @jldroid19

coilysiren commented 10 months ago

I can help with creating a list of AWS services that should be in scope for each role

coilysiren commented 10 months ago

Here's a good starter list of services that the developer role should have access to:

https://github.com/navapbc/template-infra/pull/537/files#diff-1c888f9633e74e53b69af6a3133962142f66bd030bc8768b214500c9b8c1bd91

except the blanket IAM permission

coilysiren commented 10 months ago

1. First task: define that 200 ~ 400 itemized JSON list of baseline permissions for each role
2. Second task: define the specific IAM self-management permissions that need to be local to the account, as opposed to being defined in Identity Center
3. Third task: refine the itemized list of JSON baseline permissions into an actual working state
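As an added example (not code from this issue or the project), a small lint over a permission-set JSON of the kind the three tasks above describe: it counts the itemized Allow actions and flags blanket grants such as the `iam:*` permission that the earlier comment says to leave out. The sample policy is constructed for illustration.

```python
import json

# Constructed sample: a trimmed "developer" baseline of the kind the thread
# asks for, deliberately carrying the blanket IAM grant that the
# template-infra list includes and that the thread says to leave out.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:DescribeLogGroups", "logs:GetLogEvents",
                    "ecs:DescribeServices", "ecs:ListTasks",
                    "s3:GetObject", "s3:ListBucket"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM accepts either a scalar or a list for Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json: str) -> dict:
    """Count itemized Allow actions and flag blanket (wildcard) grants.

    Returns {"itemized_actions": int, "findings": [str, ...]}.  An itemized
    action looks like "s3:GetObject"; "*" and "<service>:*" are blanket
    grants that a baseline permission set must not contain.
    """
    doc = json.loads(policy_json)
    itemized = set()
    findings = []
    for idx, stmt in enumerate(_as_list(doc["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append(f"Statement {idx}: '*' grants every action in every service")
            elif action.endswith(":*"):
                service = action.split(":", 1)[0]
                findings.append(f"Statement {idx}: blanket '{action}' grants every {service} action")
            elif "*" in action:
                findings.append(f"Statement {idx}: partial wildcard '{action}' needs review")
            else:
                itemized.add(action)
    return {"itemized_actions": len(itemized), "findings": findings}


if __name__ == "__main__":
    print(json.dumps(lint_policy(SAMPLE_POLICY), indent=2))
```

Run it against each role's draft list before wiring the set into Identity Center; a non-empty findings list means the draft still carries a blanket grant.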