Bootstrap AWS Client as a Unicorn 🦄

By Jonathan Martineau | 31 July 2018

Source Code Available Here

AWS Client Bootstrap What !?

AWS Client Bootstrap is the name we gave to our automation tools for bootstrapping a client's AWS account and giving the Unicorn Powered team access to the client environment. This pattern is also known as Cross-Account Access.

How it works

Prerequisites

  • A Unicorn Powered AWS account id
  • A client AWS account that you want to access via Switch Role

Introduction

Everything is done in CloudFormation. That way, the client simply needs to create a stack in the CloudFormation service and voilà. No special knowledge is required.

Client Side

On the client side there are actually two stacks: a parent stack and a nested child stack. The reason behind this choice is notification handling: the parent stack sets up the child stack so that every CloudFormation event about the child stack is delivered through Amazon Simple Notification Service (SNS).

The parent stack contains the child stack, an SNS topic and subscription, and a Lambda function together with the permission that lets SNS invoke it.

  • Child stack: creates an IAM role whose trust policy allows the Unicorn Powered AWS account id to call sts:AssumeRole on it, with the AdministratorAccess managed policy attached. Since AdministratorAccess grants full access to the client account, the trust policy is the only thing restricting who can use the role.
  • SNS Topic: receives every notification about the child stack, i.e. CREATE_COMPLETE, UPDATE_COMPLETE, DELETE_COMPLETE ...
  • SNS Subscription: subscribes the Lambda to the SNS topic above, so the Lambda receives every notification published to the topic.
  • Lambda: takes the SNS message, adds the client information (account id, company name, role name) and sends the data to the Unicorn Powered endpoint URL.
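As an added example (not the original project's code), here is what the client-side Lambda can look like in Python. CloudFormation writes each SNS notification body as one Key='value' per line; the handler parses those lines, keeps only terminal events about the stack itself (resource events such as the IAM role being created would otherwise trigger spurious calls), adds the client information and posts the payload to the endpoint. The environment variable names, the endpoint URL and the sample event below are assumptions, constructed for this example.

```python
import json
import os
import urllib.request

# Client-side Lambda (added example, not the original project's code).
# Environment variable names and the endpoint URL are assumptions.

def parse_cfn_message(message):
    """Parse the Key='value' lines CloudFormation puts in an SNS message."""
    fields = {}
    for line in message.splitlines():
        key, sep, value = line.partition("=")
        if sep and value.startswith("'") and value.endswith("'"):
            fields[key.strip()] = value[1:-1]
    return fields

# Only terminal stack-level events are forwarded; in-progress, failed and
# rollback statuses, and per-resource events, are dropped.
STACK_STATUSES = {"CREATE_COMPLETE", "UPDATE_COMPLETE", "DELETE_COMPLETE"}

def build_payload(sns_event, account_id, company_name, role_name):
    """Return the payload for the Unicorn Powered endpoint, or None when the
    notification is not a terminal event about the stack itself."""
    for record in sns_event.get("Records", []):
        fields = parse_cfn_message(record["Sns"]["Message"])
        if fields.get("ResourceType") != "AWS::CloudFormation::Stack":
            continue
        status = fields.get("ResourceStatus")
        if status not in STACK_STATUSES:
            continue
        return {
            "account_id": account_id,
            "company_name": company_name,
            "role_name": role_name,
            "stack_name": fields.get("StackName"),
            "stack_id": fields.get("StackId"),
            "status": status,
        }
    return None

def handler(event, context):
    """Lambda entry point: the account id is taken from the function ARN
    (arn:aws:lambda:region:ACCOUNT:function:name), the rest from env vars."""
    payload = build_payload(
        event,
        account_id=context.invoked_function_arn.split(":")[4],
        company_name=os.environ["COMPANY_NAME"],
        role_name=os.environ["ROLE_NAME"],
    )
    if payload is None:
        return {"forwarded": False}
    req = urllib.request.Request(
        os.environ["UNICORN_ENDPOINT_URL"],  # assumed env var
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return {"forwarded": True, "status_code": resp.status}

# Constructed sample: the shape Lambda receives from an SNS subscription,
# carrying a stack-level CREATE_COMPLETE event for the child stack.
SAMPLE_EVENT = {
    "Records": [{
        "Sns": {
            "Message": (
                "StackId='arn:aws:cloudformation:us-east-1:111111111111:stack/client-child/abc'\n"
                "Timestamp='2018-07-31T12:00:00.000Z'\n"
                "EventId='abc'\n"
                "LogicalResourceId='client-child'\n"
                "PhysicalResourceId='arn:aws:cloudformation:us-east-1:111111111111:stack/client-child/abc'\n"
                "ResourceStatus='CREATE_COMPLETE'\n"
                "ResourceType='AWS::CloudFormation::Stack'\n"
                "StackName='client-child'\n"
            )
        }
    }]
}

if __name__ == "__main__":
    print(json.dumps(build_payload(SAMPLE_EVENT, "111111111111", "Acme", "UnicornPoweredAccess"), indent=2))
```

Filtering on ResourceType is the important part: the same topic also carries the CREATE_IN_PROGRESS and CREATE_COMPLETE events of the IAM role inside the child stack, and forwarding those would make the Unicorn side create the group before the role exists.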

Our Side

The Unicorn Powered stack is built on Chalice. Chalice creates a simple REST API in Python that runs on Amazon API Gateway and AWS Lambda.

  1. The data (SNS message, account id, company name, role name) is received by the Lambda via the endpoint URL.
    • If the status is CREATE_COMPLETE or UPDATE_COMPLETE, create or update the stack*.
    • If the status is DELETE_COMPLETE, delete the stack if it exists.
  2. Send an email with the new client information to the company.

*The stack consists of an IAM Group with a policy allowing the action sts:AssumeRole on the resource arn:aws:iam::${ClientAccountId}:role/${RoleName}.
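As an added example (not the project's Chalice code), the Unicorn Powered side reduces to two decisions: which CloudFormation call to make for a forwarded status, and what the per-client template contains. The block below implements both in Python, and also generates the client-side child stack's role so both halves of the cross-account pair are visible next to each other. The account ids, the group naming scheme and the optional ExternalId parameter are assumptions; in particular the ExternalId condition is an AWS recommendation for third-party access and is not part of the original setup.

```python
import json
import re

# Unicorn Powered side (added example, not the project's Chalice code).
# Account ids, the group naming scheme and the ExternalId parameter are
# assumptions; a Chalice route would call decide_action() and then
# boto3's cloudformation create/update/delete_stack with the template.

UNICORN_ACCOUNT_ID = "999999999999"  # assumed Unicorn Powered account id

def decide_action(status, stack_exists):
    """Which CloudFormation call the API makes for a forwarded stack status."""
    if status in ("CREATE_COMPLETE", "UPDATE_COMPLETE"):
        return "update" if stack_exists else "create"
    if status == "DELETE_COMPLETE":
        return "delete" if stack_exists else "noop"
    return "noop"  # in-progress, failed and rollback statuses are ignored

def role_arn(client_account_id, role_name):
    return "arn:aws:iam::%s:role/%s" % (client_account_id, role_name)

def group_name(company_name):
    # IAM group names only allow alphanumerics and + = , . @ _ -
    return re.sub(r"[^A-Za-z0-9+=,.@_-]", "", company_name) + "-switch-role"

def build_group_template(client_account_id, company_name, role_name):
    """Template for the Unicorn-side stack: one IAM group, one inline policy.
    The Resource is the single client role ARN, so members of the group can
    assume that role and nothing else."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "Cross-account access to %s" % company_name,
        "Resources": {
            "ClientAccessGroup": {
                "Type": "AWS::IAM::Group",
                "Properties": {
                    "GroupName": group_name(company_name),
                    "Policies": [{
                        "PolicyName": "AssumeClientRole",
                        "PolicyDocument": {
                            "Version": "2012-10-17",
                            "Statement": [{
                                "Effect": "Allow",
                                "Action": "sts:AssumeRole",
                                "Resource": role_arn(client_account_id, role_name),
                            }],
                        },
                    }],
                },
            }
        },
    }

def build_client_role_template(unicorn_account_id, role_name, external_id=None):
    """Template for the client's child stack: the role the group assumes.
    The trust policy names the Unicorn Powered account as principal; the
    optional ExternalId condition (an AWS recommendation for third-party
    access, not in the original post) is added only when external_id is set.
    With AdministratorAccess attached, the trust policy is the only restriction."""
    trust = {
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::%s:root" % unicorn_account_id},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        trust["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "UnicornPoweredRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "RoleName": role_name,
                    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [trust]},
                    "ManagedPolicyArns": ["arn:aws:iam::aws:policy/AdministratorAccess"],
                },
            }
        },
    }

if __name__ == "__main__":
    print(json.dumps(build_group_template("111111111111", "Acme Inc", "UnicornPoweredAccess"), indent=2))
    print(json.dumps(build_client_role_template(UNICORN_ACCOUNT_ID, "UnicornPoweredAccess"), indent=2))
```

Because the group policy names exactly one role ARN, the client can revoke access at any time by deleting the child stack: the Unicorn-side group then points at a role that no longer exists, and the DELETE_COMPLETE notification removes the group as well.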

Conclusion

Every IAM user in the IAM group can now Switch Role using the client AWS account id and the role name (sent by email).

Pros :

  • Easy to set up for the client
  • No special knowledge required for the client
  • Access to the client AWS account without managing the account itself (e.g. billing)
  • Reusable across multiple clients
  • The client can remove or change the access at any time (by deleting or updating the stack)

Cons :

  • Not for CloudFormation beginners
  • To see the billing, the client needs to enable it manually.

Learn more about Switch Roles at https://aws.amazon.com/blogs/security/enable-a-new-feature-in-the-aws-management-console-cross-account-access/.