eosnetworkfoundation / engineering

A workspace for documentation by Engineering primarily regarding process
MIT License

AWS Account Federation #12

Closed kj4ezj closed 1 year ago

kj4ezj commented 1 year ago

Background

As discussed in issue 5, both Amazon Web Services (AWS) best practices and Google Cloud Platform (GCP) best practices recommend that any organization distribute their cloud infrastructure among multiple accounts, to use AWS terminology. The EOS Network Foundation (ENF) is now doing this.

Problem

ENF cloud infrastructure administrators currently juggle multiple logins to access the different AWS accounts in use. While administrators of the ENF organization do retain absolute control over all accounts and resources, there is not a clear pattern for anyone to use their existing credentials to access resources in new accounts. This creates friction for internal customers as well as unnecessary complexity and opacity for administrators. Relying on humans to secure multiple sets of credentials also increases risk exposure.

Solution

The EOS Network Foundation needs to implement federated logins within our Amazon Web Services organization. We can accomplish this with our existing resources by federating our Google Workspace (G Suite) accounts into AWS IAM Identity Center as described here and here. This will empower cloud administrators to use AWS IAM Identity Center to grant individuals and teams access to cloud resources across the organization based on need using identity and access management (IAM). This also simplifies off-boarding by implicitly revoking access to AWS resources when access to Google resources (Drive, Gmail, GCP, etc.) is revoked.

This type of user access will be portable across the organization no matter how many AWS accounts are created for different systems. One or more select organization administrators would still be required to maintain a login detached from Google to the management account, but administrators logging in using Federation would have visibility into the whole organization by default as defined by our IAM policy.
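The access model proposed in the comment above (one permission set, assigned to a Google-sourced group, reused across every member account) written out as an added Terraform example. This is not code from the original issue or from the ENF repository. It assumes an IAM Identity Center instance already exists in the management account with Google Workspace configured as the external SAML identity provider and SCIM provisioning turned on, that a Google group named `cloud-admins` (a hypothetical name) has been synced into the Identity Store, and that the variable `workload_account_ids` (also hypothetical) lists the member account IDs to grant into.

```hcl
# Added example, not part of the original issue. Assumes the AWS provider is
# configured against the management account (or the delegated Identity Center
# administrator account) and that Google Workspace -> IAM Identity Center
# SAML federation and SCIM provisioning are already set up.

variable "workload_account_ids" {
  description = "Hypothetical list of member account IDs to grant access into."
  type        = list(string)
}

# There is exactly one Identity Center instance per organization; pull its
# ARN and Identity Store ID rather than hard-coding them.
data "aws_ssoadmin_instances" "this" {}

locals {
  instance_arn      = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
}

# Look up the group that SCIM provisioning created from the Google Workspace
# group "cloud-admins" (hypothetical name). Membership is managed in Google,
# never here, so removing someone from the Google group is the off-boarding step.
data "aws_identitystore_group" "cloud_admins" {
  identity_store_id = local.identity_store_id

  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = "cloud-admins"
    }
  }
}

# A permission set is a role template. Keep the session short; federated
# sessions are re-issued by the IdP, so a short duration costs little.
resource "aws_ssoadmin_permission_set" "readonly" {
  name             = "ReadOnly"
  description      = "Read-only access for federated cloud administrators"
  instance_arn     = local.instance_arn
  session_duration = "PT4H"
}

# Start from the AWS-managed ReadOnlyAccess policy; attach a customer-managed
# policy or inline policy instead when the team needs less than this.
resource "aws_ssoadmin_managed_policy_attachment" "readonly" {
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.readonly.arn
  managed_policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

# One assignment per member account. Adding a new account to the organization
# means adding its ID to the variable, not creating new logins for anyone.
resource "aws_ssoadmin_account_assignment" "readonly_cloud_admins" {
  for_each = toset(var.workload_account_ids)

  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.readonly.arn
  principal_id       = data.aws_identitystore_group.cloud_admins.group_id
  principal_type     = "GROUP"
  target_id          = each.value
  target_type        = "AWS_ACCOUNT"
}
```

Two practical notes. First, the assignment targets a group, not individual users, so the "implicit revocation" in the proposal actually happens when the next SCIM sync drops a user from `cloud-admins`; suspending the Google account also ends SAML sign-in immediately, but an already-issued AWS session lives until `session_duration` expires. Second, the detached management-account login the comment keeps for break-glass use sits entirely outside this flow, so it still needs its own MFA and sign-in alerting; federation does not cover it.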

kj4ezj commented 1 year ago

I believe this is a prerequisite to issue 5.

stephenpdeos commented 1 year ago

This proposal has been rejected so we are returning to an evaluation phase.