ministryofjustice / modernisation-platform

A place for the core work of the Modernisation Platform • This repository is defined and managed in Terraform
https://user-guide.modernisation-platform.service.justice.gov.uk
MIT License

Create SSO group to allow customers to administer AWS Managed Microsoft Active Directory #5809

Closed dms1981 closed 9 months ago

dms1981 commented 10 months ago

User Story

As a Modernisation Platform Customer I expect to have an SSO role for Domain Administration So that I can conduct AD administration tasks in the core-shared-services account

Value / Purpose

If/when we deploy AWS Managed Microsoft Active Directory in the core-shared-services repository we will need to grant users access to these deployments. I think this is best done through the creation of an SSO group that can be assigned to a later-to-be-defined GitHub Team (or a pre-existing GitHub team).

Useful Contacts

@dms1981

Additional Information

The SSO group will need to be created in the aws-root-account/management-account/terraform/sso-permission-sets.tf. If pre-defined AWS policies are not appropriate then we will need to define this in code in the modernisation-platform account. This group ought to be referenced in the modernisation-platform/environments/core-shared-services.json and created through the single-sign-on job as part of the Terraform: Scheduled baseline.

https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_managed_policies.html

Proposal / Unknowns

Can this be refined so that users only get access to a selected set of resources? For example, if our policy defines access to any AWS Managed Microsoft Active Directory deployment, can this be restricted to only deployments that match a business-unit tag so that HMPPS domain administrators can't see OPG Active Directory deployments?

Definition of Done

dms1981 commented 9 months ago

I've discussed this with @davidkelliott and I don't think this is quite relevant. It might have been, but it was very focused on AWS Managed Microsoft AD.

I think that as we're going to deploy infrastructure in core-shared-services we need a way to secure access based on further attributes like the github_team value, which we'd need to pass into AWS SSO from Auth0. We could then use this to prevent cross-team access to resources in core-shared-services.

"Condition": {
  "StringEquals": {
    "aws:PrincipalTag/github_team": "github_team:${ec2:ResourceTag/github-team}"
  }
}
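An added illustration (not code from the repository) of what the tag-matching condition above does: a small Python model of a single Allow statement carrying that exact condition, evaluated against constructed SSO principals and EC2 resources. The team names, tag values and the simplified evaluation (no other statements, SCPs or explicit Deny) are assumptions made here for the example.

```python
import re
from typing import Dict, Optional

# Condition block copied verbatim from the comment above.
CONDITION = {
    "StringEquals": {
        "aws:PrincipalTag/github_team": "github_team:${ec2:ResourceTag/github-team}"
    }
}

_VAR = re.compile(r"\$\{ec2:ResourceTag/([^}]+)\}")


def resolve_value(template: str, resource_tags: Dict[str, str]) -> Optional[str]:
    """Expand ${ec2:ResourceTag/key} policy variables from the resource's tags.
    Returns None when a referenced tag is absent: an unresolvable variable means
    the StringEquals test cannot match, so the statement grants nothing."""
    missing = False

    def sub(m: "re.Match[str]") -> str:
        nonlocal missing
        value = resource_tags.get(m.group(1))
        if value is None:
            missing = True
            return ""
        return value

    expanded = _VAR.sub(sub, template)
    return None if missing else expanded


def condition_matches(condition: dict, principal_tags: Dict[str, str],
                      resource_tags: Dict[str, str]) -> bool:
    """All StringEquals entries must match (AND). Note the two tag keys in the
    posted condition differ ('github_team' on the principal, 'github-team' on
    the resource); both spellings must match what SSO and the tagging produce."""
    prefix = "aws:PrincipalTag/"
    for ctx_key, template in condition["StringEquals"].items():
        if not ctx_key.startswith(prefix):
            raise ValueError(f"unsupported condition key: {ctx_key}")
        actual = principal_tags.get(ctx_key[len(prefix):])   # None if tag absent
        expected = resolve_value(template, resource_tags)
        if actual is None or expected is None or actual != expected:
            return False
    return True


# Constructed sample data. The literal "github_team:" prefix in the condition
# value means the principal's tag must carry that prefix too.
PRINCIPALS = {"hmpps": {"github_team": "github_team:hmpps-ad-admins"},
              "opg": {"github_team": "github_team:opg-ad-admins"}}
RESOURCES = {"hmpps-dc": {"github-team": "hmpps-ad-admins", "business-unit": "hmpps"},
             "opg-dc": {"github-team": "opg-ad-admins", "business-unit": "opg"},
             "untagged": {"Name": "legacy-dc"}}


def access_matrix() -> Dict[tuple, bool]:
    """Allow/deny decision of the conditioned Allow statement for every pair."""
    return {(p, r): condition_matches(CONDITION, pt, rt)
            for p, pt in PRINCIPALS.items() for r, rt in RESOURCES.items()}


if __name__ == "__main__":
    for (p, r), ok in access_matrix().items():
        print(f"{p:5} -> {r:9}: {'allow' if ok else 'deny'}")
```

The untagged resource is denied to everyone, which is the safe default of an Allow-with-condition but also means every deployment must be tagged before its own team can administer it.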