We might need a separate AWS account that runs production. This means eventually we will be running at least 3 different AWS accounts - 5d
Come up with a list of target entities - 1d
Come up with privileges for those target entities - 1d
Come up with an environment-based grouping of target entities and privileges - 1d
Come up with a base set of roles (target entity + privilege + environment => role), covering - 2d
-- AWS console access
-- SSH access to servers
-- AWS service access (EC2, RDS, Cognito, S3, etc.)
User groups will be assigned one or more roles - 1d
Users will be a part of one or more user groups - 0d
We’ll then do a staggered switch from the old way of access to the new approach - 0d
Deprecate the old SSH keys and AWS credentials which grant role/user-group-agnostic access - 2d
Total: 8d for the IAM work (items 2-12) * 2 (ramp-up, misc tasks, bugs/issues) = 16d, plus 5d for the production account ≈ 20d => 4 weeks - high-level estimate
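To make the role model above concrete (target entity + privilege + environment => role, groups assigned roles, users in groups, and the old key-based access to deprecate), here is a small Python sketch. It is an added example, not code from the plan or the team; the account IDs, role and group names, the privilege-to-action mapping, and the sample users are all assumptions. It assumes the plan's separate accounts: users and groups live in one identity account, and each environment is its own AWS account, so environment scoping is enforced by the account boundary rather than by per-resource conditions.

```python
"""Entity + privilege + environment => role, with groups and users on top.
Added example; account IDs, names and action lists are assumptions."""
import json

# Assumption: one identity account holds users and groups; each environment
# is a separate AWS account (placeholder IDs, not real accounts).
IDENTITY_ACCOUNT = "000000000000"
ENV_ACCOUNTS = {"dev": "111111111111", "staging": "222222222222", "prod": "333333333333"}

# Assumed privilege tiers. The SSH line item maps onto IAM-gated instance
# access (SSM Session Manager / EC2 Instance Connect) rather than shared keys.
PRIVILEGES = {
    "readonly": ["ec2:Describe*", "rds:Describe*", "s3:Get*", "s3:List*",
                 "cognito-idp:Describe*", "cognito-idp:List*"],
    "operator": ["ec2:*", "rds:*", "s3:*", "cognito-idp:*",
                 "ssm:StartSession", "ec2-instance-connect:SendSSHPublicKey"],
}


def role_name(entity, privilege, env):
    """Target entity + privilege + environment => exactly one role name."""
    if privilege not in PRIVILEGES or env not in ENV_ACCOUNTS:
        raise ValueError(f"unknown privilege {privilege!r} or env {env!r}")
    return f"{env}-{entity}-{privilege}"


def role_arn(entity, privilege, env):
    """The role lives in the environment's own account."""
    return f"arn:aws:iam::{ENV_ACCOUNTS[env]}:role/{role_name(entity, privilege, env)}"


def build_role(entity, privilege, env):
    """Role in the environment account: trusts the identity account (MFA
    required), permissions limited to the privilege tier."""
    trust = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{IDENTITY_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }]}
    permissions = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": PRIVILEGES[privilege], "Resource": "*",
    }]}
    return {"RoleName": role_name(entity, privilege, env),
            "AssumeRolePolicyDocument": trust,
            "PermissionsPolicy": permissions}


def build_group_policy(role_keys):
    """Policy attached to a user group in the identity account: members get
    nothing directly except permission to assume the group's roles."""
    arns = sorted(role_arn(*k) for k in role_keys)
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": arns,
    }]}


def effective_roles(user, memberships, group_roles):
    """Roles a user can reach: the union over the groups they belong to."""
    arns = set()
    for group in memberships.get(user, ()):
        arns.update(role_arn(*k) for k in group_roles.get(group, ()))
    return arns


def agnostic_access(users):
    """Flag what the last step deprecates: long-lived access keys and policies
    attached straight to a user, both of which bypass groups and roles."""
    findings = []
    for u in users:
        if u.get("AccessKeys"):
            findings.append((u["UserName"], "long-lived access key"))
        if u.get("AttachedPolicies"):
            findings.append((u["UserName"], "user-attached policy"))
    return findings


# Constructed sample data (not real users, groups or keys).
GROUP_ROLES = {
    "backend-devs": [("backend", "operator", "dev"), ("backend", "readonly", "staging")],
    "oncall": [("backend", "operator", "prod")],
}
MEMBERSHIPS = {"alice": ["backend-devs"], "bob": ["backend-devs", "oncall"]}
USERS = [
    {"UserName": "alice", "AccessKeys": [], "AttachedPolicies": []},
    {"UserName": "bob", "AccessKeys": ["AKIA-example"], "AttachedPolicies": ["AdministratorAccess"]},
]

if __name__ == "__main__":
    print(json.dumps(build_role("backend", "readonly", "staging"), indent=2))
    print(json.dumps(build_group_policy(GROUP_ROLES["backend-devs"]), indent=2))
    print(sorted(effective_roles("bob", MEMBERSHIPS, GROUP_ROLES)))
    print(agnostic_access(USERS))
```

Two caveats worth keeping in mind when turning this into real policies: `Resource: "*"` is acceptable here only because the account boundary does the environment scoping (many `Describe*`/`List*` actions cannot be restricted per resource anyway), and the `agnostic_access` check is the inventory you would want before the staggered cutover, since every user it flags still has a path to AWS that ignores the group/role model.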