Security - Ops Automator


When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This shared model can reduce your operational burden because AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate. For more information about security on AWS, visit the AWS Cloud Security page.

IAM roles

AWS Identity and Access Management (IAM) roles enable customers to assign granular access policies and permissions to services and users on the AWS Cloud. Ops Automator creates an IAM role in the primary account that includes all the required permissions to perform actions on specific resources.

When you launch the role AWS CloudFormation template in a secondary account, the solution creates the applicable IAM role with least-privilege access in that secondary account. This IAM role in the secondary account has a trust policy that names the IAM role in the primary account, allowing the primary account's role to assume it and access resources in the secondary account.

Solution-generated roles

Ops Automator automatically creates stacks and IAM roles that can grant additional permissions to the solution’s main AWS Lambda function. To mitigate the risk of unauthorized access to the solution’s main Lambda function and roles, AWS recommends that you deploy the solution in an isolated and tightly controlled management account, and limit access to that account.

To further isolate the solution, AWS recommends that you create a separate IAM role with the following permissions in the primary account:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1499433973000",
            "Effect": "Allow",
            "Action": [
                "sns:CreateTopic",
                "sns:DeleteTopic",
                "sns:ListTopics",
                "sns:GetTopicAttributes",
                "sns:SetTopicAttributes",
                "iam:CreateRole",
                "iam:UpdateRole",
                "iam:DeleteRole",
                "iam:AttachRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:GetRole",
                "iam:PassRole",
                "iam:ListRoles",
                "iam:DetachRolePolicy",
                "iam:PutRolePolicy",
                "dynamodb:CreateTable",
                "dynamodb:UpdateTable",
                "dynamodb:DeleteTable",
                "dynamodb:DescribeTable",
                "events:*",
                "logs:*",
                "lambda:*",
                "s3:CreateBucket",
                "s3:PutObject",
                "s3:DeleteBucket",
                "s3:PutObjectAcl",
                "s3:ListBucket",
                "s3:GetObject",
                "s3:GetLifecycleConfiguration",
                "s3:PutLifecycleConfiguration",
                "cloudformation:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Use this role, rather than an administrator identity, to launch the ops-automator AWS CloudFormation template. Doing so restricts unauthorized access to the solution's AWS Lambda functions and roles.

For secondary accounts, use IAM roles to prevent non-administrators from creating, deleting, or updating tags, since tags drive which resources the solution acts on. AWS recommends that you review the access levels granted by the solution templates and modify them, if necessary.
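The following Python script is an added example, not code from the Ops Automator solution. It covers two points from this section: it builds the kind of cross-account trust policy the secondary-account role carries (naming only the primary account's role as principal), and it audits the launch-role policy shown above for the grants a reviewer would want to scope down before using it. The account ID and role name it uses are constructed placeholders, and the trust-policy shape is a standard sts:AssumeRole statement rather than the solution's exact template output.

```python
"""Added example (not part of the Ops Automator solution): build a
cross-account trust policy and audit a launch policy for broad grants."""
import json

# Launch-role policy exactly as published on this page (wildcards kept).
LAUNCH_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt1499433973000",
        "Effect": "Allow",
        "Action": [
            "sns:CreateTopic", "sns:DeleteTopic", "sns:ListTopics",
            "sns:GetTopicAttributes", "sns:SetTopicAttributes",
            "iam:CreateRole", "iam:UpdateRole", "iam:DeleteRole",
            "iam:AttachRolePolicy", "iam:DeleteRolePolicy", "iam:GetRole",
            "iam:PassRole", "iam:ListRoles", "iam:DetachRolePolicy",
            "iam:PutRolePolicy",
            "dynamodb:CreateTable", "dynamodb:UpdateTable",
            "dynamodb:DeleteTable", "dynamodb:DescribeTable",
            "events:*", "logs:*", "lambda:*",
            "s3:CreateBucket", "s3:PutObject", "s3:DeleteBucket",
            "s3:PutObjectAcl", "s3:ListBucket", "s3:GetObject",
            "s3:GetLifecycleConfiguration", "s3:PutLifecycleConfiguration",
            "cloudformation:*",
        ],
        "Resource": ["*"],
    }],
}


def trust_policy(primary_account_id, primary_role_name):
    """Trust policy for the secondary-account role: only the named role in
    the primary account may assume it. Arguments are placeholders chosen
    by the caller; the solution's template supplies the real values."""
    principal = f"arn:aws:iam::{primary_account_id}:role/{primary_role_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal},
            "Action": "sts:AssumeRole",
        }],
    }


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource."""
    return [value] if isinstance(value, str) else list(value or [])


def services_granted(policy):
    """Sorted set of service prefixes an Allow policy touches."""
    services = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            for action in _as_list(stmt.get("Action")):
                services.add(action.split(":", 1)[0])
    return sorted(services)


def audit_policy(policy):
    """Findings a reviewer would raise: service-wide wildcard actions,
    unscoped resources, and iam:PassRole that is not limited to role ARNs."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            if action.endswith(":*"):
                findings.append(f"{sid}: service-wide wildcard action {action}")
        if "*" in resources:
            findings.append(f"{sid}: Resource '*' applies to {len(actions)} actions")
            if "iam:PassRole" in actions:
                findings.append(f"{sid}: iam:PassRole not scoped to specific role ARNs")
    return findings


if __name__ == "__main__":
    # Placeholder account ID and role name (constructed, not real).
    print(json.dumps(trust_policy("111111111111", "OpsAutomatorPrimaryRole"), indent=2))
    print("services:", ", ".join(services_granted(LAUNCH_POLICY)))
    for finding in audit_policy(LAUNCH_POLICY):
        print("finding:", finding)
```

Running the audit against the published policy reports the four service-wide wildcards (events, logs, lambda, cloudformation), the unscoped Resource, and the unscoped iam:PassRole; these are the grants to narrow in the primary account before using the role to launch the stack.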