
AWS Account Federation #12

Closed
kj4ezj opened this issue Dec 13, 2022 · 2 comments
Comments

@kj4ezj
Contributor

kj4ezj commented Dec 13, 2022

Background

As discussed in issue 5, both Amazon Web Services (AWS) best practices and Google Cloud Platform (GCP) best practices recommend that any organization distribute their cloud infrastructure among multiple accounts, to use AWS terminology. The EOS Network Foundation (ENF) is now doing this.

Problem

ENF cloud infrastructure administrators currently juggle multiple logins to access the different AWS accounts in use. While administrators of the ENF organization do retain absolute control over all accounts and resources, there is not a clear pattern for anyone to use their existing credentials to access resources in new accounts. This creates friction for internal customers as well as unnecessary complexity and opacity for administrators. Relying on humans to secure multiple sets of credentials also increases risk exposure.

Solution

The EOS Network Foundation needs to implement federated logins within our Amazon Web Services organization. We can accomplish this with our existing resources by federating our Google Workspace (Gsuite) accounts into the AWS IAM Identity Center as described here and here. This will empower cloud administrators to use the AWS IAM Identity Center to grant individuals and teams access to cloud resources across the organization based on need using identity and access management (IAM). This also simplifies off-boarding by implicitly revoking access to AWS resources when access to Google resources (Drive, Gmail, GCP, etc.) is revoked.

This type of user access will be portable across the organization no matter how many AWS accounts are created for different systems. One or more select organization administrators would still be required to maintain a login detached from Google to the management account, but administrators logging in using Federation would have visibility into the whole organization by default as defined by our IAM policy.
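As an added illustration of the federated access pattern described in this proposal (this is example configuration written for this page, not ENF's own infrastructure code), the Terraform below defines one IAM Identity Center permission set and assigns it to every member account in the organization. It assumes that Google Workspace has already been connected to IAM Identity Center as the external identity source with SCIM provisioning, so that a group named `cloud-admins` (a hypothetical name) is present in the identity store; Terraform only references that group, it does not create it. The permission set uses the AWS-managed `ViewOnlyAccess` job-function policy to give federated administrators organization-wide visibility by default, with a four-hour session limit; elevated, per-account rights would be separate permission sets assigned to narrower groups.

```hcl
# Added example: federated, read-only organization visibility via IAM Identity Center.
# Assumes: the AWS provider is configured against the management account, Identity
# Center is enabled there, and Google Workspace is its SCIM-synced identity source.

# The single Identity Center instance in this organization.
data "aws_ssoadmin_instances" "this" {}

# All member (non-management) accounts, so new accounts are picked up on the next apply.
data "aws_organizations_organization" "this" {}

# Group provisioned from Google Workspace by SCIM; "cloud-admins" is a hypothetical name.
data "aws_identitystore_group" "cloud_admins" {
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]

  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = "cloud-admins"
    }
  }
}

# Permission set: organization-wide read-only visibility, short-lived sessions.
resource "aws_ssoadmin_permission_set" "org_view_only" {
  name             = "OrgViewOnly"
  description      = "Read-only visibility into every member account for federated admins"
  instance_arn     = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  session_duration = "PT4H" # ISO 8601; re-authentication through Google after 4 hours
}

# Attach the AWS-managed ViewOnlyAccess job-function policy rather than an inline policy,
# so the granted surface is documented and maintained by AWS.
resource "aws_ssoadmin_managed_policy_attachment" "org_view_only" {
  instance_arn       = aws_ssoadmin_permission_set.org_view_only.instance_arn
  managed_policy_arn = "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"
  permission_set_arn = aws_ssoadmin_permission_set.org_view_only.arn
}

# Assign the permission set to the synced group in every member account.
# Access follows group membership in Google Workspace: removing a user there
# removes the assignment's effect for that user on the next SCIM sync.
resource "aws_ssoadmin_account_assignment" "org_view_only" {
  for_each = toset(data.aws_organizations_organization.this.non_master_accounts[*].id)

  instance_arn       = aws_ssoadmin_permission_set.org_view_only.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.org_view_only.arn

  principal_id   = data.aws_identitystore_group.cloud_admins.group_id
  principal_type = "GROUP"

  target_id   = each.value
  target_type = "AWS_ACCOUNT"
}
```

Because the assignment iterates over the organization's member accounts, a newly created account receives the same federated access on the next `terraform apply` without any per-account credential handling. The management account is deliberately excluded from the loop, matching the proposal's note that a small number of organization administrators keep a login independent of Google for it; that break-glass login should be protected by hardware MFA and its use alerted on.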

@kj4ezj kj4ezj added the Infrastructure Cloud or physical datacenter infrastructure label Dec 13, 2022
@kj4ezj kj4ezj self-assigned this Dec 13, 2022
@kj4ezj kj4ezj moved this to Todo in ENF Engineering Dec 13, 2022
@kj4ezj kj4ezj moved this from Todo to Awaiting Review in ENF Engineering Dec 13, 2022
@kj4ezj
Contributor Author

kj4ezj commented Dec 13, 2022

I believe this is a prerequisite to issue 5.

@stephenpdeos
Member

This proposal has been rejected so we are returning to an evaluation phase.

@stephenpdeos stephenpdeos closed this as not planned Won't fix, can't repro, duplicate, stale Mar 16, 2023
@github-project-automation github-project-automation bot moved this from In Progress to Done in ENF Engineering Mar 16, 2023