AWS Cloud Deployment Infrastructure

Owned by Andrew Watkins
Last updated: 22-01-2020
2 min read

Title

AWS Cloud Deployment Infrastructure

Use

Provides Docker Container services (ECS), Container image repository (ECR), Email Services(SES), Storage (S3), Monitoring (CloudWatch), Identity management.

Owner

Operations Manager

Location

AWS Management Console

https://console.aws.amazon.com/console/home

 

Cost

Billed by usage (currently using AWS credits)

Billing

none but billing emails will be sent to

Andrew Watkins andrew@pamfergusson.org.nz

 

 

Access Control

AWS Access control uses a single AWS account and multiple IAM Accounts. All configuration and monitoring must be actioned through an AIM account. Root account is reserved only for account configuration.

Current status of accounts can be obtained via a credential report : https://console.aws.amazon.com/iam/home?#/credential_report

AWS Account - Root User

https://console.aws.amazon.com/iam/home#/security_credentials

AWS account ID: 585172581592

Canonical User ID: 49d36708bd8e37511df16e3fad899a3f5bc54cd55a8f02bc6b4e84c4225a1076

email: see lastpass

password: see lastpass.

2FA - enabled.

arn:aws:iam::585172581592:mfa/root-account-mfa-device - Andrew’s iPhone

TODO: - backup access to root AWS account

IAM Accounts

Each user is added through the IAM access form

https://console.aws.amazon.com/iam/home?region=ap-southeast-2#/users

Users are either people (admins) or Tools ( CI, email etc).

URL: https://585172581592.signin.aws.amazon.com/console

Admin Permissions Process

To be given admin rights you must:

  • Be a technical employee of Voluntarily

  • or be a trusted and experienced, long term contributor we have met in person.

  • have MFA enabled on your IAM account

  • Password policy allows alpha only passphrases but must be 15 chars or more.

     

To allocate a new admin the ‘Software Development Manager’ using the Root Account role will add a new IAM account for the person assigning the required permissions.

Revoking Permissions

Access will be revoked for a person:

  • No longer meeting the above requirements.

  • Not contributing a change to the platform for more than 12 months.

  • Any action causing malicious harm to the project/code base.

  • Any action breaking the code of conduct towards others.

  • Any illegal activity

Auditing Permissions and Changes

Current status of accounts can be obtained via a credential report : https://console.aws.amazon.com

Asset Backup and disaster recovery

All AWS deployments are generated from source code in the GitHub repository using CloudFormation scripts.

Hence the entire system can be removed and rebuilt so long as the database is maintained.

This is exercised as a matter of course as each deployment creates new ECS services and retires existing ones.

Impact of losing access to AWS

The highest risk would be losing access to AWS assets through not paying a bill or breaching terms of service. In this case we would have to rebuild the infrastructure on another Cloud Service Provider or local infrastructure (2-3 weeks).

Backup Process

N/A