Merge pull request #23 from RealityShift/master

Updating Permissions
TalEliyahu · Sep 7, 2017 · d1a4fc3 · d1a4fc3
2 parents ba85415 + c17c6e1
commit d1a4fc3
Show file tree

Hide file tree

Showing 32 changed files with 128 additions and 111 deletions.
diff --git a/README.md b/README.md
@@ -4,9 +4,9 @@
 
 ## Motivation
 
-Many startups are now setting up on AWS infrastructure, but it’s long before they figure out the importance of IAM’s role. To be fair, it’s of least importance initially, as the necessary time and energy are hard to justify. Rather, businesses should first focus on the product itself. But imagine if there was a hand holding the business owner, making the setup of IAM roles expedient and easy. After all, security is your priority at the outset. Let alone startups, even midsize and some large companies make this crucial mistake and accumulate large tech debt.
+Many startups are now using AWS infrastructure for their company, but being new to AWS, they are unaware of the importance of IAM ROLES. It's hard to remember the importance of your permissions structure when you're just starting out. Our goal is to provide the initial hand holding for the business owner with setting up IAM Roles with basic templates to expedite the process of moving you to AWS. After all, security is of utmost importance, especially starting out. Not starting with the right structure is going to cause accumulation of technical debt.
 
-This project focuses on creating a skeleton of IAM roles for startups, with the ability to get started with little or no modifications. The project focuses on multi-size startups:
+This project focuses on creating a skeleton of IAM roles for startups or any company moving to AWS. This provides the company with the ability to get started with little or no modifications. For new companies (and even old companies), time is money. The less time you need to spend setting up permissions structures in AWS, the more money you have to build your company in other ways. We are here to help. The project focuses on multi-size startup companies:
 
 - Small - 5 people
 - Midsize - ~12 people
@@ -19,15 +19,18 @@ Follow Us On [![alt text][2.1]][2]
 
 ## Role of Security
 
+
 In this project, we try to place security above everything. We are trying to avoid accidental deletions. We are assuming that every team member will log in from known IPs. As an added layer of security, we are making MFA mandatory for every user that logs in, even admins. To add the mandatory MFA, there is a policy called ```forceMfa.json``` that will need to be created and added to a group called ```FORCE_MFA```. Each IAM user to be created, will need to be a part of the ```FORCE_MFA``` group. This policy will deny IAM user's access to AWS resources until they add their MFA and use it to authenticate.
 
+
 ## Assumptions
 
-We are working with the following assumptions:
+Based on best practices in AWS, we are working with the following assumptions:
+
+- Presence of generic job roles.
+- Every user will log in from the companies external IP
+- Use of blacklist instead of whitelist to keep the roles tidy.
 
-Presence of generic job roles.
-In case an employee is wearing multiple hats, make sure you update accordingly. We have tried to block certain destructive actions like bucket deletion, accidental terminations for users who are not AWS admin like frontend and backend engineers.
-Use of blacklist instead of whitelist to keep the roles tidy.
 
 ## Job Profiles
 
@@ -37,7 +40,10 @@ read [ROLES.md](https://github.com/Singapore-Tech-Entrepreneurs/Startup-AWS-IAM-
 
 ## Setting Up Roles
 
-Create groups based on job profiles and attach policy documents from this project. Then create users and assign them to these groups.
+- Create IAM Policies for each Job Type
+- Create IAM Groups for each Job Type with respective IAM Policiy attached
+- Add users to IAM groups based on their position
+- ALL users need added to the FORCE_MFA group which has the FORCE_MFA policy attached.
 
 ## Contributing
 

diff --git a/large/01_Busines Owner.txt b/large/01_Busines Owner.txt
@@ -9,9 +9,6 @@
       "Condition": {
         "IpAddress": {
           "aws:SourceIp": "workplace_ip_address_here"
-        },
-        "Null": {
-          "aws:MultiFactorAuthAge":"false"
         }
       }
     }

diff --git a/large/02_Cloud Architect.txt b/large/02_Cloud Architect.txt
@@ -9,9 +9,6 @@
       "Condition": {
         "IpAddress": {
           "aws:SourceIp": "workplace_ip_address_here"
-        },
-        "Null": {
-          "aws:MultiFactorAuthAge":"false"
         }
       }
     }

diff --git a/large/03_Data Architect.txt b/large/03_Data Architect.txt
@@ -23,9 +23,6 @@
       "Condition": {
         "IpAddress": {
           "aws:SourceIp": "workplace_ip_address_here"
-        },
-        "Null": {
-          "aws:MultiFactorAuthAge":"false"
         }
       }
     },

diff --git a/large/04_Data Scientist.txt b/large/04_Data Scientist.txt
@@ -22,9 +22,6 @@
       "Condition": {
         "IpAddress": {
           "aws:SourceIp": "workplace_ip_address_here"
-        },
-        "Null": {
-          "aws:MultiFactorAuthAge":"false"
         }
       }
     },

diff --git a/large/05_Database Admin.txt b/large/05_Database Admin.txt
@@ -21,9 +21,6 @@
       "Condition": {
         "IpAddress": {
           "aws:SourceIp": "workplace_ip_address_here"
-        },
-        "Null": {
-          "aws:MultiFactorAuthAge":"false"
         }
       }
     },

diff --git a/large/06_Front-End Developer.txt b/large/06_Front-End Developer.txt
@@ -9,16 +9,23 @@
         "sqs:*",
         "cloudfront:*",
         "route53:*",
-        "logs:*"
+        "logs:*",
+        "athena:*",
+        "cloudsearch:*",
+        "elasticloadbalancing:*",
+        "elasticbeanstalk:*",
+        "kinesis:*",
+        "lambda:*",
+        "sts:*",
+        "ses:*",
+        "kms:*",
+        "xray:*"
       ],
       "Effect": "Allow",
       "Resource": "*",
       "Condition": {
         "IpAddress": {
           "aws:SourceIp": "workplace_ip_address_here"
-        },
-        "Null": {
-          "aws:MultiFactorAuthAge":"false"
         }
       }
     },

diff --git a/large/07_Backend_developer.txt b/large/07_Backend_developer.txt
@@ -19,18 +19,21 @@
         "apigateway:*",
         "cloudtrail:*",
         "kms:*",
+        "elasticloadbalancing:*",
         "elasticbeanstalk:*",
+        "sts:*",
+        "ses:*",
         "cognito:*",
-        "xray:*"
+        "kinesis:*",
+        "athena:*",
+        "xray:*",
+        "states:*"
       ],
       "Effect": "Allow",
       "Resource": "*",
       "Condition": {
         "IpAddress": {
           "aws:SourceIp": "workplace_ip_address_here"
-        },
-        "Null": {
-          "aws:MultiFactorAuthAge":"false"
         }
       }
     },

diff --git a/large/08_Full-Stack Developer.txt b/large/08_Full-Stack Developer.txt
@@ -19,20 +19,21 @@
         "apigateway:*",
         "cloudtrail:*",
         "kms:*",
+        "elasticloadbalancing:*",
         "elasticbeanstalk:*",
+        "sts:*",
+        "ses:*",
         "cognito:*",
         "cloudfront:*",
         "route53:*",
-        "xray:*"
+        "xray:*",
+        "states:*"
       ],
       "Effect": "Allow",
       "Resource": "*",
       "Condition": {
         "IpAddress": {
           "aws:SourceIp": "workplace_ip_address_here"
-        },
-        "Null": {
-          "aws:MultiFactorAuthAge":"false"
         }
       }
     },

diff --git a/large/09_Mobile App Developer.txt b/large/09_Mobile App Developer.txt
@@ -18,9 +18,6 @@
       "Condition": {
         "IpAddress": {
           "aws:SourceIp": "workplace_ip_address_here"
-        },
-        "Null": {
-          "aws:MultiFactorAuthAge":"false"
         }
       }
     },

diff --git a/large/20_Software_Developer.txt b/large/20_Software_Developer.txt
@@ -19,18 +19,21 @@
         "apigateway:*",
         "cloudtrail:*",
         "kms:*",
+        "elasticloadbalancing:*",
         "elasticbeanstalk:*",
+        "sts:*",
+        "ses:*",
         "cognito:*",
-        "xray:*"
+        "cloudfront:*",
+        "route53:*",
+        "xray:*",
+        "states:*"
       ],
       "Effect": "Allow",
       "Resource": "*",
       "Condition": {
         "IpAddress": {
           "aws:SourceIp": "workplace_ip_address_here"
-        },
-        "Null": {
-          "aws:MultiFactorAuthAge":"false"
         }
       }
     },

diff --git a/large/21_Framework_Specialists.txt b/large/21_Framework_Specialists.txt
@@ -19,20 +19,21 @@
         "apigateway:*",
         "cloudtrail:*",
         "kms:*",
+        "elasticloadbalancing:*",
         "elasticbeanstalk:*",
+        "sts:*",
+        "ses:*",
         "cognito:*",
         "cloudfront:*",
         "route53:*",
-        "xray:*"
+        "xray:*",
+        "states:*"
       ],
       "Effect": "Allow",
       "Resource": "*",
       "Condition": {
         "IpAddress": {
           "aws:SourceIp": "workplace_ip_address_here"
-        },
-        "Null": {
-          "aws:MultiFactorAuthAge":"false"
         }
       }
     },

diff --git a/large/23_Techinical_Lead.txt b/large/23_Techinical_Lead.txt
@@ -19,18 +19,21 @@
         "apigateway:*",
         "cloudtrail:*",
         "kms:*",
+        "elasticloadbalancing:*",
         "elasticbeanstalk:*",
+        "sts:*",
+        "ses:*",
         "cognito:*",
-        "xray:*"
+        "cloudfront:*",
+        "route53:*",
+        "xray:*",
+        "states:*"
       ],
       "Effect": "Allow",
       "Resource": "*",
       "Condition": {
         "IpAddress": {
           "aws:SourceIp": "workplace_ip_address_here"
-        },
-        "Null": {
-          "aws:MultiFactorAuthAge":"false"
         }
       }
     },

diff --git a/large/24_Devops_Manager.txt b/large/24_Devops_Manager.txt
@@ -9,9 +9,6 @@
       "Condition": {
         "IpAddress": {
           "aws:SourceIp": "workplace_ip_address_here"
-        },
-        "Null": {
-          "aws:MultiFactorAuthAge":"false"
         }
       }
     }

diff --git a/large/27_Security_Sepecialist.txt b/large/27_Security_Sepecialist.txt
@@ -9,9 +9,6 @@
       "Condition": {
         "IpAddress": {
           "aws:SourceIp": "workplace_ip_address_here"
-        },
-        "Null": {
-          "aws:MultiFactorAuthAge":"false"
         }
       }
     },

diff --git a/large/28_QA_Specialist.txt b/large/28_QA_Specialist.txt
@@ -28,9 +28,6 @@
       "Condition": {
         "IpAddress": {
           "aws:SourceIp": "workplace_ip_address_here"
-        },
-        "Null": {
-          "aws:MultiFactorAuthAge":"false"
         }
       }
     },

diff --git a/large/30_BI_Analyst.txt b/large/30_BI_Analyst.txt
@@ -19,9 +19,6 @@
       "Condition": {
         "IpAddress": {
           "aws:SourceIp": "workplace_ip_address_here"
-        },
-        "Null": {
-          "aws:MultiFactorAuthAge":"false"
         }
       }
     }

diff --git a/large/31_Finance_Strategists.txt b/large/31_Finance_Strategists.txt
@@ -5,18 +5,19 @@
       "Sid": "Stmt1503849547380",
       "Action": [
         "trustedadvisor:*",
-        "cloudtrail:*",
+        "cloudtrail:Get*",
+        "cloudtrail:LookupEvents",
+        "cloudtrail:Describe*",
+        "s3:Get*"
         "budgets:*",
-        "aws-portal:*"
+        "aws-portal:*",
+        "cur:*"
       ]
       "Effect": "Allow",
       "Resource": "*",
       "Condition": {
         "IpAddress": {
           "aws:SourceIp": "workplace_ip_address_here"
-        },
-        "Null": {
-          "aws:MultiFactorAuthAge":"false"
         }
       }
     }

diff --git a/midsize/01_Busines Owner.txt b/midsize/01_Busines Owner.txt
@@ -9,9 +9,6 @@
       "Condition": {
         "IpAddress": {
           "aws:SourceIp": "workplace_ip_address_here"
-        },
-        "Null": {
-          "aws:MultiFactorAuthAge":"false"
         }
       }
     }

diff --git a/midsize/02_Front-End Developer.txt b/midsize/02_Front-End Developer.txt
@@ -9,16 +9,23 @@
         "sqs:*",
         "cloudfront:*",
         "route53:*",
-        "logs:*"
+        "logs:*",
+        "athena:*",
+        "cloudsearch:*",
+        "elasticloadbalancing:*",
+        "elasticbeanstalk:*",
+        "kinesis:*",
+        "lambda:*",
+        "sts:*",
+        "ses:*",
+        "kms:*",
+        "xray:*"
       ],
       "Effect": "Allow",
       "Resource": "*",
       "Condition": {
         "IpAddress": {
           "aws:SourceIp": "workplace_ip_address_here"
-        },
-        "Null": {
-          "aws:MultiFactorAuthAge":"false"
         }
       }
     },

diff --git a/midsize/03_Backend_developer.txt b/midsize/03_Backend_developer.txt
@@ -19,18 +19,21 @@
         "apigateway:*",
         "cloudtrail:*",
         "kms:*",
+        "elasticloadbalancing:*",
         "elasticbeanstalk:*",
+        "sts:*",
+        "ses:*",
         "cognito:*",
-        "xray:*"
+        "kinesis:*",
+        "athena:*",
+        "xray:*",
+        "states:*"
       ],
       "Effect": "Allow",
       "Resource": "*",
       "Condition": {
         "IpAddress": {
           "aws:SourceIp": "workplace_ip_address_here"
-        },
-        "Null": {
-          "aws:MultiFactorAuthAge":"false"
         }
       }
     },