snirad/self-service-iam
Self-Service Cloud Security

AWS CloudFormation templates for self-service IAM policies. They allow your engineering team to manage their own users, keys and permissions at scale in development environments. This approach should not be used in production. See our full blog post for instructions on how to use them.

These templates split users into three types: Admins, Engineers and Service users. Admins can manage all users; Engineers can manage their own keys and permissions, which are isolated per user in S3 using IAM policy variables.

Example policy statement allowing Engineers to manage their own users in isolation:

{
  "Sid": "AllowEngineeringToSubUsers",
  "Effect": "Allow",
  "Action": [
    "iam:CreateUser",
    "..."
  ],
  "Resource": [
    {
      "Fn::Join": [
        "",
        ["arn:aws:iam::", { "Ref": "AWS::AccountId" }, ":user/${aws:username}-*"]
      ]
    }
  ],
  "Condition": {
    "Null": { "aws:MultiFactorAuthAge": "false" },
    "Bool": { "aws:SecureTransport": "true" }
  }
}
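To see what this statement actually enforces before deploying it, the following added example (a standalone Python script written for this page, not code from the snirad/self-service-iam repository) models how IAM evaluates this one Allow statement: it substitutes the `${aws:username}` policy variable, applies the `Null` and `Bool` condition operators, and matches IAM's `*`/`?` wildcards. The account id is a placeholder, the `Action` list contains only the action the README shows (the README elides the rest with `"..."`), and the request contexts are constructed for the demonstration.

```python
"""Offline model of how IAM evaluates the AllowEngineeringToSubUsers statement.

Added example, not code from the repository. It checks the per-user isolation,
the MFA requirement and the TLS requirement without needing an AWS account.
"""
import re

ACCOUNT_ID = "123456789012"  # placeholder (AWS documentation example id), not the project's account

# The README statement with Fn::Join resolved. Only the action shown on the page is
# listed; the README elides the remaining actions with "...".
STATEMENT = {
    "Sid": "AllowEngineeringToSubUsers",
    "Effect": "Allow",
    "Action": ["iam:CreateUser"],
    "Resource": [f"arn:aws:iam::{ACCOUNT_ID}:user/${{aws:username}}-*"],
    "Condition": {
        "Null": {"aws:MultiFactorAuthAge": "false"},
        "Bool": {"aws:SecureTransport": "true"},
    },
}

_VAR = re.compile(r"\$\{([^}]+)\}")


def _wild(text):
    # IAM wildcards: * is any run of characters, ? is one character, all else literal
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in text)


def resource_regex(pattern, ctx):
    """Turn a resource ARN pattern into a regex, substituting policy variables from ctx.

    Variable values are escaped so a username can never act as a wildcard. A variable
    missing from the request context makes the resource unmatchable (raises KeyError).
    """
    parts, pos = ["^"], 0
    for m in _VAR.finditer(pattern):
        parts.append(_wild(pattern[pos:m.start()]))
        parts.append(re.escape(ctx[m.group(1)]))
        pos = m.end()
    parts.append(_wild(pattern[pos:]) + "$")
    return "".join(parts)


def conditions_hold(condition, ctx):
    """Evaluate the condition operators this statement uses (Null and Bool)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if operator == "Null":
                # "false" requires the key to be present in the request; "true" requires it absent
                if (key in ctx) != (expected == "false"):
                    return False
            elif operator == "Bool":
                if str(ctx.get(key, "")).lower() != expected.lower():
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def allows(action, resource, ctx, statement=STATEMENT):
    """True if this single Allow statement grants action on resource for request context ctx."""
    if not any(re.fullmatch(_wild(a), action) for a in statement["Action"]):
        return False
    for pattern in statement["Resource"]:
        try:
            if re.fullmatch(resource_regex(pattern, ctx), resource):
                break
        except KeyError:  # policy variable not in the request: this resource cannot match
            continue
    else:
        return False
    return conditions_hold(statement.get("Condition", {}), ctx)


def request(username, mfa=True, tls=True):
    # Constructed request context, as IAM would build it for a signed API call
    ctx = {"aws:username": username, "aws:SecureTransport": "true" if tls else "false"}
    if mfa:
        ctx["aws:MultiFactorAuthAge"] = "300"  # key exists only when MFA was used in the session
    return ctx


def user_arn(name):
    return f"arn:aws:iam::{ACCOUNT_ID}:user/{name}"


if __name__ == "__main__":
    cases = [
        ("alice creates alice-ci (MFA, TLS)", "iam:CreateUser", user_arn("alice-ci"), request("alice")),
        ("alice creates bob-ci", "iam:CreateUser", user_arn("bob-ci"), request("alice")),
        ("alice acts on her own user", "iam:CreateUser", user_arn("alice"), request("alice")),
        ("alice without MFA", "iam:CreateUser", user_arn("alice-ci"), request("alice", mfa=False)),
        ("alice over plain HTTP", "iam:CreateUser", user_arn("alice-ci"), request("alice", tls=False)),
        ("action not in statement", "iam:AttachUserPolicy", user_arn("alice-ci"), request("alice")),
        ("prefix overlap with a user named alice-bob", "iam:CreateUser", user_arn("alice-bob-ci"), request("alice")),
    ]
    for label, action, resource, ctx in cases:
        verdict = "ALLOW" if allows(action, resource, ctx) else "deny"
        print(f"{verdict:5}  {label}")
```

The last case is the one to watch when adopting the `${aws:username}-*` scheme: because the match is a plain prefix, a user named `alice` also matches sub-users belonging to a user named `alice-bob`, so the deployment needs a naming convention that keeps engineer usernames free of the separator character. The script models only this single Allow statement; a real evaluation also applies explicit Deny statements and every other attached policy, so the IAM policy simulator against the actual account remains the final check.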

About

Self Service AWS IAM Policies for dev at scale
