
IAM Roles as IaC for Secured Access Control of Business Accounts


By Flux7 Labs
November 21, 2019

Experts agree that the biggest security threat comes from inside the business. While reports of breaches from insider threats range from Security Intelligence's 75% to 60% in an IBM survey, the overarching point is clear: intentionally or unintentionally, employees present the biggest security risk. Identity and Access Management (IAM) helps address this threat by applying the principle of least privilege, keeping the business safe by allowing internal employees, external customers, and business partners access to only those resources necessary to perform their function.

In today's blog post, we focus on how the DevSecOps team at Flux7 helped a hospitality giant use IAM roles as Infrastructure as Code (IaC) for secured access control for its team members.

For additional background reading, see our blog post AWS Security Best Practices: Attach or Replace AWS IAM Roles to Existing EC2 Instances.

With multiple AWS accounts, controlling access to them can be challenging. Keeping track of IAM roles and policies in each account adds further complexity. Because the customer's infrastructure team manually updated roles and policies through the AWS Console whenever there was an access request or a change affecting multiple accounts, the team spent countless hours on complex, distributed, manual tasks — tasks that lack control and open the door to human error.

Interested in streamlining this process, the customer turned to the AWS consultants at Flux7. The goal: convert IAM policies and roles into code and store them in a version control system (such as GitHub) so that IAM roles are created automatically in multiple accounts, saving time and effort.

Flux7 helped the customer automate this process with a Jenkins pipeline that centralizes IAM role and policy management and deployment. The pipeline not only simplifies role and policy management but also lets the team reuse the same code to add more roles later. Before we look at the details of the IAM pipeline solution, let's quickly review IAM Roles and Policies.


IAM Roles

IAM Roles allow you to define a set of permissions to access AWS resources. Roles are not attached to a particular user or group. Instead, IAM users, applications or services can programmatically assume a role to make AWS requests. Specifically, IAM Roles allow operators to perform three different functions:

1) Create users in AWS's identity management system and assign users individual security credentials.

2) Request temporary security credentials to provide users access to AWS services and resources.

3) Manage access for federated users, providing security credentials with configurable expirations for users in a corporate directory, thereby giving employees and applications secure access to resources in an AWS account without creating an IAM user account for them.

With this background in mind, we created temporary security credentials for this organization's team members with the help of Okta's Workforce Identity solution.

IAM Policies

Policies, defined in a policy document, determine the permissions that can be granted. When the policy document is attached to a user, group, or role, the permissions defined within that policy are applied automatically.

For more information, refer to the AWS documentation on Policies and Permissions.
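To make the policy-document mechanics concrete, here is an added example (not Flux7's code and not from the customer's repository) that evaluates a request against a policy the way AWS does: an explicit Deny always wins, an Allow must match both the action and the resource, and anything unmatched is implicitly denied. It also includes the least-privilege check a reviewer would want before a policy is merged: flagging Allow statements that grant every action or every resource. The sample policy, bucket name and statement ids are constructed for the illustration, and the NotAction/NotResource forms are not handled.

```python
"""Evaluate an IAM policy document (explicit Deny over Allow, implicit Deny
otherwise) and lint it for wildcard grants. Added illustration for this post,
not Flux7's code; the sample policy below is constructed."""
import fnmatch
import json

# Constructed sample policy: read-only access to one bucket plus an explicit
# deny on any delete action. Sids and the bucket name are assumed values.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadReports", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]},
    {"Sid": "NeverDelete", "Effect": "Deny",
     "Action": "s3:Delete*", "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate):
    """IAM wildcards: '*' matches any run of characters, '?' a single one.
    Action names are case-insensitive, so compare in lower case."""
    return any(fnmatch.fnmatchcase(candidate.lower(), p.lower())
               for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Return 'allow' or 'deny' for one (action, resource) request."""
    decision = "deny"  # implicit deny until an Allow statement matches
    for stmt in policy["Statement"]:
        if "Action" not in stmt or "Resource" not in stmt:
            continue  # NotAction / NotResource statements are out of scope here
        if not (_matches(stmt["Action"], action)
                and _matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"  # an explicit Deny wins regardless of statement order
        decision = "allow"
    return decision


def lint_least_privilege(policy):
    """Flag Allow statements that grant every action or every resource."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard action")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"{sid}: wildcard resource")
    return findings


if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::example-reports/q1.csv"),
                     ("s3:DeleteObject", "arn:aws:s3:::example-reports/q1.csv"),
                     ("s3:PutObject", "arn:aws:s3:::example-reports/q1.csv")]:
        print(act, res, "->", evaluate(SAMPLE_POLICY, act, res))
    print("lint findings:", lint_least_privilege(SAMPLE_POLICY))
```

Running `lint_least_privilege` as a pipeline step before the CloudFormation deploy is one cheap way to keep an over-broad statement from reaching nine accounts at once; the evaluator is useful for writing unit tests that pin down what a role is and is not allowed to do.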

IAM Roles and Policies as IaC

For the customer, Flux7 created an IAM Access Git repository to store IAM roles and policies; we then created an IAM Access pipeline. As you can see here, the deployment pipeline automates the process of deploying IAM roles and policies, as defined in the repository, to multiple accounts.

Figure: IAM Roles and Policies as IaC Workflow

IAM Access Repository

The GitHub IAM Access Repository contains the following:

iam_roles_policies.yaml – This AWS CloudFormation template defines the IAM components, such as IAM Roles and IAM Policies. It is the file to edit when adding, updating or removing any IAM role or policy, and it is the main file used to deploy IAM resources into any AWS account.

master-var.yaml – This variables file stores the parameters consumed by the iam_roles_policies.yaml template.

pipeline-properties.yaml – This properties file holds the fields the Jenkinsfile uses to fill in certain variables. For example, the account name is used to label each deployment stage ("Deploying IAM Roles/Policies to ${account_name}").

IAM Access Pipeline

An IAM Access Pipeline was developed and deployed in a Jenkins instance. Its purpose is to pull code from the IAM Access repository and deploy each IAM role and access policy (as defined in the CloudFormation template) to the customer's multiple AWS accounts.

Figure: IAM Access Pipeline

At one-minute intervals, the pipeline polls the repository for build triggers. If a role or policy was added to the iam_roles_policies.yaml file and properly merged into the master branch, the pipeline initiates a Jenkins build to generate the CloudFormation template. You can see here the pipeline stages as it deploys roles and policies across multiple AWS accounts.

Figure: IAM Access Pipeline Stage View

This solution helps the customer deploy and manage roles and policies with greater control and fewer human errors across its nine AWS accounts.
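The following is an added example, not Flux7's repository or Jenkinsfile, showing how the three files described above fit together: it renders an iam_roles_policies-style CloudFormation template from the role definitions in a master-var-style file and turns a pipeline-properties-style account list into one deployment stage per account. The file contents, role names and account ids are constructed, JSON stands in for the YAML files so that no YAML parser is needed (CloudFormation accepts either), and the SAML provider name is assumed to be "Okta". Each role's trust policy only allows sts:AssumeRoleWithSAML through the account's own SAML provider, which is how the temporary, expiring credentials described earlier are obtained rather than long-lived IAM user keys.

```python
"""Render an IAM roles/policies CloudFormation template from a variables file
and plan per-account pipeline stages. Added illustration for this post, not
Flux7's code; all names, ids and file contents below are constructed."""
import json

# Stand-in for master-var.yaml: roles to create in every account (constructed).
MASTER_VARS = {
    "saml_provider_name": "Okta",      # assumed provider name in each account
    "max_session_seconds": 3600,       # shortest duration CloudFormation accepts
    "roles": [
        {"name": "ReadOnlyAnalyst",
         "managed_policies": ["arn:aws:iam::aws:policy/ReadOnlyAccess"]},
        {"name": "BillingViewer",
         "managed_policies": ["arn:aws:iam::aws:policy/job-function/Billing"]},
    ],
}

# Stand-in for pipeline-properties.yaml: target accounts (constructed ids).
PIPELINE_PROPERTIES = {
    "stack_name": "iam-access-roles",
    "accounts": [
        {"account_name": "dev", "account_id": "111111111111"},
        {"account_name": "prod", "account_id": "222222222222"},
    ],
}


def trust_policy(saml_provider_name):
    """Trust only federated sign-in through this account's SAML provider."""
    provider_arn = f"arn:aws:iam::${{AWS::AccountId}}:saml-provider/{saml_provider_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            # Fn::Sub fills in the account id at deploy time, so the same
            # template works unchanged in every account.
            "Principal": {"Federated": {"Fn::Sub": provider_arn}},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {
                "SAML:aud": "https://signin.aws.amazon.com/saml"}},
        }],
    }


def render_template(master_vars):
    """Build the CloudFormation template with one AWS::IAM::Role per entry."""
    resources = {}
    for role in master_vars["roles"]:
        resources[role["name"] + "Role"] = {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": role["name"],
                "MaxSessionDuration": master_vars["max_session_seconds"],
                "AssumeRolePolicyDocument": trust_policy(master_vars["saml_provider_name"]),
                "ManagedPolicyArns": role["managed_policies"],
            },
        }
    return {"AWSTemplateFormatVersion": "2010-09-09",
            "Description": "IAM roles and policies managed as code",
            "Resources": resources}


def plan_stages(properties, template_file="iam_roles_policies.json"):
    """One pipeline stage per account, with the deploy command it would run.
    The --profile value is assumed to be a CLI profile that can reach the
    account; CAPABILITY_NAMED_IAM is required because RoleName is set."""
    stages = []
    for acct in properties["accounts"]:
        stages.append({
            "stage": f"Deploying IAM Roles/Policies to {acct['account_name']}",
            "account_id": acct["account_id"],
            "command": ["aws", "cloudformation", "deploy",
                        "--template-file", template_file,
                        "--stack-name", properties["stack_name"],
                        "--capabilities", "CAPABILITY_NAMED_IAM",
                        "--profile", acct["account_name"]],
        })
    return stages


if __name__ == "__main__":
    with open("iam_roles_policies.json", "w") as fh:
        json.dump(render_template(MASTER_VARS), fh, indent=2)
    for stage in plan_stages(PIPELINE_PROPERTIES):
        print(stage["stage"], "->", " ".join(stage["command"]))
```

Because the role definitions live in one file under version control, a change to `MASTER_VARS` (or the real master-var.yaml) is reviewed once and then rolled out identically to every account by the pipeline, which is the control and audit trail the post describes.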

AWS Security Best Practices Benefits

Using IAM Roles and Policies as IaC benefits the customer with a solution that is:

• Centralized and simplified. It is now easy to deploy and manage roles and policies for multiple accounts because they are all accessible from one place.

• Time-saving. It removes the use of the AWS Console and the manual deployment of roles and policies in multiple accounts.

• Quick and easy. Roles and policies are added automatically and with best practices, rather than through manual processes.

• Secure. Access control to the accounts is maintained by tracking all related roles and policies.

• Reusable, flexible and customizable. The customer can add more roles and policies through code, as needed.

• Auditable. IaC lets the customer see how its code and roles evolve over time (change log).

Identity and Access Management (IAM) applies the principle of least privilege, keeping the business safe by allowing internal employees access to only those resources necessary to perform their function. Moreover, the IAM IaC solution protects this hospitality giant through temporary credentials that ensure former employees — or employees with changed roles — do not have access to systems where they can create unnecessary disruption.

In addition, IAM roles have their own advantages in defining a set of permissions to access AWS resources. By converting IAM policies and roles into code and storing them in a version control system, we can automatically create roles and policies in multiple accounts, saving time and effort. Flux7 created an IAM Access pipeline that automates the process of deploying IAM roles and policies. 

Interested in how IAM roles as IaC automation efforts such as this help improve the secured access control of business accounts? Reach out to Flux7 today.