Each AWS account has root account credentials, which we don’t use.
Instead we access AWS resources using IAM.
IAM Roles for VMs
IAM Roles for Humans
We have a number of IAM roles intended for operators of the platform to use.
You should always try to use the least privileged role possible. This helps mitigate several risks, such as:
- accidentally performing a destructive action due to a typo (e.g. running terraform destroy -auto-approve against the wrong account)
- compromise of a privileged token leading to a serious security incident
The operator role grants a minimal set of mostly read-only permissions.
Wherever possible this should be the only role we use to interact with non-dev environments. Actions which require higher privileges should usually be done through version controlled changes deployed through our pipelines.
There are some actions which are not deployed through the pipelines for which the operator role is insufficient. For example:
- running AWS account wide terraform (requires Admin)
- performing maintenance on tenant databases (requires Admin)
In these situations it is acceptable to use an Admin role.
The Admin role grants full IAM access to an account. It should only be used in production when the operator role is not sufficient.
Before using the Admin role in a production environment you should think carefully about whether you could make a version controlled change deployed through our pipelines instead of using an ad hoc AWS session.
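One practical way to enforce the two rules above (use the least-privileged role, and never run a mutating terraform command against the wrong account) is a small wrapper that inspects the current STS identity before handing the command to terraform. The script below is an added example, not code from the account-wide-terraform repo or any other part of the platform: the role names `operator` and `admin`, the account IDs, the split of terraform subcommands into read-only and mutating, and the sample ARNs are all assumptions made for illustration.

```shell
#!/usr/bin/env sh
# Guard for ad hoc terraform sessions. Added example; role names "operator" and "admin",
# account IDs and the subcommand classification below are assumptions, not the platform's own.

# Parse an STS caller ARN of the form
#   arn:aws:sts::<account-id>:assumed-role/<role-name>/<session-name>
# and print "<account-id> <role-name>". Returns 1 for anything that is not an
# assumed-role identity, e.g. root credentials (arn:aws:iam::<account-id>:root),
# which we never use.
parse_caller_arn() {
  arn="$1"
  case "$arn" in
    arn:aws:sts::*:assumed-role/*/*) ;;
    *) return 1 ;;
  esac
  account="${arn#arn:aws:sts::}"; account="${account%%:*}"
  role="${arn#*:assumed-role/}";  role="${role%%/*}"
  printf '%s %s\n' "$account" "$role"
}

# Decide whether a terraform subcommand may run with the given identity.
# Arguments: caller ARN, expected account ID, terraform subcommand.
# Prints the reason to stderr and returns 1 when the command should be refused.
check_terraform_allowed() {
  caller_arn="$1"; expected_account="$2"; subcommand="$3"
  if ! parsed=$(parse_caller_arn "$caller_arn"); then
    echo "refusing: not an assumed-role identity ($caller_arn)" >&2
    return 1
  fi
  set -- $parsed
  account="$1"; role="$2"
  if [ "$account" != "$expected_account" ]; then
    echo "refusing: session is in account $account, expected $expected_account" >&2
    return 1
  fi
  case "$subcommand" in
    plan|show|output|validate)      # read-only in intent: the operator role is enough
      return 0 ;;
    apply|destroy|import|taint)     # mutates infrastructure: requires the admin role
      [ "$role" = "admin" ] && return 0
      echo "refusing: terraform $subcommand needs the admin role, current role is $role" >&2
      return 1 ;;
    *)
      echo "refusing: unknown terraform subcommand '$subcommand'" >&2
      return 1 ;;
  esac
}

# Real usage (needs AWS credentials and network, so not exercised here):
#   caller=$(aws sts get-caller-identity --query Arn --output text)
#   check_terraform_allowed "$caller" "$EXPECTED_ACCOUNT" "$1" && terraform "$@"

# Constructed sample identities for a dry run (fictional account IDs):
OPERATOR_ARN='arn:aws:sts::111111111111:assumed-role/operator/alice'
ADMIN_ARN='arn:aws:sts::111111111111:assumed-role/admin/alice'
OTHER_ACCOUNT_ADMIN_ARN='arn:aws:sts::222222222222:assumed-role/admin/alice'
ROOT_ARN='arn:aws:iam::111111111111:root'
```

The account check is what catches the "wrong account" typo from the risk list above: an admin session in account 222222222222 is refused when the working directory is meant for 111111111111, even though the role itself would have been powerful enough. The role check makes the operator role the default that only fails when a genuinely mutating subcommand is attempted, which is the point at which this document asks you to consider a pipeline change instead.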
We manage all these IAM roles, and the corresponding policies using Terraform. The config is in the account-wide-terraform repo. This includes defining who is allowed to assume the above roles.
We use Aiven for our Elasticsearch backing service. We log in to Aiven using the Aiven Console.
We have 4 separate projects:
We use Microsoft Azure to provide single sign-on for some tenants. We log into Azure using the Azure Portal.
We have 4 separate Active Directory apps under the digital.cabinet-office.gov.uk Azure account:
- Staging London
- Prod London
We use Google Cloud for single sign-on. We log into Google using the Google Cloud Console.
We have 2 separate projects under the digital.cabinet-office.gov.uk Google Cloud account:
Our single sign-on apps are managed in