GRACE IAM provides a basic configuration for AWS Identity and Access Management (IAM) that provides generic roles and groups for general-purpose AWS environments.
- Security Compliance
- Groups, Roles, and Policies
- Repository contents
- Usage
- Terraform Module Inputs
- Terraform Module Outputs
## Security Compliance
The GRACE IAM subcomponent provides various levels of coverage for several NIST Special Publication 800-53 (Rev. 4) security controls. These controls are designated for FIPS 199 Moderate Impact systems. Additional information on the implementation method used can be found in the GRACE Component Control Coverage Repository.
Component ATO status: draft
Relevant controls:
Control | CSP/AWS | HOST/OS | App/DB | How is it implemented? |
---|---|---|---|---|
AC-3 | ╳ | | | IAM groups, roles, and policies are used to enforce logical access to the system and to grant permissions to perform specific actions on specific AWS resources and services. |
AC-5(a) | ╳ | | | IAM groups, roles, and policies are used to enforce separation of duties between individuals. |
IA-2(1) | ╳ | | | The require_mfa IAM policy is used to enforce multifactor authentication for privileged users of the information system. |
IA-2(3) | ╳ | | | The require_mfa IAM policy is used to enforce multifactor authentication for privileged users of the information system. |
IA-2(11) | ╳ | | | The require_mfa IAM policy is used in conjunction with virtual MFA devices or authenticator applications such as Google Authenticator. These virtual MFA applications are installed on smartphones and provide the second factor needed to complete authentication. |
IA-5(1) | ╳ | | | The IAM password_policy enforces a minimum password length, complexity, maximum lifetime, and reuse limit, and requires the user to change their initial account setup password on first login. |
## Groups, Roles, and Policies
### Policies
Name | Purpose |
---|---|
full-admin | Allows full administrator access |
require-mfa | Forces multi-factor authentication usage before privileges are granted |
partial-admin | Allows region-restricted administrator access (excluding IAM, Organizations, and sts:AssumeRole) |
iam-admin | Allows administrator access to IAM |
ReadOnlyAccess | Allows read-only access to the AWS environment |
### Groups
Name | Policies |
---|---|
full-admin | full-admin, require-mfa |
ops-admin | partial-admin, iam-admin, require-mfa |
resource-admin | partial-admin, require-mfa |
deployer-admin | full-admin |
read-only | ReadOnlyAccess |
### Roles
Roles are only created if saml_provider_arn is provided. This is useful if your account uses federation.
Name | Policies |
---|---|
full-admin | full-admin, require-mfa |
ops-admin | partial-admin, iam-admin, require-mfa |
resource-admin | partial-admin, require-mfa |
deployer-admin | full-admin |
read-only | ReadOnlyAccess |
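The tables above only name the policies attached to each group and role; what matters for least privilege is how those attachments compose under IAM's evaluation rules (an explicit Deny overrides any Allow, and the condition keys decide whether a statement applies). The following Python script is an added example, not code from the grace-iam repository: the policy documents in it are constructed approximations of what the README describes (the real policies.tf may differ), the allowed regions are the module's documented default, and a tiny evaluator walks the group-to-policy mapping from the Groups table to show which requests each group can make with and without MFA, inside and outside the allowed regions.

```python
import fnmatch

# Default allowed_regions of the module (from the README inputs table).
ALLOWED_REGIONS = ["us-east-1", "us-west-1"]

# Constructed approximations of the module's policies (assumptions, not the
# contents of the real policies.tf).  Each policy is a list of statements.
POLICIES = {
    "full-admin": [{"Effect": "Allow", "Action": ["*"]}],
    "iam-admin": [{"Effect": "Allow", "Action": ["iam:*"]}],
    # Region-restricted admin: everything except IAM, Organizations and
    # sts:AssumeRole, and only inside the allowed regions.  NotAction on an
    # Allow (rather than an explicit Deny) is what lets iam-admin add IAM
    # rights back for the ops-admin group.
    "partial-admin": [{
        "Effect": "Allow",
        "NotAction": ["iam:*", "organizations:*", "sts:AssumeRole"],
        "Condition": {"StringEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}},
    }],
    # Deny everything except MFA self-enrolment unless MFA was presented.
    # BoolIfExists also denies when the key is absent (e.g. long-term keys).
    "require-mfa": [{
        "Effect": "Deny",
        "NotAction": ["iam:GetUser", "iam:ListMFADevices",
                      "iam:CreateVirtualMFADevice", "iam:EnableMFADevice"],
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
    # Small constructed stand-in for the AWS managed ReadOnlyAccess policy.
    "ReadOnlyAccess": [{"Effect": "Allow", "Action": [
        "ec2:Describe*", "s3:Get*", "s3:List*", "iam:Get*", "iam:List*"]}],
}

# Group -> attached policies, exactly as listed in the README.
GROUPS = {
    "full-admin": ["full-admin", "require-mfa"],
    "ops-admin": ["partial-admin", "iam-admin", "require-mfa"],
    "resource-admin": ["partial-admin", "require-mfa"],
    "deployer-admin": ["full-admin"],
    "read-only": ["ReadOnlyAccess"],
}


def _applies(stmt, action):
    """Does the statement's Action / NotAction cover this action?"""
    if "Action" in stmt:
        return any(fnmatch.fnmatchcase(action, p) for p in stmt["Action"])
    return not any(fnmatch.fnmatchcase(action, p) for p in stmt["NotAction"])


def _condition_holds(cond, ctx):
    """Evaluate the subset of IAM condition operators used above."""
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            expected = [expected] if isinstance(expected, str) else list(expected)
            actual = ctx.get(key)
            if op == "StringEquals" and actual not in expected:
                return False
            if op == "BoolIfExists" and actual is not None \
                    and str(actual).lower() not in expected:
                return False
            if op not in ("StringEquals", "BoolIfExists"):
                raise ValueError(f"unsupported condition operator {op}")
    return True


def evaluate(policy_names, action, ctx):
    """IAM decision for one request: explicit Deny wins, then any Allow,
    otherwise implicit Deny.  Resources are ignored in this simplification."""
    allowed = False
    for name in policy_names:
        for stmt in POLICIES[name]:
            if not _applies(stmt, action):
                continue
            if not _condition_holds(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


def group_decision(group, action, region=None, mfa=None):
    """Decision for a member of `group`; region/mfa populate the request
    context.  mfa=None models a request with no aws:MultiFactorAuthPresent key."""
    ctx = {}
    if region is not None:
        ctx["aws:RequestedRegion"] = region
    if mfa is not None:
        ctx["aws:MultiFactorAuthPresent"] = mfa
    return evaluate(GROUPS[group], action, ctx)


if __name__ == "__main__":
    for group, action, region, mfa in [
        ("full-admin", "ec2:TerminateInstances", "us-east-1", "true"),
        ("full-admin", "ec2:TerminateInstances", "us-east-1", None),
        ("full-admin", "iam:EnableMFADevice", None, None),
        ("ops-admin", "iam:CreateUser", "us-east-1", "true"),
        ("resource-admin", "iam:CreateUser", "us-east-1", "true"),
        ("resource-admin", "ec2:RunInstances", "eu-west-1", "true"),
        ("deployer-admin", "ec2:RunInstances", "us-east-1", None),
    ]:
        print(f"{group:15} {action:24} region={region} mfa={mfa} -> "
              f"{group_decision(group, action, region=region, mfa=mfa)}")
```

Two things the run makes visible that the tables do not: the deployer-admin group carries full-admin without require-mfa, so any long-term access key in that group is an unconditional administrator and deserves the tightest key-rotation and monitoring; and the require-mfa deny still leaves the MFA self-enrolment actions open, which is what allows a new user to set up a device before being blocked. The evaluator ignores Resource elements and most condition operators, so treat it as a model of the composition rules, not a substitute for the IAM policy simulator.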
## Repository contents
- groups.tf contains the AWS IAM group declarations and policy attachments
- iam.tf contains the AWS IAM password management policy declaration
- policies.tf contains the AWS IAM policy declarations and policy documents
- roles.tf contains the AWS IAM role declarations and policy attachments (dependent on the saml_provider_arn value)
- variables.tf contains all configurable variables
- outputs.tf contains all Terraform output variables
## Usage
Simply import grace-iam as a module into your Terraform configuration for the destination AWS environment.
```hcl
module "iam" {
  source = "github.com/GSA/grace-iam?ref=v0.0.1"
}
```
## Terraform Module Inputs
Name | Description | Type | Default | Required |
---|---|---|---|---|
saml_provider_arn | The Amazon Resource Name (ARN) of the Security Assertion Markup Language (SAML) provider | string | "" | no |
allowed_regions | A list of the allowed regions | list | us-east-1, us-west-1 | no |
password_policy_min_length | The minimum password length | number | 16 | no |
password_policy_require_uppercase | Whether to require uppercase characters in passwords | bool | true | no |
password_policy_require_lowercase | Whether to require lowercase characters in passwords | bool | true | no |
password_policy_require_numbers | Whether to require numbers in passwords | bool | true | no |
password_policy_require_symbols | Whether to require symbols in passwords | bool | true | no |
password_policy_allow_password_changes | Whether to allow users to change their own passwords | bool | true | no |
password_policy_max_age_days | The number of days before a password expires | number | 90 | no |
password_policy_password_history_days | The number of previous passwords to remember (reuse prevention) | number | 24 | no |
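The password_policy_* inputs are the module's answer to IA-5(1); the check a practitioner wants afterwards is whether the account still matches them, since a console edit or another Terraform workspace can silently weaken the policy. The script below is an added example and not part of grace-iam: it compares a password policy, in the shape IAM's GetAccountPasswordPolicy returns it (the `PasswordPolicy` dict from boto3's `iam.get_account_password_policy()`), against the defaults documented in the inputs table, and treats length and reuse history as minimums and maximum age as a ceiling, so a stricter account passes. The two sample policies are constructed for the demonstration.

```python
# Module input defaults from the README, keyed by the IAM API field they map
# to.  (Mapping of input name to API field is an assumption of this example.)
EXPECTED = {
    "MinimumPasswordLength": 16,          # password_policy_min_length
    "RequireUppercaseCharacters": True,   # password_policy_require_uppercase
    "RequireLowercaseCharacters": True,   # password_policy_require_lowercase
    "RequireNumbers": True,               # password_policy_require_numbers
    "RequireSymbols": True,               # password_policy_require_symbols
    "AllowUsersToChangePassword": True,   # password_policy_allow_password_changes
    "MaxPasswordAge": 90,                 # password_policy_max_age_days
    "PasswordReusePrevention": 24,        # password_policy_password_history_days
}

# Fields where a larger value is stricter, and fields where a smaller one is.
AT_LEAST = {"MinimumPasswordLength", "PasswordReusePrevention"}
AT_MOST = {"MaxPasswordAge"}


def password_policy_findings(policy, expected=EXPECTED):
    """Return a list of human-readable findings; an empty list means the
    account policy is at least as strict as the module's documented defaults."""
    findings = []
    for field, want in expected.items():
        got = policy.get(field)
        if got is None:
            # IAM omits MaxPasswordAge / PasswordReusePrevention when unset,
            # which means passwords never expire or may be reused freely.
            findings.append(f"{field}: not set (expected {want!r})")
        elif field in AT_LEAST and got < want:
            findings.append(f"{field}: {got} is weaker than the minimum {want}")
        elif field in AT_MOST and got > want:
            findings.append(f"{field}: {got} exceeds the maximum {want}")
        elif field not in AT_LEAST | AT_MOST and got != want:
            findings.append(f"{field}: {got!r} (expected {want!r})")
    return findings


# Constructed sample responses in the GetAccountPasswordPolicy shape.
SAMPLE_COMPLIANT = {
    "MinimumPasswordLength": 16, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": True,
    "MaxPasswordAge": 90, "PasswordReusePrevention": 24, "HardExpiry": False,
}
SAMPLE_DRIFTED = {
    "MinimumPasswordLength": 8, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": False,
    "AllowUsersToChangePassword": True, "ExpirePasswords": True,
    "MaxPasswordAge": 365, "PasswordReusePrevention": 24, "HardExpiry": False,
}

if __name__ == "__main__":
    for label, sample in (("compliant", SAMPLE_COMPLIANT), ("drifted", SAMPLE_DRIFTED)):
        findings = password_policy_findings(sample)
        print(f"{label}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

Run it against a live account by passing `boto3.client("iam").get_account_password_policy()["PasswordPolicy"]`; note that the API call raises NoSuchEntity when no custom policy exists at all, which is itself the most severe finding and is worth catching explicitly in a scheduled check.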
## Terraform Module Outputs
Name | Description |
---|---|
full_admin_group_arn | The ARN of the full-admin IAM group |
ops_admin_group_arn | The ARN of the ops-admin IAM group |
resource_admin_group_arn | The ARN of the resource-admin IAM group |
deployer_admin_group_arn | The ARN of the deployer-admin IAM group |
read_only_group_arn | The ARN of the read-only IAM group |
full_admin_role_arn | The ARN of the full-admin IAM role (requires saml_provider_arn) |
ops_admin_role_arn | The ARN of the ops-admin IAM role (requires saml_provider_arn) |
resource_admin_role_arn | The ARN of the resource-admin IAM role (requires saml_provider_arn) |
deployer_admin_role_arn | The ARN of the deployer-admin IAM role (requires saml_provider_arn) |
read_only_role_arn | The ARN of the read-only IAM role (requires saml_provider_arn) |
## Public domain
This project is in the worldwide public domain. As stated in CONTRIBUTING:
This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.
All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.