Consider a person coming to this project to try to "grok" the huge myriad of services, tools, concepts, etc. that is CF and all its friends. This person may not have any experience with things like IAM with AWS, so we need to explain in much more detail:
What kind of user do I create?
What sort of settings will I have to supply for the user in question when I create it? (Other than "name")
How do I associate my IAM user that I just created with my actual AWS account? Or... do I even need to?
What if I don't have any IAM configuration - no users, no groups, nothing - in AWS?
Let's say a user set up a fresh account with Amazon to try this out (for whatever reason). They have no IAM groups, so telling them "add the new user to a group" is totally useless. First, they have to create a group; several questions come to mind there:
What kind of group do I create?
What policy do I "apply" to that group?
Do I have to have some form of "superuser" policy or access level for the group?
Are there any restrictions on naming the group? Will anything be applying a "convention over configuration" approach to the name, acting differently if I do or don't include some magic key word, suffix, [brackets] or something?
What information do I need to create the group? Just the name, or do I have to provide other information (e.g. integration/configuration data from somewhere else, etc.)?
What if my organization already has IAM users, groups, and policies set up? What specific policy/policies or set of permissions do I need to run this code as intended?
Internally I was told when first reviewing this project to set up a "PowerUser" group with a policy allowing quite a wide array of permissions within AWS. Some organizations won't be comfortable with that and in fact may not be able to allow that for reasons of law, compliance requirements, auditors, etc. So how do you create your IAM user and IAM group, or associate an existing user, group and policy, such that you're not grabbing ALL the privileges, but just the bare minimum you need to run this?
And finally... is there any way to segregate the user, group and/or policy such that this user cannot make any changes to existing AWS resources, nor can they even read existing resources? Think about "containment" in the event you have to create a superuser group and the key ID and secret somehow get divulged to "the bad guys"; if that happens, how do we prevent it from impacting our other AWS stuff?