Title | AWS Cloud Deployment Infrastructure |
---|---|
Use | Provides Docker Container services (ECS), Container image repository (ECR), Email Services(SES), Storage (S3), Monitoring (CloudWatch), Identify management. |
Owner | Operations Manager |
Location | AWS Management Console |
Cost | Billed by usage (currently using AWS credits) |
Billing | none but billing emails will be sent to Andrew Watkins andrew@pamfergusson.org.nz |
Access Control
AWS Access control uses a single AWS account and multiple IAM Accounts. All configuration and monitoring must be actioned through an AIM account. Root account is reserved only for account configuration.
Current status of accounts can be obtained via a credential report : https://console.aws.amazon.com/iam/home?#/credential_report
AWS Account - Root User
https://console.aws.amazon.com/iam/home#/security_credentials
AWS account ID: 585172581592
Canonical User ID: 49d36708bd8e37511df16e3fad899a3f5bc54cd55a8f02bc6b4e84c4225a1076
email: see lastpass
password: see lastpass.
2FA - enabled.
arn:aws:iam::585172581592:mfa/root-account-mfa-device - Andrew’s iPhone
TODO: - backup access to root AWS account
IAM Accounts
Each user is added through the IAM access form
https://console.aws.amazon.com/iam/home?region=ap-southeast-2#/users
Users are either people (admins) or Tools ( CI, email etc).
URL: https://585172581592.signin.aws.amazon.com/console
Admin Permissions Process
To be given admin rights you must:
Be a technical employee of Voluntarily
or be a trusted and experienced, long term contributor we have met in person.
have MFA enabled on your IAM account
Password policy allows alpha only passphrases but must be 15 chars or more.
To allocate a new admin the ‘Software Development Manager’ using the Root Account role will add a new IAM account for the person assigning the required permissions.
Revoking Permissions
Access will be revoked for a person:
No longer meeting the above requirements.
Not contributing a change to the platform for more than 12 months.
Any action causing malicious harm to the project/code base.
Any action breaking the code of conduct towards others.
Any illegal activity
Auditing Permissions and Changes
Current status of accounts can be obtained via a credential report : https://console.aws.amazon.com
Asset Backup and disaster recovery
All AWS deployments are generated from source code in the GitHub repository using CloudFormation scripts.
Hence the entire system can be removed and rebuilt so long as the database is maintained.
This is exercised as a matter of course as each deployment creates new ECS services and retires existing ones.
Impact of losing access to AWS
The highest risk would be losing access to AWS assets through not paying a bill or breaching terms of service. In this case we would have to rebuild the infrastructure on another Cloud Service Provider or local infrastructure (2-3 weeks).
Backup Process
N/A
Add Comment