Account Group Advanced Access Control

Account Group Advanced Access Control (AG AAC) is an opt-in (with simple one click opt-out after opting-in) Team setting that allows for AWS Account level user access control.

AG AAC leverages the GorillaStack enterprise feature User Groups to grant specific Users privilege to access particular AWS Accounts in Rules.

AG AAC satisfies the requirements of the typical enterprise Team who wish to delegate individual AWS Account ownership responsibilities to different internal teams while ensuring that no User has the capacity to interact with AWS Accounts outside of thier delegated control.

AG AAC Prerequisites

  1. The User Groups enterprise feature must be enabled for your Team

  2. All Rules must be owned by a User Group

  3. All Rule contexts must only select either AWS Account Groups or AWS Accounts (no 'All AWS Accounts' selection allowed)

It is important to note that the AG AAC prerequisites force Users to define a relationship between a User Group's Rules and the AWS Accounts and Account Groups selected within Contexts. When enabling AG AAC the relationship between User Groups and AWS Account Groups across all Rules are used to define the initial state of privilege for User Groups. At the time of enabling AG AAC a new AWS Account Group will be generated by GorillaStack to include any selected AWS Accounts not already included in a selected AWS Account Group. This generated AWS Account Group will be made an Allowed Account Group, preserving the relationship between a User Group's Rules and the AWS Accounts and Account Groups selected in its Contexts.

Enabling AG AAC

  1. After satisfying the prerequisites above, click the Team Menu, then Team Settings

  2. Click Account Group Advanced Access Control toggle to switch it to the Enabled position

  3. Click the Save button

After AG AAC Is Enabled

After AG AAC is enabled you will notice that the Rule form behaves differently to how it did before. What is different:

  1. When creating a new Rule you are forced to first select a User Group

  2. When setting the Rule context you will only be able to select AWS accounts which are included in AWS Account Groups allowed for your selected User Group. Users will also be able to select AWS Account Groups

  3. After selecting an AWS Account or allowed AWS Account Group, returning to the Rule overview you will notice a lock symbol next to the User Group selector. If you click the selector you will be given some help text indicating that you are not allowed to change the User Group after setting the account context

Modifying Allowed Account Groups For A User Group

When you wish to either add or remove AWS Account Groups from the allowed AWS Account Groups for a User Group:

  1. Click the Team Menu, then User Management

  2. Click User Groups

  3. Click on the elipsis in the Actions column beside the User Group you wish to modify and click Edit User Group

  4. Use the Allowed Account Groups dropdown selector to add/remove allowed Account Groups

  5. Click Update User Group

You will notice that you cannot remove Account Groups that are currently in use in Rule contexts. When updating AWS Account Groups (with AG AAC enabled) you will not be able to remove AWS Accounts that are both selected in Rule Contexts and not included in any other Allowed Account Group.

Disabling AG AAC

  1. If already enabled, Click the Team Menu, then Team Settings

  2. Click Account Group Advanced Access Control toggle to switch it to the Disabled position

  3. Click the Save button