Formed in 2009, the Archive Team (not to be confused with the archive.org Archive-It Team) is a rogue archivist collective dedicated to saving copies of rapidly dying or deleted websites for the sake of history and digital heritage. The group is 100% composed of volunteers and interested parties, and has expanded into a large amount of related projects for saving online and digital history.
aws-iam-manager
Manage multiple AWS Account IAM Users, Groups and Policies using Github Repository & Cross-Account access with simple AWS Lambda function based on-top Serverless framework.
Overview
Basing on repository contents, AWS-IAM-Manager (AIM) will create users, assign to specific groups with attached policies.
Prerequisities
- Node.js LTS or newer
- Serverless Framework
Deploying
- Run
npm run prepare-secretand fill out values insecrets.yml - Execute
npm run deployand wait for results. This will deploy a function receiving events from Amazon Simple Notification Service. Those events will be sent from Github when your repository contents change (putting to SNS topic/queue). By default, function will be deployed to US East (N. Virginia).
Setting up webhook
In order to integrate AWS Lambda with Github repo, you have to create a Webhook which will send data through AWS SNS. Here's how to do that:
- Go to
https://console.aws.amazon.com/iam/home?region=<YOUR_REGION_NAME>#/users/<YOUR_USER>?section=security_credentialsand clickCreate access key. Wait couple seconds to generate and then download generated CSV file or copyAccess Key&Secret access key. You'll need that to setup Github hook. - Go to
https://console.aws.amazon.com/lambda/home?region=us-east-1#/functions/aws-iam-manager-dev-IAMManagerSNSHandler?tab=triggersand copy the value underSNS: IAMManagerNotifyTopiclike in the image below: Here is where we find SNS Topic Amazon Resource Name
It will look like this: arn:aws:sns:us-east-1:<YOUR_AWS_ACC_NUMBER>:IAMManagerNotifyTopic. Make sure you are inus-east-1region, as shown in the picture above. - Go to
https://github.com/YOUR_NAME/REPO/settings/hooks/new?service=amazonsnsand fill form with data you retrieved in steps 2 & 3. Lastly, clickAdd Service. - Now
aws-iam-managerwill continuously monitor your GitHub repo and reflect changes on AWS accounts.
Setup
AIM is capable of managing accounts with Cross-Account access. In order to do that we need to do three things:
- Establish a trust relationship between
Slaveaccount andMasterAccount (account where our Lambda is deployed). Tutorial how to do that here - Create Policy document allowing our Lambda to assume role of other accounts IAM role. Tutorial how to do that here
- Update accounts configuration in DynamoDB table called
aim_roles. Tutorial how to do that here
How it works
Once a change is made to a master branch code, a Webhook send an event through SNS to AWS Lambda. Lambda code downloads whole repository. Going folder by folder, it impersonates other account roles using Cross-Account access credentials which are stored inside DynamoDB table aim_users.
Once impersonated, code detects any differences between code from repository and IAM state and applies any needed changes. If any new user gets created, it sends an email using AWS SES to system administrator and user that has been just created.
After processing account, Lambda switches its role back and starts processing another folder-account until it traverses whole repository.
Repository Structure
Files structure
/repo_root
βββ account_one
| βββ users.yml
| βββ groups.yml
| βββ policies.yml
βββ account_two
βββ users.yml
βββ groups.yml
βββ policies.yml
Sample files
users.yml
users:
- sample.user
- another.user
policies.yml
policies:
- name: s3-list-bucket-access-policy
document:
Version: '2012-10-17'
Statement:
Effect: Allow
Action: s3:ListBucket
Resource: arn:aws:s3:::*
groups.yml
groups:
- name: developers
policy: s3-list-bucket-access-policy
users:
- sample.user
- name: developers-two
policy: s3-list-bucket-access-policy
users:
- another.user
Following setup will create two users, two groups and one policy. User sample.user will be joined to developers group while another.user will be joined to developers-two group. Both groups will receive rights to perform list-buckets action on all S3 Buckets because of attached s3-list-bucket-access-policy policy.
Private Repositories
In case your repository is private you need to include access_token in every request to Github API. To do that, generate new Personal Access Token and copy that to secrets.yml GITHUB_ACCESS_TOKEN.
Local Development
For ease and speed of development it's highly recommended to test code locally using npm run invoke script which will run function locally with data from event.json.
For nicer output you should also consider installing bunyan globally. If not, feel free to remove | bunyan part from package.json.