@@ -16,7 +16,7 @@ solutions.
1616** Global vs Hierarchical Identity Namespace**
1717
1818AWS' Identity and Access Management service provides the primitives to implement fine-grained access control to
19- +3,500 AWS service APIs and resources. However, IAM provides no real opinion on how to model and implement complex
19+ +3,500 AWS service APIs and resources. However, IAM provides no real opinion on how to model and implement complex
2020access control structures required by large organizations. The problem of ensuring Team A only has access to Team A's
2121resources within an AWS account is left to the AWS user. IAM provides a flat, global namespace and definition structure
2222within an Account for identities and policies. By contrast, GCP and Azure provide hierarchical modeling mechanisms and
7676```
7777
7878The design accommodates the wide set of people, skills, and techniques used throughout Helpful Engineering and scopes the
79- management, fault, and security domain to the project team. Using separate AWS accounts for each project team
79+ management, fault, and security domain to the project team. Using separate AWS accounts for each project team
8080creates a strong security boundary between teams that isolates each project's activities, resources, and
81- data from each other.
81+ data from each other.
8282
8383The Helpful Engineering AWS Organization OU will be configured to match the depicted hierarchy. This OU
8484structure enables use of both shared and project-specific Service Control Policy.
@@ -97,17 +97,17 @@ accounts in the landing zone.
9797** Sandbox Accounts**
9898
9999The ` he-sandbox2 ` account is a '[ sandbox] ( https://chariotsolutions.com/blog/post/building-developer-sandboxes-on-aws/ ) '
100- account teams can use to experiment and prototype solutions. Applications should not be operated for customers out of
101- sandbox accounts. The DevOps team should consider enforcing this policy with a governance tool like Cloud Custodian
100+ account teams can use to experiment and prototype solutions. Applications should not be operated for customers out of
101+ sandbox accounts. The DevOps team should consider enforcing this policy with a governance tool like Cloud Custodian
102102that destroys resources some number of days after provisioning, e.g. 10 days.
103103
104104** Project Delivery Accounts**
105105
106- The DevOps team will provision two 'delivery' accounts for each project team: ` dev ` and ` prod ` . Teams will use the
107- ` dev ` account to develop their applications and test application deployments. Applications should be delivered
108- to the production account for operation and use by customers and end users.
106+ The DevOps team will provision two 'delivery' accounts for each project team: ` dev ` and ` prod ` . Teams will use the
107+ ` dev ` account to develop their applications and test application deployments. Applications should be delivered
108+ to the production account for operation and use by customers and end users.
109109
110- The project team is responsible for delivering applications to their accounts with support by the DevOps team.
110+ The project team is responsible for delivering applications to their accounts with support by the DevOps team.
111111
112112Project teams should adopt automated continuous integration to build application artifacts. These artifacts can be
113113stored in:
@@ -120,11 +120,11 @@ The DevOps team recommends that project teams adopt automated continuous deliver
120120
121121** Identities**
122122
123- Each project account will have a limited set of IAM roles for people and services. Helpful Engineers will use the
124- people roles to access the account and configure resources. Helpful Engineering automation and applications will use
125- service roles to deliver and operate applications.
123+ Each project account will have a limited set of IAM roles for people and services. Helpful Engineers will use the
124+ people roles to access the account and configure resources. Helpful Engineering automation and applications will use
125+ service roles to deliver and operate applications.
126126
127- The people roles will be accessed using single sign-on (AWS SSO and/or Azure AD). The standard people roles and
127+ The people roles will be accessed using single sign-on (AWS SSO and/or Azure AD). The standard people roles and
128128their intended uses are:
129129
130130* ` admin ` - Used by DevOps team members to perform emergency operational tasks and initial account configuration
@@ -133,17 +133,17 @@ activities:
133133 * configure resources needed by automated configuration management tools
134134 * file support cases
135135* ` appeng ` - Used by application engineers (developers) to build and manage applications used by either external or
136- internal customers. The ` appeng ` role will start with the managed ` PowerUser ` policy. The ` PowerUser ` policy gives
136+ internal customers. The ` appeng ` role will start with the managed ` PowerUser ` policy. The ` PowerUser ` policy gives
137137application engineers a lot of capabilities, minus the ability to configure IAM.
138138
139- People roles will be defined via [ AWS SSO permission sets] ( https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetsconcept.html ) .
139+ People roles will be defined via [ AWS SSO permission sets] ( https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetsconcept.html ) .
140140
141141The service roles each project will start with are:
142142
143143* ` delivery-<project name> ` - Used by automation to build, package, and deliver applications & infrastructure via CI/CD.
144144Teams using CI/CD services outside of AWS will likely need a delivery IAM user that instead or in addition to the role.
145- * ` svc-<project name> ` - Used as the application's EC2/Task/Function execution role. The application operates with this
146- identity and attached privileges. When an application has multiple components, we can provision a role for each named
145+ * ` svc-<project name> ` - Used as the application's EC2/Task/Function execution role. The application operates with this
146+ identity and attached privileges. When an application has multiple components, we can provision a role for each named
147147in the form ` svc-<project name>-<component> ` , e.g. ` svc-monitoring-O2-ingress ` and ` svc-monitoring-O2-analyzer ` .
148148* ` aws-controltower-AuditReadOnlyRole ` - The Audit account's ` aws-controltower-AuditReadOnlyRole ` will be used to
149149perform security and compliance audits of project accounts.
0 commit comments