This repository has been archived by the owner on Jan 20, 2020. It is now read-only.

DEPRECATED — Self Service AWS IAM Policies for dev at scale

coinbase/self-service-iam

Self-Service Cloud Security

AWS CloudFormation templates for self-service IAM policies. They let an engineering team create and manage their own IAM users, access keys and permissions at scale in development accounts. This approach is not intended for production accounts. See our full blog post with instructions on how to use here.

These templates split users into three types: Admins, Engineers and Service users. Admins can manage all users. Engineers can manage their own sub-users, keys and permissions, with per-engineer isolation (including isolation in S3) enforced through IAM policy variables such as `${aws:username}`, which IAM substitutes from the caller's identity at evaluation time.

Example statement allowing engineers to manage only sub-users whose names start with their own username. Because the resource is `user/${aws:username}-*`, an engineer named `alice` is confined to `alice-*` and cannot touch `alice` itself or anyone else's namespace. The `Null` condition on `aws:MultiFactorAuthAge` set to `"false"` requires that key to be present, which is only the case when the session was authenticated with MFA; `aws:SecureTransport` requires the request to arrive over TLS. The literal `${aws:username}` passes through `Fn::Join` unchanged as shown; if the ARN were built with `Fn::Sub` instead, it would have to be written `${!aws:username}` so CloudFormation does not treat it as a template variable.

```json
{
  "Sid": "AllowEngineeringToSubUsers",
  "Effect": "Allow",
  "Action": [
    "iam:CreateUser",
    "..."
  ],
  "Resource": [
    {"Fn::Join" :
      [ "",[ "arn:aws:iam::", { "Ref": "AWS::AccountId" } ,":user/${aws:username}-*"]]
    }
  ],
  "Condition" : {
    "Null": {"aws:MultiFactorAuthAge":"false"},
    "Bool": {"aws:SecureTransport":"true"}
  }
}
```
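To see how the isolation actually plays out, the following is an added example (not code from this repository) that takes the statement above, resolves the two CloudFormation intrinsics it uses, and evaluates sample requests offline the way IAM would for a single Allow statement: wildcard matching on action and resource, `${aws:username}` substitution from the request context, and the `Null`/`Bool` condition operators. The account id and the actions after `iam:CreateUser` are assumptions for the demo; explicit Deny statements, permissions boundaries and SCPs are deliberately not modelled.

```python
"""Offline evaluator for the README's self-service IAM statement (added example,
not project code). Models ONE Allow statement: action/resource wildcards,
${aws:username} policy-variable substitution, and the Null/Bool condition
operators. Explicit Deny, permissions boundaries and SCPs are not modelled."""
import re

ACCOUNT_ID = "123456789012"  # constructed placeholder account id

# The README's statement. Every action after iam:CreateUser is assumed for the demo.
RAW_STATEMENT = {
    "Sid": "AllowEngineeringToSubUsers",
    "Effect": "Allow",
    "Action": ["iam:CreateUser", "iam:DeleteUser", "iam:CreateAccessKey", "iam:DeleteAccessKey"],
    "Resource": [
        {"Fn::Join": ["", ["arn:aws:iam::", {"Ref": "AWS::AccountId"}, ":user/${aws:username}-*"]]}
    ],
    "Condition": {
        "Null": {"aws:MultiFactorAuthAge": "false"},
        "Bool": {"aws:SecureTransport": "true"},
    },
}


def resolve_cfn(node, account_id):
    """Resolve the two CloudFormation intrinsics the snippet uses: Fn::Join and Ref AWS::AccountId."""
    if isinstance(node, dict) and "Fn::Join" in node:
        sep, parts = node["Fn::Join"]
        return sep.join(resolve_cfn(p, account_id) for p in parts)
    if isinstance(node, dict) and node.get("Ref") == "AWS::AccountId":
        return account_id
    if isinstance(node, dict):
        return {k: resolve_cfn(v, account_id) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_cfn(p, account_id) for p in node]
    return node


def iam_glob(pattern, value):
    """IAM wildcard match: '*' is any sequence, '?' any single character, all else literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def substitute_vars(pattern, ctx):
    """Expand ${aws:...} policy variables from the request context.
    Returns None when a referenced variable is absent; IAM then treats the element as a non-match."""
    var = r"\$\{([A-Za-z0-9:/_-]+)\}"
    if any(k not in ctx for k in re.findall(var, pattern)):
        return None
    return re.sub(var, lambda m: ctx[m.group(1)], pattern)


def conditions_met(condition, ctx):
    """Evaluate the Null and Bool operators; every key in every operator must pass."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in ctx
            if operator == "Null":
                # "false" means the key MUST be present (here: the session used MFA)
                if present != (expected == "false"):
                    return False
            elif operator == "Bool":
                if not present or str(ctx[key]).lower() != expected.lower():
                    return False
            else:
                raise NotImplementedError(f"condition operator {operator} not modelled")
    return True


def is_allowed(stmt, action, resource_arn, ctx):
    """True if this single Allow statement matches the request; no other policy is considered."""
    if stmt["Effect"] != "Allow":
        return False
    if not any(iam_glob(a, action) for a in stmt["Action"]):
        return False
    expanded = [substitute_vars(r, ctx) for r in stmt["Resource"]]
    if not any(r is not None and iam_glob(r, resource_arn) for r in expanded):
        return False
    return conditions_met(stmt.get("Condition", {}), ctx)


def user_arn(name):
    return f"arn:aws:iam::{ACCOUNT_ID}:user/{name}"


STATEMENT = resolve_cfn(RAW_STATEMENT, ACCOUNT_ID)
# Constructed request context: engineer "alice", MFA'd 120 s ago, over TLS
ALICE_MFA = {"aws:username": "alice", "aws:MultiFactorAuthAge": "120", "aws:SecureTransport": "true"}

if __name__ == "__main__":
    print(is_allowed(STATEMENT, "iam:CreateUser", user_arn("alice-ci"), ALICE_MFA))  # True
    print(is_allowed(STATEMENT, "iam:CreateUser", user_arn("bob-ci"), ALICE_MFA))    # False
    print(is_allowed(STATEMENT, "iam:CreateUser", user_arn("alice"), ALICE_MFA))     # False
```

Two of the negative cases are worth running deliberately: dropping `aws:MultiFactorAuthAge` from the context (a session without MFA) fails the `Null` check even though the resource matches, and a context with no `aws:username` at all (for example a role session, where that variable is not set) makes the resource element unresolvable and therefore a non-match.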
