AWS Account Access¶
Archived (pre-2022)
Preserved for reference only -- likely outdated. Last updated: January 2021
Overview¶
Fyber N.V. operates multiple AWS accounts across different teams and product pipelines. Access to these accounts is federated through ADFS, which is installed and maintained by Office IT. Any user assigned to a given AWS account signs in with their own AD credentials rather than with a per-account IAM user.
The following diagram illustrates how access to the AWS console is performed:

AWS-ADFS Accounts¶
Access to AWS resources is granted through membership of an ADFS group; each group maps to a corresponding IAM role in the target AWS account.
Roles capabilities¶
One set of AD groups is mapped to AWS roles per AWS environment:
| ADFS group | AWS role | Who is there | AWS Services Permissions | User/Key_Pairs Mgmt | Billing Mgmt |
|---|---|---|---|---|---|
| ADFS-ENV-ADMIN | ADMIN | IT-Ops (Core) | Services Full Access | | |
| ADFS-ENV-SITEOPS | SITEOPS | Site-Ops | Services Full Access | | |
| ADFS-ENV-DEV | DEV | Squads/Devs | Services Full Access | | |
| ADFS-ENV-SEC | SEC | Security | Read Only Access | | |
| ADFS-ENV-MGMT | MGMT | Management | Services Full Access | | |
where ENV is one of PROD, STG or ENG.
Note that every group except ADFS-ENV-SEC grants full access to AWS services; only the security group is read-only. The user/key-pair and billing management columns were left blank on the original page.
SAML configuration setup¶
Consolidated user management in AWS is intended to provide a single access point and to manage only users registered in Active Directory. The setup uses the SAML 2.0 single sign-on (SSO) federation supported by AWS, configured separately in each account.
The SAML provider in each account uses the following ARN: arn:aws:iam::ACCOUNT_ID:saml-provider/ADFS
where ACCOUNT_ID is the ID of that linked (consolidated) AWS account.
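The group-to-role mapping and the per-account SAML provider described above can be generated and checked from one small script. The following is an added example, not Fyber's own tooling. It assumes (the page does not state this) that each IAM role carries the same name as its AD group (for example ADFS-PROD-DEV) and that ADFS emits the standard AWS `Role` claim as a `<provider-arn>,<role-arn>` pair; the account IDs used are made up.

```python
"""Helpers for the ADFS-to-AWS SAML federation described on this page.

Added example; not Fyber's own tooling. Assumptions not stated on the page:
the IAM role has the same name as its AD group (e.g. ADFS-PROD-DEV), and ADFS
sends the standard AWS "Role" claim as "<provider-arn>,<role-arn>".
"""
import json
import re

SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"  # fixed audience AWS expects
PROVIDER_NAME = "ADFS"                                # provider name used on this page
ENVIRONMENTS = ("PROD", "STG", "ENG")
ROLE_KINDS = ("ADMIN", "SITEOPS", "DEV", "SEC", "MGMT")

# account id, resource kind, resource name (role names may carry a path)
_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(saml-provider|role)/([\w+=.@/-]+)$")


def saml_provider_arn(account_id: str) -> str:
    """ARN of the per-account SAML provider, in the form given on this page."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError(f"bad account id: {account_id}")
    return f"arn:aws:iam::{account_id}:saml-provider/{PROVIDER_NAME}"


def group_to_role_arn(account_id: str, group: str) -> str:
    """Map an AD group such as ADFS-PROD-DEV to the IAM role of the same name
    (assumed naming). Names outside the ADFS-ENV-KIND scheme are rejected so a
    typo in a claim rule cannot map a user to an unexpected role."""
    parts = group.split("-")
    if (len(parts) != 3 or parts[0] != PROVIDER_NAME
            or parts[1] not in ENVIRONMENTS or parts[2] not in ROLE_KINDS):
        raise ValueError(f"group {group!r} does not follow ADFS-ENV-KIND")
    return f"arn:aws:iam::{account_id}:role/{group}"


def role_claim(account_id: str, group: str) -> str:
    """Value ADFS must place in the AWS Role claim for one group."""
    return f"{saml_provider_arn(account_id)},{group_to_role_arn(account_id, group)}"


def parse_role_claim(value: str, expected_account: str) -> tuple:
    """Split a Role claim into (provider_arn, role_arn), accepting either ARN
    order, and verify that the provider is this account's ADFS provider and
    that the role lives in the same account. A claim pointing a user at a
    role in another account is refused rather than passed on."""
    parts = value.split(",")
    if len(parts) != 2:
        raise ValueError("Role claim must be '<provider-arn>,<role-arn>'")
    found = {}
    for arn in parts:
        m = _ARN_RE.match(arn)
        if not m:
            raise ValueError(f"not an IAM ARN: {arn}")
        found[m.group(2)] = (m.group(1), m.group(3), arn)
    if set(found) != {"saml-provider", "role"}:
        raise ValueError("claim needs exactly one provider ARN and one role ARN")
    p_acct, p_name, provider_arn = found["saml-provider"]
    r_acct, _, role_arn = found["role"]
    if p_name != PROVIDER_NAME:
        raise ValueError(f"unexpected SAML provider: {provider_arn}")
    if p_acct != expected_account or r_acct != expected_account:
        raise ValueError(f"provider and role must both belong to {expected_account}")
    return provider_arn, role_arn


def trust_policy(account_id: str) -> dict:
    """Trust policy every ADFS-* role needs: only this account's ADFS provider
    may assume it, and only for the AWS sign-in audience."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": saml_provider_arn(account_id)},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }],
    }


def trust_policy_findings(policy: dict, account_id: str) -> list:
    """Audit an existing role trust policy (e.g. the AssumeRolePolicyDocument
    returned by `aws iam get-role`) and list deviations from trust_policy():
    foreign or non-SAML principals, a missing SAML action, or no audience."""
    findings = []
    want_provider = saml_provider_arn(account_id)
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if set(principal) != {"Federated"}:
            findings.append(f"non-SAML principal allowed: {sorted(principal)}")
        federated = principal.get("Federated")
        if federated and federated != want_provider:
            findings.append(f"trusts foreign provider {federated}")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRoleWithSAML" not in actions:
            findings.append(f"unexpected actions {actions}")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != SAML_AUDIENCE:
            findings.append("SAML:aud condition missing or wrong")
    return findings


if __name__ == "__main__":
    acct = "111111111111"  # made-up account id
    print(role_claim(acct, "ADFS-PROD-DEV"))
    print(json.dumps(trust_policy(acct), indent=2))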
The AWS accounts currently in the Fyber N.V. Organisation are registered with the SAML provider and mapped to Active Directory as follows (cells left blank were not recorded on the original page):
| Account Name | Account ID | ADFS | Contact | Root account MFA | IAM Users | Root MFA | Federated Name | LastPass name | Authy name | Product Line | Status | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Fyber NV (Master) | 779541029934 | - | Authy | Fyber NV | aws.fyber-nv@fyber.com | AWS Fyber NV consolidated root | Amazon Web Services:root-account@fyber-nv | Root account | ||||
| prod-it-ops | 399422659513 | Authy | DevOps BLN team | prod-it-ops | hostmaster@sponsorpay.com | Amazon AWS | root-account-mfa-device@prod-it-ops | Legacy OFW | only one old instance left - ci.fyber.com | |||
| prd-fyber | 767648288756 | Authy | DevOps BLN team | prd-fyber | aws.tracker@fyber.com | AWS Tracker master | root-aws@prd-fyber | OFW, UA | Used | |||
| stg-fyber | 399797994004 | Authy | DevOps BLN team | stg-fyber | aws-hellocloud@fyber.com | AWS Tracker STaging | root-account-mfa-device@stg-fyber | OFW, UA | Used | |||
| research-development | 751747988410 | Authy | DevOps BLN team | Fyber Engineering | eng.aws@fyber.com | Fyber Engineering | Amazon Web Services: eng.aws@fyber.com | Unused | ||||
| business-intelligence | 438700835019 | Authy | DevOps BLN team | Business Intelligence | aws.bi@fyber.com | AWS - BI | aws.bi@fyber.com | Unused | ||||
| Training Admin | 390237625985 | Authy | XXX | aws.training@fyber.com | amazon.com | aws.training@fyb@390237265985 | Unused | |||||
| Security STG | 763734646817 | Authy | DevOps BLN team | Security - STG | aws.sec@fyber.com | AWS Security - STG | AWS:root-account@security-staging | Unused | ||||
| Office IT | 862975725731 | Authy | Office IT | aws.oit@fyber.com | AWS for OIT | AWS:OIT-root-account-mfa-device@862975725731 | Office IT | Used | ||||
| qa-fyber | 642716723282 | Authy | DevOps BLN team | qa-fyber | aws.prd@fyber.com | AWS PRD | root-aws.prd.mail@qa-fyber | Unused | ||||
| RTB STG | 451181776686 | - | Silvestre Abruzzo | RTB Team DevOps BLN team | Henrik Basten | aws-dev@falktec.com | AWS RTB Staging root | AWS@fyber-rtb-staging | Unused | |||
| Heyzap | 985205117128 | - | Christopher Zutler | aws.heyzap-prod@fyber.com | ? | |||||||
| RTB PRD | 197992572051 | - | Silvestre Abruzzo | RTB Team DevOps BLN team | Henrik Basten | aws-aunia@falktec.com | AWS RTB Production root | AWS@fyber-rtb-prod | Unused | |||
| Inn Dev | 931733775016 | - | Inn Team | aws_dev | aws.inn-dev@fyber.com | Marketplace | ||||||
| Inn STG | 747288866571 | - | Inn Team | aws_staging | aws.inn-staging@fyber.com | Marketplace | ||||||
| Inn PRD | 003250186609 | - | Inn Team, Berlin Team | Inneractive USA, INC. | aws.inn-prod@fyber.com | Marketplace, FairBid | Used | |||||
| ~~Inn External~~ | ~~136403196126~~ | ~~-~~ | ~~Inn Team~~ | ~~aws_external~~ | ~~aws.inn-external@fyber.com~~ | |||||||
| Inn QA | 311878954612 | - | Inn Team | aws_qa | aws.inn-qa@fyber.com | |||||||
| ~~Inn 360~~ | ~~537374711774~~ | ~~-~~ | ~~Inn Team~~ | ~~aws_360~~ | ~~aws_360@inner-active.com~~ |
XML Metadata for SAML provider:
Accessing AWS dashboard¶
As mentioned previously, an authorised user reaches the AWS console through the ADFS IdP-initiated sign-on page: Adfs - Idpinitiatedsignon.Aspx
Select AWS from the drop-down list on the SSO dashboard:

Enter the personal AD credentials provided by Office IT:

Once logged in, the role-selection page lists only the roles that correspond to the ADFS groups the user belongs to. The following example shows a user who is a member of the ADFS ADMIN and TEST groups, each mapped to a different AWS account:

Once signed in, the AWS console header shows the mapped federated identity as USERNAME-AWSACCOUNT, as in the following example:
