[Task]: Create User Groups for Simpler AWS Engineers

acouch commented 11 months ago

Summary

In order to implement #798 , we need to create user groups for appropriate access control in the Simpler AWS accounts. This task is to determine what those group(s) should be (admin, engineer, infra engineer?) and determine the correct level of access for each group.

This task will likely be broken off into a sub-task or separate task to implement the new group and ensure that Simpler AWS users are assigned properly.

Tasks

[ ] Define 200-400 itemized json for baseline permissions list for each roll
[ ] Define specific set of IAM self-management permissions

Acceptance criteria

[ ] Group(s) identified with a useful description or determination of the correct levels of access

acouch commented 10 months ago

Need to finish list here: https://app.gitbook.com/o/cFcvhi6d0nlLyH2VzVgn/s/v1V0jIH7mb7Yb3jlNrgk/~/changes/60/engineering/security/draft-access-control-list and send back to @jldroid19

coilysiren commented 10 months ago

I can help with creating a list of AWS services that should be in scope for each role

coilysiren commented 10 months ago

Here's a good starter list of services that the developer role should have access to:

https://github.com/navapbc/template-infra/pull/537/files#diff-1c888f9633e74e53b69af6a3133962142f66bd030bc8768b214500c9b8c1bd91

except the blanket IAM permission

coilysiren commented 10 months ago

First task: define that 200 ~ 400 itemized JSON list of baseline permissions for each role
Second task: define the specific IAM self management permissions, that need to be local to the account, as opposed to being defined in identity center
Third task: refine the itemized list of JSON baseline permissions into an actual working state

HHS / simpler-grants-gov