Tutorial: AWS Vault (#1)

jacknagz · web-flow · commit 79f4c057e585 · 2019-10-08T16:37:03.000-07:00
* [aws-vault] CloudFormation templates

* [aws-vault] Sample vault config

* [repo] codeowners and pr template

* [aws-vault] add Makefile, rename iam-roles template
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1,2 @@
+# These owners will be the default owners for everything in the repo.
+*       @austinbyers @drixta @jacknagz
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -0,0 +1,11 @@
+### Background
+
+<High level overview here>
+
+### Changes
+
+* <Describe changes here>
+
+### Testing
+
+* <Testing steps>
diff --git a/Makefile b/Makefile
@@ -0,0 +1,2 @@
+deploy:
+	aws cloudformation deploy --stack-name $(stack) --template-file $(tutorial)/cloudformation/$(stack).yml --region $(region) --capabilities CAPABILITY_NAMED_IAM
diff --git a/aws-vault/cloudformation/identity-account-iam-groups.yml b/aws-vault/cloudformation/identity-account-iam-groups.yml
@@ -0,0 +1,148 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: IAM groups, membership, and policies
+
+Mappings:
+  Accounts:
+    Production:
+      AccountId: '123456789012'
+
+Resources:
+  ##### Force MFA #####
+
+  ForceMFAGroup:
+    Type: AWS::IAM::Group
+    Properties:
+      GroupName: ForceMFA
+
+  # Important: All users in the Identity account must be listed in this group.
+  ForceMFAMembership:
+    Type: AWS::IAM::UserToGroupAddition
+    Properties:
+      GroupName: !Ref ForceMFAGroup
+      Users:
+        - !ImportValue FranklinUserName
+
+  # https://amzn.to/2APP3dl
+  ForceMFAPolicy:
+    Type: AWS::IAM::Policy
+    Properties:
+      PolicyName: ForceMFA
+      Groups:
+        - !Ref ForceMFAGroup
+      PolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          -
+            Sid: AllowViewAccountInfo
+            Effect: Allow
+            Action:
+              - iam:GetAccountPasswordPolicy
+              - iam:GetAccountSummary
+              - iam:ListVirtualMFADevices
+            Resource: '*'
+          -
+            Sid: AllowManageOwnPasswords
+            Effect: Allow
+            Action:
+              - iam:ChangePassword
+              - iam:GetUser
+            Resource: arn:aws:iam::*:user/${aws:username}
+          -
+            Sid: AllowManageOwnAccessKeys
+            Effect: Allow
+            Action:
+              - iam:CreateAccessKey
+              - iam:DeleteAccessKey
+              - iam:ListAccessKeys
+              - iam:UpdateAccessKey
+            Resource: arn:aws:iam::*:user/${aws:username}
+          -
+            Sid: AllowManageOwnSigningCertificates
+            Effect: Allow
+            Action:
+              - iam:DeleteSigningCertificate
+              - iam:ListSigningCertificates
+              - iam:UpdateSigningCertificate
+              - iam:UploadSigningCertificate
+            Resource: arn:aws:iam::*:user/${aws:username}
+          -
+            Sid: AllowManageOwnSSHPublicKeys
+            Effect: Allow
+            Action:
+              - iam:DeleteSSHPublicKey
+              - iam:GetSSHPublicKey
+              - iam:ListSSHPublicKeys
+              - iam:UpdateSSHPublicKey
+              - iam:UploadSSHPublicKey
+            Resource: arn:aws:iam::*:user/${aws:username}
+          -
+            Sid: AllowManageOwnGitCredentials
+            Effect: Allow
+            Action:
+              - iam:CreateServiceSpecificCredential
+              - iam:DeleteServiceSpecificCredential
+              - iam:ListServiceSpecificCredentials
+              - iam:ResetServiceSpecificCredential
+              - iam:UpdateServiceSpecificCredential
+            Resource: arn:aws:iam::*:user/${aws:username}
+          -
+            Sid: AllowManageOwnVirtualMFADevice
+            Effect: Allow
+            Action:
+              - iam:CreateVirtualMFADevice
+              - iam:DeleteVirtualMFADevice
+            Resource: arn:aws:iam::*:mfa/${aws:username}
+          -
+            Sid: AllowManageOwnUserMFA
+            Effect: Allow
+            Action:
+              - iam:DeactivateMFADevice
+              - iam:EnableMFADevice
+              - iam:ListMFADevices
+              - iam:ResyncMFADevice
+            Resource: arn:aws:iam::*:user/${aws:username}
+          -
+            Sid: DenyAllExceptListedIfNoMFA
+            Effect: Deny
+            NotAction:
+              - iam:CreateVirtualMFADevice
+              - iam:EnableMFADevice
+              - iam:GetUser
+              - iam:ListMFADevices
+              - iam:ListVirtualMFADevices
+              - iam:ResyncMFADevice
+              - sts:GetSessionToken
+            Resource: '*'
+            Condition:
+              BoolIfExists:
+                aws:MultiFactorAuthPresent: 'false'
+
+  ##### Allow Users to AssumeRole in other accounts #####
+
+  WebAdminGroup:
+    Type: AWS::IAM::Group
+    Properties:
+      GroupName: WebAdmin
+
+  WebAdminGroupPolicy:
+    Type: AWS::IAM::Policy
+    Properties:
+      PolicyName: AllowAssumeWebAdminRole
+      Groups:
+        - !Ref WebAdminGroup
+      PolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          -
+            Effect: Allow
+            Action: sts:AssumeRole
+            Resource: !Sub
+              - arn:aws:iam::${AccountId}:role/WebAdmin
+              - { AccountId: !FindInMap [ Accounts, Production, AccountId ] }
+
+  WebAdminGroupMembership:
+    Type: AWS::IAM::UserToGroupAddition
+    Properties:
+      GroupName: !Ref WebAdminGroup
+      Users:
+        - !ImportValue FranklinUserName
diff --git a/aws-vault/cloudformation/identity-account-iam-users.yml b/aws-vault/cloudformation/identity-account-iam-users.yml
@@ -0,0 +1,14 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: IAM user accounts
+
+Resources:
+  Franklin:
+      Type: AWS::IAM::User
+      Properties:
+        UserName: franklin
+
+Outputs:
+  FranklinUserName:
+    Value: !Ref Franklin
+    Export:
+      Name: FranklinUserName
diff --git a/aws-vault/cloudformation/production-account-iam-roles.yml b/aws-vault/cloudformation/production-account-iam-roles.yml
@@ -0,0 +1,33 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: IAM roles to perform specific actions
+
+Mappings:
+  Accounts:
+    Identity:
+      AccountId: '234567890123'
+
+Resources:
+  WebAdminRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          -
+            Effect: Allow
+            Principal:
+              # The account that can assume the role
+              AWS: !FindInMap [ Accounts, Identity, AccountId ]
+            Action: sts:AssumeRole
+            Condition:
+              Bool:
+                # Enforce MFA and SSL
+                aws:MultiFactorAuthPresent: true
+                aws:SecureTransport: true
+              NumericLessThan:
+                aws:MultiFactorAuthAge: 3600
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/AWSElasticBeanstalkFullAccess
+      # The temporary credentials last for one hour
+      MaxSessionDuration: 3600
+      RoleName: WebAdmin
diff --git a/aws-vault/example_vault_config b/aws-vault/example_vault_config
@@ -0,0 +1,5 @@
+###### web-admin #####
+[profile web-admin]
+source_profile = identity
+role_arn = arn:aws:iam::123456789012:role/WebAdmin
+mfa_serial = arn:aws:iam::234567890123:mfa/franklin

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+# These owners will be the default owners for everything in the repo.`
	`2`	`+* @austinbyers @drixta @jacknagz`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+deploy:`
	`2`	`+ aws cloudformation deploy --stack-name $(stack) --template-file $(tutorial)/cloudformation/$(stack).yml --region $(region) --capabilities CAPABILITY_NAMED_IAM`