
Overview

The purpose of these IAM automated safeguards is two-fold:

  1. To ensure that, as a customer, you can apply proper IT governance when using ClearDATA by having granular control over which of your users can perform which functions (Identity Safeguards)
  2. To ensure that, as a customer, you can have direct access to the AWS API and console while still ensuring your compliance stance is maintained (API Safeguards)

Creating Users

ClearDATA will start you off with an Administrator account, which allows you to create users and assign them to groups. This Administrator is configured as part of the onboarding process and is assigned to the DPHI-Administrators group. Members of this group are IAM users who can administer users on the /cleardata/customer/ path.

On the ClearDATA AWS Platform, you are only allowed to create users on a specific IAM path: /cleardata/customer/. Because the AWS Console does not support setting a path on user creation, you must use the AWS CLI to create users. Once the administrator has configured their machine with their IAM keys, you can run a create-user command:

aws iam create-user --path /cleardata/customer/ --user-name USERNAME

Once a user is created, assigning this user to groups can be done from the console, and security credentials for the user can also be configured there. Of course, the AWS CLI can still be used to manage the user. As an example, once a user has been created, it can be assigned to a group using the add-user-to-group command:

aws iam add-user-to-group --group-name GROUPNAME --user-name USERNAME

Available groups

Users can be assigned by a member of the DPHI-Administrators group to up to five groups. The table below provides the initial list of groups that are deployed in an AWS account.

Group                Description
DPHI-SuperUser       A group that encompasses all the other groups except DPHI-Administrators
DPHI-Cloudformation  Unrestricted CloudFormation rights (remember, you'd also need rights to the individual components CloudFormation would spin up)
DPHI-Cloudfront      CloudFront, ELB, IAM, S3 and CloudWatch rights necessary to use CloudFront
DPHI-Cloudwatch      CloudWatch metrics and logging rights
DPHI-Ecs             Unrestricted ECS and ECR rights for use with the ClearDATA Container Product
DPHI-Ec2             EC2 rights to spin up instances that are
                       • from AMIs that are tagged cleardata:customer-allow
                       • in security groups that are tagged cleardata:customer-allow
DPHI-Kms             KMS use
DPHI-Lambda          Lambda use
DPHI-LoadBalancing   Allows updating of SSL certificates, registering/deregistering instances from the LB, and modifying target groups in ALBs
DPHI-ReadOnly        Read-only access to pretty much everything except IAM
DPHI-Route53         Unrestricted Route53 use
DPHI-S3              S3 use
DPHI-Ses             SES use
DPHI-Sns             SNS use
DPHI-Sqs             SQS use
DPHI-Waf             WAF use
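The two-step procedure above (create the user on the /cleardata/customer/ path with the CLI, then add it to groups) and the five-group limit from the "Available groups" section can be wrapped in a small shell helper so an administrator cannot accidentally create a user off the required path or over-assign groups. The script below is an added example and is not ClearDATA tooling; it assumes the AWS CLI is installed and the administrator's IAM keys are configured, and the DRY_RUN switch, the refusal of DPHI-Administrators without ALLOW_ADMIN=1, and the IAM name character rules it checks are this example's own choices.

```shell
#!/bin/sh
# Added example helper (not ClearDATA's own tooling): create an IAM user on the
# required path and add it to groups, enforcing the constraints on this page.
# Assumes: AWS CLI installed and configured with the administrator's IAM keys.
# DRY_RUN=1 prints the commands instead of executing them.

REQUIRED_PATH="/cleardata/customer/"   # the only path customer users may live on
MAX_GROUPS=5                           # the page allows at most five groups per user

# run_cmd: execute the command, or echo it when DRY_RUN=1
run_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# valid_iam_name NAME MAXLEN: IAM user/group names may only contain
# letters, digits and + = , . @ _ - (assumption based on IAM naming rules)
valid_iam_name() {
    case "$1" in
        "") return 1 ;;
        *[!A-Za-z0-9+=,.@_-]*) return 1 ;;
    esac
    [ "${#1}" -le "$2" ]
}

# create_customer_user USERNAME [GROUP ...]
# Returns non-zero (and runs nothing) if any constraint is violated.
create_customer_user() {
    user="$1"
    shift
    if ! valid_iam_name "$user" 64; then
        echo "refusing: invalid IAM user name '$user'" >&2
        return 1
    fi
    if [ "$#" -gt "$MAX_GROUPS" ]; then
        echo "refusing: $# groups requested, limit is $MAX_GROUPS" >&2
        return 1
    fi
    for g in "$@"; do
        if ! valid_iam_name "$g" 128; then
            echo "refusing: invalid IAM group name '$g'" >&2
            return 1
        fi
        # Least-privilege default of this helper: adding someone to the
        # user-administration group requires an explicit opt-in.
        if [ "$g" = "DPHI-Administrators" ] && [ "${ALLOW_ADMIN:-0}" != "1" ]; then
            echo "refusing: DPHI-Administrators requires ALLOW_ADMIN=1" >&2
            return 1
        fi
    done
    # Step 1: create the user on the required path (console cannot set a path)
    run_cmd aws iam create-user --path "$REQUIRED_PATH" --user-name "$user" || return 1
    # Step 2: group assignments, one add-user-to-group call per group
    for g in "$@"; do
        run_cmd aws iam add-user-to-group --group-name "$g" --user-name "$user" || return 1
    done
}

# Usage: DRY_RUN=1 sh create_customer_user.sh alice DPHI-ReadOnly DPHI-S3
if [ "$#" -gt 0 ]; then
    create_customer_user "$@"
fi
```

Run it once with DRY_RUN=1 to confirm the exact create-user and add-user-to-group commands it will issue before letting it touch the account; the validation happens before any command runs, so a bad name or too many groups produces no partial user.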

Additional groups and policies can be created by our Entourage team to meet your API and console access requirements.

Please contact our Entourage team should you need more information on the reference architectures associated with the permissible AWS services.
