Permission Policies in the Reference Architecture

[pete0emerson]

Can you tell me where the permission policies are applied in the code? I’m trying to see what users have access to the secrets manager.

---

Tracked in ticket #109090

[pete0emerson]

In the reference architecture in security/_global/account-baseline/users.yml we can see the users and IAM groups that they belong to.

Looking at security/_global/account-baseline/terragrunt.hcl, we can see that it is sourcing the service catalog (roughly lines 13 and 65-66):

  source = "${local.source_base_url}?ref=v0.82.0"
  ...
  locals {
    source_base_url = "git::[email protected]:gruntwork-io/terraform-aws-service-catalog.git//modules/landingzone/account-baseline-security"

Let's jump over to the service catalog, specifically modules/landingzone/account-baseline-security/main.tf (about line 200):

module "iam_groups" {
  source = "git::[email protected]:gruntwork-io/terraform-aws-security.git//modules/iam-groups?ref=v0.65.8"

So we'll dive down to the module level and take a look at terraform-aws-security/modules/iam-groups/main.tf:

The groups are defined here, for example, the full_access group on line 52:

# ----------------------------------------------------------------------------------------------------------------------
# CREATE IAM GROUP - FULL ACCESS
# Full Access users have full access to all AWS Resources.
# ----------------------------------------------------------------------------------------------------------------------

resource "aws_iam_group" "full_access" {
  count = var.should_create_iam_group_full_access && var.create_resources ? 1 : 0
  name  = var.iam_group_name_full_access
}

# Enable administrator users to have access to everything
resource "aws_iam_group_policy" "full_access" {
  count  = var.should_create_iam_group_full_access && var.create_resources ? 1 : 0
  name   = "full-access"
  group  = aws_iam_group.full_access[0].id
  policy = module.iam_policies.full_access
}

# Full-access users should also be able to manage their own IAM User accounts (without MFA), so attach the "iam-user-self-mgmt" IAM Policy.
resource "aws_iam_group_policy_attachment" "full_access_iam_user_self_mgmt" {
  count      = var.should_create_iam_group_full_access && var.create_resources ? 1 : 0
  group      = aws_iam_group.full_access[0].name
  policy_arn = aws_iam_policy.iam_user_self_mgmt[0].arn
}

The policies are defined on line 35:

module "iam_policies" {
  source = "../iam-policies"

Note that this is loading another module, iam-policies. In this module we see the policy documents that then get attached and used, for example:

data "aws_iam_policy_document" "full_access" {
  statement {
    sid       = "fullAccess"
    actions   = ["*"]
    resources = ["*"]
    effect    = "Allow"
...

Note that there are no references specifically to any secretsmanager:* resources, and Secrets Manager is not called out in the read_only policy. The full_access policy has blanket permissions.

If you want to create your own policies, you can do that with the custom-iam-entity module.