
Accessing AWS accounts

How we access AWS accounts

We have two common methods for accessing AWS accounts:

Single Sign-On access

Using a web browser, an authenticated user can navigate to the SSO landing page and select an AWS account. The portal lets them log in to the AWS console with the privileges assigned to them for that account, or retrieve temporary credentials (an access key ID, secret access key and session token) for programmatic access.

Superuser account access

NB: Superuser access is retained for emergencies. In most cases SSO access is preferred.

Using a web browser, a user with a superuser account can navigate to the AWS console and log into the Modernisation Platform account with their firstname.lastname-superadmin account. From there the user assumes an IAM role to obtain the required privileges by opening the username @ account-id dropdown and selecting Switch Role.

How we use AWS accounts

We make use of our AWS accounts through web browsers, command line tools, and with CI automation. For command line access we prefer to use the tool AWS Vault for the secure storage of credentials and automatic role assumption.

How privileged AWS roles are created

The relevant configuration for superuser accounts is defined in code here and also here.

In brief, a new user would be added to the modernisation-platform-terraform-iam-superadmins project and a new tag would be created. Following this the modernisation-platform-account/iam.tf would be updated to reference this new tag.

The relevant configuration for application accounts is also defined in code with a common module here.

This code defines a cross-account access role that can be assumed by an administrator. It is applied as part of a common baseline for application accounts.
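The cross-account role described above, like the role a superuser switches into, is only as safe as its trust policy. The following is an added example, not the Modernisation Platform's own Terraform or module code: it builds the trust policy for such a role and checks an existing one, flagging a wildcard principal, principals outside the expected administrator account, and a missing MFA condition. The account IDs and the `WEAK_TRUST_POLICY` are constructed placeholders.

```python
"""Trust policy for a cross-account administrator role, plus a checker for existing ones.

Added example, not the Modernisation Platform's own code. Account IDs are constructed
placeholders; the policy shapes follow the AWS IAM policy grammar.
"""
import json
import re
from typing import Optional

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def build_trust_policy(admin_account_id: str, require_mfa: bool = True) -> dict:
    """Trust policy allowing principals in admin_account_id to assume this role.

    Trusting the account root delegates to that account's own IAM policies the
    decision of which of its principals may actually call sts:AssumeRole.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{admin_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        # Only satisfied by sessions that IAM itself knows were MFA-authenticated.
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def account_id_from_principal(value: str) -> Optional[str]:
    """'123456789012' or 'arn:aws:iam::123456789012:...' -> '123456789012'."""
    if ACCOUNT_ID_RE.match(value):
        return value
    parts = value.split(":")
    if len(parts) >= 6 and parts[0] == "arn" and parts[2] in ("iam", "sts"):
        return parts[4]
    return None


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy: dict, allowed_account_ids: set) -> list:
    """Return a list of problems with a role trust policy (empty list == looks safe).

    Every Allow statement granting sts:AssumeRole is checked for:
      * a wildcard principal (anyone with an AWS account could assume the role),
      * principals outside the expected administrator accounts,
      * a missing aws:MultiFactorAuthPresent condition.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue

        principal = stmt.get("Principal")
        if principal == "*":
            findings.append(f"statement {idx}: wildcard principal '*'")
            aws_principals = []
        elif isinstance(principal, dict):
            aws_principals = _as_list(principal.get("AWS"))
        else:
            aws_principals = []
        for value in aws_principals:
            if value == "*":
                findings.append(f"statement {idx}: wildcard principal '*'")
                continue
            account = account_id_from_principal(value)
            if account is None or account not in allowed_account_ids:
                findings.append(
                    f"statement {idx}: principal {value} is outside the allowed accounts"
                )

        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            findings.append(f"statement {idx}: no aws:MultiFactorAuthPresent=true condition")
    return findings


ADMIN_ACCOUNT = "111111111111"  # constructed placeholder for the administrator account

# Constructed weak policy: any AWS principal may assume the role and no MFA is required.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}
    ],
}

HARDENED_TRUST_POLICY = build_trust_policy(ADMIN_ACCOUNT)

if __name__ == "__main__":
    print(json.dumps(HARDENED_TRUST_POLICY, indent=2))
    for name, policy in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(name, trust_policy_findings(policy, {ADMIN_ACCOUNT}) or ["no findings"])
```

One caveat on the MFA condition: a console session started by an IAM user who signed in with MFA (the superuser path above) carries aws:MultiFactorAuthPresent=true, so Switch Role works. SSO-federated sessions and long-term access keys do not set that key to true, so apply the condition only to roles reached through IAM users, or trust a specific role ARN instead of the account root for SSO-driven access.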

This page was last reviewed on 22 December 2023. It needs to be reviewed again on 22 June 2024 by the page owner #modernisation-platform.