IAM
Each AWS account has root account credentials, which we don’t use.
Instead we access AWS resources using IAM.
IAM Roles for VMs
We use IAM roles via instance profiles on our EC2 instances to delegate particular restricted permissions to processes running on those instances.
IAM Roles for Humans
We use separate IAM roles for users on our team, accessed via AWS’ assume-role feature. See the RE manual for details on how to do this. The available role ARNs that you’ll need for this are documented in paas-aws-account-wide-terraform here
Role configuration
We manage all these IAM roles and the corresponding policies using Terraform. The config is in the account-wide-terraform repo. This includes defining who is allowed to assume the above roles.
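As an added illustration, not the account-wide-terraform config itself, the following Terraform sketches both kinds of role described above: an instance role attached through an instance profile with a narrowly scoped policy, and a human role whose trust policy lists who may assume it and requires MFA. The role names, the account ID 111122223333, the user alice and the bucket name are placeholders.

```hcl
# Added illustration, not the PaaS config itself; names, account ID and bucket are placeholders.
# Role for EC2 instances: the trust policy names the EC2 service as the only principal.
resource "aws_iam_role" "app_instance" {
  name = "app-instance-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}
# Least privilege: grant only the action and resource the process on the instance needs.
resource "aws_iam_role_policy" "app_instance_read_config" {
  role = aws_iam_role.app_instance.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["s3:GetObject"]
      Resource = "arn:aws:s3:::example-config-bucket/*"
    }]
  })
}

# The instance profile is what attaches the role to an EC2 instance.
resource "aws_iam_instance_profile" "app_instance" {
  name = "app-instance-profile"
  role = aws_iam_role.app_instance.name
}
# Role for humans: Principal defines who may assume it; Condition refuses sessions without MFA.
resource "aws_iam_role" "team_readonly" {
  name = "team-readonly"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { AWS = ["arn:aws:iam::111122223333:user/alice"] }
      Condition = { Bool = { "aws:MultiFactorAuthPresent" = "true" } }
    }]
  })
}
# Permissions for the human role: a read-only managed policy in this illustration.
resource "aws_iam_role_policy_attachment" "team_readonly" {
  role       = aws_iam_role.team_readonly.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}
```

The Principal list in the human role's trust policy is the place where "who is allowed to assume" is enforced; adding or removing a user there is the Terraform change that grants or revokes access.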