Demonstrates three solutions for building developer sandboxes on AWS using tags and Attribute-Based Access Control (ABAC).
- Project Based EC2 Access
- Individual Access Control
- Highly Flexible and Granular Access Control
Requirements
- Install aws-cdk:
npm install -g aws-cdk
or brew install aws-cdk
- Install aws-vault and add your administrator profile to it.
brew install aws-vault
or use another install method.
- Set up the CDK project requirements (the Python virtualenv and pip install described below).
- Finally, before deploying you need to configure your account and region values in the app.py file. The default region is set to us-east-2, and your AWS account can be set with an environment variable:
export CDK_DEFAULT_ACCOUNT=01234567890
- Now you are ready to proceed to Deploy a Solution
Pre-flight check (synthesizes the templates without deploying anything):
aws-vault exec <Your Admin User> -- cdk synth "solution-1*"
Because our CDK app has multiple stacks, we either need to specify the stack name(s) or use a wildcard.
aws-vault exec <Your Admin User> -- cdk deploy "solution-1*"
Deploy All 3 Solutions:
aws-vault exec <Your Admin User> -- cdk deploy "*"
Note: the region you deploy to must have a default VPC. If needed, create a default VPC first.
Each solution has its own set of tests. Do not run them with your administrator account; instead use the IAM user created by the CloudFormation stack. The Solution 1 username will look something like solution-1-vahalla-projec-VahallaDeveloper4EA7C9DC-1QTP7AV1JSXPS, which you can find under the Resources section of the CloudFormation stack.
- Find the test user in the CloudFormation stack.
- Create an access key for that user.
- Add the user to aws-vault.
Test Solution 1
aws-vault exec <vault profile name> -- pytest tests/test_solution1_project_policy.py
Test Solution 2
aws-vault exec <vault profile name> -- pytest tests/test_solution2_username.py
Test Solution 3
aws-vault exec <vault profile name> -- pytest tests/test_solution3_flexible.py
Note: if you use Multi-Factor Authentication (MFA) for your administrator account, edit the .aws/config profile you added to include your account's MFA ARN. The AWS CDK does not support MFA on its own; aws-vault reads mfa_serial from the profile and prompts for the token.
[profile johnadmin]
region=us-east-2
mfa_serial=arn:aws:iam::012345678901:mfa/john.doe.administrator
This project is set up like a standard Python project. The initialization process also creates a virtualenv within this project, stored under the .env directory. To create the virtualenv it assumes that there is a python3 (or python for Windows) executable in your path with access to the venv package. If for any reason the automatic creation of the virtualenv fails, you can create the virtualenv manually.
To manually create a virtualenv on MacOS and Linux:
python3 -m venv .env
After the init process completes and the virtualenv is created, you can use the following step to activate your virtualenv.
source .env/bin/activate
If you are on a Windows platform, you would activate the virtualenv like this:
.env\Scripts\activate.bat
Once the virtualenv is activated, you can install the required dependencies.
pip install -r requirements.txt
At this point you can now synthesize the CloudFormation template for this code.
cdk synth
To add additional dependencies, for example other CDK libraries, just add them to your setup.py file and rerun the pip install -r requirements.txt command.
Useful commands:
- cdk ls: list all stacks in the app
- cdk synth: emits the synthesized CloudFormation template
- cdk deploy: deploy this stack to your default AWS account/region
- cdk docs: open CDK documentation
Each policy in dev-sandbox/policies/sandbox.py has a statement labeled sid = "PermissionsForRunningTestsOnly" that exists only so the test suite can run.
Limitations of the Proof of Concept policies:
- Users are not able to create security groups; only existing security groups can be used.
- No restrictions on AMI usage.
- No restrictions on EBS volume creation.
- Users do not have the ability to create key pairs for SSH access.
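To make the tag-based pattern behind Solution 1 (project-based EC2 access) concrete, here is an added example that is not part of this project's code: a project-scoped ABAC policy document plus a small offline evaluator that resolves the ${aws:PrincipalTag/...} policy variable and applies the condition operators the policy uses, so the allow/deny outcomes can be checked without an AWS account. The tag key Project, the request contexts and the instance ARN are constructed assumptions; the evaluator models only the operators this policy needs and is not a general IAM simulator. It also exercises the limitation listed above: a request to create a security group is denied because nothing grants it.

```python
"""Project-based ABAC (the Solution 1 pattern) as an IAM policy document, with a
small offline evaluator that resolves ${aws:PrincipalTag/...} policy variables
and applies the StringEquals, ForAllValues, ForAnyValue and Null operators the
way IAM does for these statements. Added example, not the project's own code."""
from fnmatch import fnmatchcase

TAG_KEY = "Project"  # assumption: the tag key that scopes each sandbox


def project_sandbox_policy(tag_key: str = TAG_KEY) -> dict:
    """Instances may be controlled only when their tag equals the caller's tag,
    new instances must carry exactly that tag, and the tag may not be rewritten
    afterwards (otherwise a user could retag their way into another project).
    The other resources RunInstances touches (AMI, subnet, security group,
    volume) are omitted here for brevity; a real policy must cover them."""
    own = f"${{aws:PrincipalTag/{tag_key}}}"  # IAM policy variable
    return {
        "Version": "2012-10-17",
        "Statement": [
            # Describe* cannot be tag-scoped, so discovery is account-wide.
            {"Sid": "DescribeAll", "Effect": "Allow",
             "Action": "ec2:Describe*", "Resource": "*"},
            {"Sid": "ControlOwnProjectInstances", "Effect": "Allow",
             "Action": ["ec2:StartInstances", "ec2:StopInstances",
                        "ec2:RebootInstances", "ec2:TerminateInstances",
                        "ec2:CreateTags"],
             "Resource": "arn:aws:ec2:*:*:instance/*",
             "Condition": {"StringEquals": {f"ec2:ResourceTag/{tag_key}": own}}},
            {"Sid": "RunInstancesTaggedWithOwnProject", "Effect": "Allow",
             "Action": "ec2:RunInstances",
             "Resource": "arn:aws:ec2:*:*:instance/*",
             "Condition": {
                 "StringEquals": {f"aws:RequestTag/{tag_key}": own},
                 "ForAllValues:StringEquals": {"aws:TagKeys": [tag_key]}}},
            # Tag-on-create is a separate CreateTags authorization that carries
            # the ec2:CreateAction context key.
            {"Sid": "TagOnCreate", "Effect": "Allow", "Action": "ec2:CreateTags",
             "Resource": "arn:aws:ec2:*:*:instance/*",
             "Condition": {"StringEquals": {"ec2:CreateAction": "RunInstances",
                                            f"aws:RequestTag/{tag_key}": own}}},
            # Explicit deny: the project tag is immutable outside tag-on-create.
            {"Sid": "DenyRetaggingProject", "Effect": "Deny",
             "Action": ["ec2:CreateTags", "ec2:DeleteTags"], "Resource": "*",
             "Condition": {"ForAnyValue:StringEquals": {"aws:TagKeys": [tag_key]},
                           "Null": {"ec2:CreateAction": "true"}}},
        ],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _resolve(value, ctx):
    """Substitute a ${key} policy variable from the request context."""
    if isinstance(value, str) and value.startswith("${") and value.endswith("}"):
        return ctx.get(value[2:-1])
    return value


def _condition_holds(condition, ctx):
    for op, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if op == "StringEquals":
                if actual is None or actual != _resolve(expected, ctx):
                    return False
            elif op == "ForAllValues:StringEquals":
                # every request value must be in the allowed set; no values passes
                if not set(actual or []) <= {_resolve(v, ctx) for v in expected}:
                    return False
            elif op == "ForAnyValue:StringEquals":
                if not set(actual or []) & {_resolve(v, ctx) for v in expected}:
                    return False
            elif op == "Null":  # "true" means the key must be absent
                if (actual is None) != (expected == "true"):
                    return False
            else:
                raise ValueError(f"operator not modelled: {op}")
    return True


def is_allowed(policy, action, resource, ctx):
    """Default deny; an explicit Deny wins over any Allow."""
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed request context for a developer tagged Project=vahalla.
DEV = {"aws:PrincipalTag/Project": "vahalla"}
INSTANCE = "arn:aws:ec2:us-east-2:123456789012:instance/i-0123456789abcdef0"

if __name__ == "__main__":
    policy = project_sandbox_policy()
    own = {**DEV, "ec2:ResourceTag/Project": "vahalla"}
    other = {**DEV, "ec2:ResourceTag/Project": "odin"}
    print("stop own instance:", is_allowed(policy, "ec2:StopInstances", INSTANCE, own))
    print("stop other project's:", is_allowed(policy, "ec2:StopInstances", INSTANCE, other))
```

The interesting cases are the ones the tests below pin down: an instance in another project is invisible to the control statement, a RunInstances that adds any tag key beyond Project fails ForAllValues, and retagging Project on an instance the user already controls is refused by the explicit deny even though the allow statement matches.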