Account Group Advanced Access Control (AG AAC) is an opt-in (with simple one click opt-out after opting-in) Team setting that allows for AWS Account level user access control.
AG AAC leverages the GorillaStack enterprise feature User Groups to grant specific Users privilege to access particular AWS Accounts in Rules.
AG AAC satisfies the requirements of the typical enterprise Team who wish to delegate individual AWS Account ownership responsibilities to different internal teams while ensuring that no User has the capacity to interact with AWS Accounts outside of their delegated control.
The User Groups enterprise feature must be enabled for your Team
All Rules must be owned by a User Group
All Rule contexts must only select either AWS Account Groups or AWS Accounts (no 'All AWS Accounts' selection allowed)
After satisfying the prerequisites above, click the Team Menu, then Team Settings
Click Account Group Advanced Access Control toggle to switch it to the Enabled position
Click the Save button
After AG AAC is enabled you will notice that the Rule form behaves differently to how it did before. What is different:
When creating a new Rule you are forced to first select a User Group
When setting the Rule context you will only be able to select AWS accounts which are included in AWS Account Groups allowed for your selected User Group. Users will also be able to select AWS Account Groups
After selecting an AWS Account or allowed AWS Account Group, returning to the Rule overview you will notice a lock symbol next to the User Group selector. If you click the selector you will be given some help text indicating that you are not allowed to change the User Group after setting the account context
When you wish to either add or remove AWS Account Groups from the allowed AWS Account Groups for a User Group:
Click the Team Menu, then User Management
Click User Groups
Click on the elipsis in the Actions column beside the User Group you wish to modify and click Edit User Group
Use the Allowed Account Groups dropdown selector to add/remove allowed Account Groups
Click Update User Group
If already enabled, Click the Team Menu, then Team Settings
Click Account Group Advanced Access Control toggle to switch it to the Disabled position
Click the Save button
Typically an organization will task one or many employees with the responsibility to act as administrators for their GorillaStack Team. These administrator users are typically assigned roles within GorillaStack granting full privilege, enabling access to control all GorillaStack entities within the Team. When AG AAC is enabled there are some extra considerations that need to be made in order to control all AWS Account Groups and Rules.
When AG AAC is enabled, follow these guidelines to ensure your administrator users have full access to all GorillaStack entities:
Keep in mind that Rules owned by User Groups are only visible to the owning User Group's members. By including administrator Users in all User Groups you ensure administrators have full visibility across all Rules.
The purpose of this administrator User Group is clear when we consider how AWS Account Group access control decisions are made when AG AAC is enabled.
Access to an AWS Account Group:
The administrator User Group should include all AWS Account Groups as Allowed Account Groups, ensuring Administrators have full access to all AWS Account Groups.