Account Group Advanced Access Control
Account Group Advanced Access Control (AG AAC) is an opt-in (with simple one click opt-out after opting-in) Team setting that allows for AWS Account level user access control.
AG AAC leverages the GorillaStack enterprise feature User Groups to grant specific Users privilege to access particular AWS Accounts in Rules.
AG AAC satisfies the requirements of the typical enterprise Team who wish to delegate individual AWS Account ownership responsibilities to different internal teams while ensuring that no User has the capacity to interact with AWS Accounts outside of their delegated control.
AG AAC Prerequisites
- The User Groups enterprise feature must be enabled for your Team
- All Rules must be owned by a User Group
- All Rule contexts must only select either AWS Account Groups or AWS Accounts (no 'All AWS Accounts' selection allowed)
It is important to note that the AG AAC prerequisites force Users to define a relationship between a User Group's Rules and the AWS Accounts and Account Groups selected within Contexts. When enabling AG AAC the relationship between User Groups and AWS Account Groups across all Rules are used to define the initial state of privilege for User Groups. At the time of enabling AG AAC a new AWS Account Group will be generated by GorillaStack to include any selected AWS Accounts not already included in a selected AWS Account Group. This generated AWS Account Group will be made an Allowed Account Group, preserving the relationship between a User Group's Rules and the AWS Accounts and Account Groups selected in its Contexts.
Enabling AG AAC
- After satisfying the prerequisites above, click the Team Menu, then Team Settings
- Click Account Group Advanced Access Control toggle to switch it to the Enabled position
- Click the Save button
After AG AAC Is Enabled
After AG AAC is enabled you will notice that the Rule form behaves differently to how it did before. What is different:
- When creating a new Rule you are forced to first select a User Group
- When setting the Rule context you will only be able to select AWS accounts which are included in AWS Account Groups allowed for your selected User Group. Users will also be able to select AWS Account Groups
- After selecting an AWS Account or allowed AWS Account Group, returning to the Rule overview you will notice a lock symbol next to the User Group selector. If you click the selector you will be given some help text indicating that you are not allowed to change the User Group after setting the account context
Modifying Allowed Account Groups For A User Group
When you wish to either add or remove AWS Account Groups from the allowed AWS Account Groups for a User Group:
- Click the Team Menu, then User Management
- Click User Groups
- Click on the elipsis in the Actions column beside the User Group you wish to modify and click Edit User Group
- Use the Allowed Account Groups dropdown selector to add/remove allowed Account Groups
- Click Update User Group
You will notice that you cannot remove Account Groups that are currently in use in Rule contexts. When updating AWS Account Groups (with AG AAC enabled) you will not be able to remove AWS Accounts that are both selected in Rule Contexts and not included in any other Allowed Account Group.
Disabling AG AAC
- If already enabled, Click the Team Menu, then Team Settings
- Click Account Group Advanced Access Control toggle to switch it to the Disabled position
- Click the Save button
Best Practices for AG AAC
Typically an organization will task one or many employees with the responsibility to act as administrators for their GorillaStack Team. These administrator users are typically assigned roles within GorillaStack granting full privilege, enabling access to control all GorillaStack entities within the Team. When AG AAC is enabled there are some extra considerations that need to be made in order to control all AWS Account Groups and Rules.
When AG AAC is enabled, follow these guidelines to ensure your administrator users have full access to all GorillaStack entities:
Administrator Users should be included as members of all User Groups
Keep in mind that Rules owned by User Groups are only visible to the owning User Group's members. By including administrator Users in all User Groups you ensure administrators have full visibility across all Rules.
Maintain a User Group dedicated for only administrator Users
The purpose of this administrator User Group is clear when we consider how AWS Account Group access control decisions are made when AG AAC is enabled.
Access to an AWS Account Group:
- not referenced as an Allowed Account Group in any User Group is determined by the role a user is assigned at the Team level
- referenced only in User Groups a User is not a member of will be completely restricted
- referenced in one or many User Groups a User is a member of will be governed at the maximal level of privilege granted by a role in related member User Groups
The administrator User Group should include all AWS Account Groups as Allowed Account Groups, ensuring Administrators have full access to all AWS Account Groups.