Account Group Advanced Access Control

Account Group Advanced Access Control (AG AAC) is an opt-in (with simple one click opt-out after opting-in) Team setting that allows for AWS Account level user access control.

AG AAC leverages the GorillaStack enterprise feature User Groups to grant specific Users privilege to access particular AWS Accounts in Rules.

AG AAC satisfies the requirements of the typical enterprise Team who wish to delegate individual AWS Account ownership responsibilities to different internal teams while ensuring that no User has the capacity to interact with AWS Accounts outside of thier delegated control.

AG AAC Prerequisites

  1. The User Groups enterprise feature must be enabled for your Team

  2. All Rules must be owned by a User Group

  3. All Rule contexts must only select AWS Account Groups (no 'All AWS Accounts' selection nor explicit AWS account selections allowed)

It is important to note that the AG AAC prerequisites force Users to define a relationship between the User Group owning a Rule and the Account Groups selected within it's context. When enabling AG AAC the relationships between User Groups and AWS Account Groups across all Rules are used to define the initial state of privilege for User Groups.

Enabling AG AAC

  1. After satisfying the prerequisites above, click the Team Menu, then Team Settings

  2. Click Account Group Advanced Access Control toggle to switch it to the Enabled position

  3. Click the Save button

After AG AAC Is Enabled

After AG AAC is enabled you will notice that the Rule form behaves differently to how it did before. What is different:

  1. When creating a new Rule you are forced to first select a User Group

  2. When setting the Rule context you will only be able to select AWS accounts via the AWS Account Groups allowed for your selected User Group

  3. After selecting an allowed AWS Account Group, returning to the Rule overview you will notice a lock symbol next to the User Group selector. If you click the selector you will be given some help text indicating that you are not allowed to change the User Group after setting the account context

Modifying Allowed Account Groups For A User Group

When you wish to either add or remove AWS Account Groups from the allowed AWS Account Groups for a User Group:

  1. Click the Team Menu, then User Management

  2. Click User Groups

  3. Click on the elipsis in the Actions column beside the User Group you wish to modify and click Edit User Group

  4. Use the Allowed Account Groups dropdown selector to add/remove allowed Account Groups

  5. Click Update User Group

You will notice that you cannot remove Account Groups that are currently in use in Rule contexts

Disabling AG AAC

  1. If already enabled, Click the Team Menu, then Team Settings

  2. Click Account Group Advanced Access Control toggle to switch it to the Disabled position

  3. Click the Save button