com-pas / compas-architecture

Project's architecture documentation
Creative Commons Attribution 4.0 International
9 stars 5 forks

Change AWS root account #170

Closed Sander3003 closed 1 year ago

Sander3003 commented 1 year ago

Create AWS IAM user for LF energy. Activities with the root IAM users are barely needed. There are 2 options:

  1. Create an AWS root user with the e-mail address CoMPAS-tsc@lists.lfenergy.org and ask @jmertic to put it in the LF energy secret store.

Todo first: Check if this account cannot be hacked (e.g. by password reset).

Advantage: more control/power. Downside: more responsibility.

  2. Ask LF energy to arrange it; we barely need this account. LF energy manages access. @jmertic can you create an AWS IAM account for LF energy?

Advantage: clear owner, managed by a professional organisation. Downside: dependency on LF energy and their availability.

@jmertic What do you prefer? @pascalwilbrink can you check the security concerns of option 1?

Sander3003 commented 1 year ago

We are currently using a personal root account tied to a person; it would be nice to tie it to an organization (if possible).

Sander3003 commented 1 year ago

https://www.missioncloud.com/blog/aws-root-account-security-best-practices

Sander3003 commented 1 year ago

Based on some reading, I would suggest LF (energy) manages the AWS-root account and the CoMPAS team space (organisation unit?) with a group of CoMPAS admin users to deploy and manage LF energy CoMPAS demo setup. @pascalwilbrink will this work?

Root user tasks are not needed to just deploy the CoMPAS demo on AWS: https://docs.aws.amazon.com/accounts/latest/reference/root-user-tasks.html
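The two root-user hardening checks a practitioner would run before handing the account over (MFA enabled on root, no root access keys), as an added example that is not CoMPAS project code. It evaluates the output of `aws iam get-account-summary`, whose `SummaryMap` fields `AccountMFAEnabled` and `AccountAccessKeysPresent` are the real field names; the JSON samples are constructed and the function and constant names are assumptions.

```python
"""Evaluate AWS root-user hardening from `aws iam get-account-summary` output.

Added example for this issue thread, not CoMPAS code. Usage against a real
account (assumes the AWS CLI is configured):

    aws iam get-account-summary | python3 check_root.py

Without piped input it evaluates the constructed sample below.
"""
import json
import sys

# Constructed sample (not captured from a real account): root has an MFA
# device, but a long-lived root access key still exists.
SAMPLE_SUMMARY = json.dumps({
    "SummaryMap": {
        "AccountMFAEnabled": 1,
        "AccountAccessKeysPresent": 1,
        "Users": 3,
        "UsersQuota": 5000,
    }
})

# Constructed sample of an account that passes both checks.
HARDENED_SUMMARY = json.dumps({
    "SummaryMap": {
        "AccountMFAEnabled": 1,
        "AccountAccessKeysPresent": 0,
    }
})

NO_MFA = "root user has no MFA device"
ROOT_KEYS = "root user has access keys; delete them and use IAM users/roles instead"


def root_findings(summary_json: str) -> list[str]:
    """Return the root-user problems found in an account summary document.

    An empty list means both checks pass: the root user has an MFA device,
    and no root access keys exist, so only the console password plus MFA
    can act as root (which is all the documented root-only tasks need).
    """
    summary = json.loads(summary_json)["SummaryMap"]
    findings = []
    # AccountMFAEnabled is 1 when root has a virtual or hardware MFA device.
    if summary.get("AccountMFAEnabled", 0) != 1:
        findings.append(NO_MFA)
    # AccountAccessKeysPresent is 1 when the root user has any access keys.
    if summary.get("AccountAccessKeysPresent", 0) != 0:
        findings.append(ROOT_KEYS)
    return findings


if __name__ == "__main__":
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SUMMARY
    problems = root_findings(source)
    for line in problems or ["root user checks pass"]:
        print(line)
    sys.exit(1 if problems else 0)
```

The account summary is readable with the `iam:GetAccountSummary` permission on an ordinary IAM user, so this check itself does not require logging in as root.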

Sander3003 commented 1 year ago

@pascalwilbrink requested LF energy to go for option 2.

Sander3003 commented 1 year ago

Done