Closed by dms1981 9 months ago
I've discussed this with @davidkelliott and I don't think this is quite relevant. It might have been, but it was very focused on AWS Managed Microsoft AD.
I think that as we're going to deploy infrastructure in core-shared-services we need a way to secure access based on further attributes like the github_team value, which we'd need to pass into AWS SSO from Auth0. We could then use this to prevent cross-team access to resources in core-shared-services:

```json
"Condition": {
  "StringEquals": {
    "aws:PrincipalTag/github_team": "github_team:${ec2:ResourceTag/github-team}"
  }
}
```
User Story
As a Modernisation Platform Customer, I expect to have an SSO role for Domain Administration, so that I can conduct AD administration tasks in the core-shared-services account.
Value / Purpose
If/when we deploy AWS Managed Microsoft Active Directory in the core-shared-services repository we will need to grant users access to these deployments. I think this is best done through the creation of an SSO group that can be assigned to a later-to-be-defined GitHub Team (or a pre-existing GitHub team).
Useful Contacts
@dms1981
Additional Information
The SSO group will need to be created in aws-root-account/management-account/terraform/sso-permission-sets.tf. If pre-defined AWS policies are not appropriate then we will need to define this in code in the modernisation-platform account. This group ought to be referenced in modernisation-platform/environments/core-shared-services.json and created through the single-sign-on job as part of the Terraform: Scheduled baseline.
https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_managed_policies.html
Proposal / Unknowns
Can this be refined so that users only get access to a selected set of resources? For example, if our policy defines access to any AWS Managed Microsoft Active Directory deployment, can this be restricted to only deployments that match a business-unit tag, so that HMPPS domain administrators can't see OPG Active Directory deployments?
Definition of Done
core-shared-services.json and tested
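The tag-matching condition sketched in the closing comment and the business-unit question above are the same technique: attribute-based access control, where a principal tag set by IAM Identity Center (AWS SSO) must equal a tag on the directory. The Terraform below is an added example, not code from the modernisation-platform or aws-root-account repositories. It assumes the permission set name ad-domain-admin, a directory tag key business-unit, that "attributes for access control" is enabled on the Identity Center instance so a business-unit attribute from the IdP arrives as aws:PrincipalTag/business-unit, and a representative list of ds: actions that take a directory ARN. One caveat the question should be read against: ds:DescribeDirectories only accepts resource "*", so tag conditions can stop an HMPPS administrator from acting on an OPG directory but not from listing it. The same pattern works with a github_team tag key in place of business-unit.

```hcl
# Added example (not the project's code). Assumed names: permission set
# "ad-domain-admin", tag key "business-unit". Requires ABAC attributes for
# access control to be enabled on the Identity Center instance so that the
# business-unit attribute is attached to the session as a principal tag.

data "aws_ssoadmin_instances" "main" {}

locals {
  sso_instance_arn = tolist(data.aws_ssoadmin_instances.main.arns)[0]
}

resource "aws_ssoadmin_permission_set" "ad_domain_admin" {
  name             = "ad-domain-admin" # hypothetical name
  description      = "Domain administration of AWS Managed Microsoft AD in core-shared-services"
  instance_arn     = local.sso_instance_arn
  session_duration = "PT1H"
}

# Read-only visibility of every directory. ds:DescribeDirectories only
# accepts resource "*", so listing cannot be narrowed by tag; only the
# mutating actions below are scoped.
resource "aws_ssoadmin_managed_policy_attachment" "ad_read_only" {
  instance_arn       = local.sso_instance_arn
  managed_policy_arn = "arn:aws:iam::aws:policy/AWSDirectoryServiceReadOnlyAccess"
  permission_set_arn = aws_ssoadmin_permission_set.ad_domain_admin.arn
}

data "aws_iam_policy_document" "ad_domain_admin" {
  # Allow mutating actions only on directories whose business-unit tag equals
  # the caller's business-unit principal tag. "$${...}" is Terraform's escape
  # so the literal "${aws:PrincipalTag/business-unit}" reaches IAM.
  statement {
    sid    = "ManageOwnBusinessUnitDirectories"
    effect = "Allow"
    actions = [
      "ds:ResetUserPassword",
      "ds:CreateAlias",
      "ds:UpdateNumberOfDomainControllers",
      "ds:AddIpRoutes",
      "ds:RemoveIpRoutes",
      "ds:EnableLDAPS",
      "ds:DisableLDAPS",
    ]
    resources = ["arn:aws:ds:*:*:directory/*"]
    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/business-unit"
      values   = ["$${aws:PrincipalTag/business-unit}"]
    }
  }

  # A principal that arrives without the attribute gets nothing at all, rather
  # than falling through to the read-only managed policy above.
  statement {
    sid       = "DenyUntaggedPrincipal"
    effect    = "Deny"
    actions   = ["ds:*"]
    resources = ["*"]
    condition {
      test     = "Null"
      variable = "aws:PrincipalTag/business-unit"
      values   = ["true"]
    }
  }
}

resource "aws_ssoadmin_permission_set_inline_policy" "ad_domain_admin" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.ad_domain_admin.arn
  inline_policy      = data.aws_iam_policy_document.ad_domain_admin.json
}
```

Two things to check when testing this: the directory must actually carry the business-unit tag (an untagged directory never satisfies StringEquals, which fails closed), and the comparison is literal, so a principal tag value such as github_team:hmpps will not match a resource tag of hmpps unless both sides use the same prefix convention.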