Account Group Advanced Access Control (AG AAC) is an opt-in Team setting (with a simple one-click opt-out after opting in) that enforces user access control at the level of individual AWS Accounts.
AG AAC builds on the GorillaStack enterprise User Groups feature to grant specific Users the privilege to reference particular AWS Accounts in Rules.
AG AAC meets the needs of the typical enterprise Team that wants to delegate ownership of individual AWS Accounts to different internal teams while ensuring that no User can interact with AWS Accounts outside of their delegated control.
Before enabling AG AAC, three prerequisites must be met:
The User Groups enterprise feature must be enabled for your Team
All Rules must be owned by a User Group
All Rule contexts must select only AWS Account Groups or individual AWS Accounts (the 'All AWS Accounts' selection is not permitted)
After satisfying the prerequisites above, click the Team Menu, then Team Settings
Click Account Group Advanced Access Control toggle to switch it to the Enabled position
Click the Save button
After AG AAC is enabled you will notice that the Rule form behaves differently from before. What is different:
When creating a new Rule you must first select a User Group
When setting the Rule context you will only be able to select AWS Accounts that are included in the AWS Account Groups allowed for your selected User Group. You can also select those allowed AWS Account Groups directly
After selecting an AWS Account or an allowed AWS Account Group, returning to the Rule overview you will notice a lock symbol next to the User Group selector. If you click the selector, help text explains that the User Group cannot be changed once the account context has been set
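To make the access model above concrete, the following is an added illustrative example, not GorillaStack's own code: a small Python model of the checks the Rule form enforces once AG AAC is enabled. A Rule must have an owning User Group, its context may not select 'All AWS Accounts', any selected AWS Account Group must be in the owning User Group's allowed list, any individually selected AWS Account must belong to at least one allowed Account Group, and the owning User Group is locked once any account context is set. The account IDs, group names, and function names are constructed for the example.

```python
"""Illustrative model of the AG AAC authorization checks (not GorillaStack code)."""
from dataclasses import dataclass, field

# Constructed sample data for the example: AWS Account Group membership, and the
# Account Groups each User Group is allowed to use (set via Edit User Group).
ACCOUNT_GROUPS = {
    "payments-prod": {"111111111111", "222222222222"},
    "payments-dev": {"333333333333"},
    # An account may belong to more than one Account Group.
    "data-platform": {"444444444444", "222222222222"},
}
USER_GROUP_ALLOWED_GROUPS = {
    "payments-team": {"payments-prod", "payments-dev"},
    "data-team": {"data-platform"},
}


@dataclass
class RuleContext:
    """What a Rule's context selects: Account Groups, individual Accounts, or 'All'."""
    account_groups: set = field(default_factory=set)
    accounts: set = field(default_factory=set)
    all_accounts: bool = False  # the 'All AWS Accounts' selection

    def is_set(self):
        return bool(self.account_groups or self.accounts or self.all_accounts)


def allowed_accounts_for(user_group):
    """Accounts the Rule form will offer for a User Group: the union of the
    members of every Account Group allowed for that User Group."""
    visible = set()
    for group in USER_GROUP_ALLOWED_GROUPS.get(user_group, set()):
        visible |= ACCOUNT_GROUPS.get(group, set())
    return visible


def validate_rule(owner_user_group, context):
    """Return a list of violations; an empty list means the Rule is permitted."""
    problems = []
    if owner_user_group is None:
        # Prerequisite: every Rule must be owned by a User Group.
        return ["rule must be owned by a User Group"]
    if owner_user_group not in USER_GROUP_ALLOWED_GROUPS:
        return [f"unknown User Group {owner_user_group!r}"]
    if context.all_accounts:
        problems.append("'All AWS Accounts' is not permitted under AG AAC")

    allowed_groups = USER_GROUP_ALLOWED_GROUPS[owner_user_group]
    # A selected Account Group must itself be allowed, even if its accounts
    # happen to overlap with an allowed group.
    for group in sorted(context.account_groups - allowed_groups):
        problems.append(f"Account Group {group!r} is not allowed for {owner_user_group!r}")
    # An individually selected account must sit in at least one allowed group.
    visible = allowed_accounts_for(owner_user_group)
    for account in sorted(context.accounts - visible):
        problems.append(f"AWS Account {account} is outside {owner_user_group!r}'s delegated control")
    return problems


def can_change_owner(context):
    """The User Group selector is locked once any account context has been set."""
    return not context.is_set()


if __name__ == "__main__":
    ctx = RuleContext(accounts={"444444444444"})
    for problem in validate_rule("payments-team", ctx):
        print("denied:", problem)
    print("owner changeable:", can_change_owner(ctx))
```

The check that matters for least privilege is the second loop: even when an Account Group and an individual Account are both valid selections in the UI, a User can only ever land on accounts reachable through their own User Group's allowed Account Groups, so delegating an Account Group to one team never widens what another team's Rules can touch.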
To add or remove AWS Account Groups from the allowed AWS Account Groups for a User Group:
Click the Team Menu, then User Management
Click User Groups
Click the ellipsis in the Actions column beside the User Group you wish to modify, then click Edit User Group
Use the Allowed Account Groups dropdown selector to add/remove allowed Account Groups
Click Update User Group
To disable AG AAC once it has been enabled, click the Team Menu, then Team Settings
Click Account Group Advanced Access Control toggle to switch it to the Disabled position
Click the Save button