kfs_uaerp_user_role.yaml
---

KFS User Role

This CloudFormation template will deploy an IAM role for KFS DevOps staff to access resources in the ua-erp account.

AWSTemplateFormatVersion: '2010-09-09'
Description: 'KFS DevOps User Access'

Parameters

These are the input parameters for this template. There is only one, and it has a default, so it does not need to be supplied unless the SAML provider was created under a different name.

Parameters:

This template does not create the IAM SAML identity provider (the CloudFormation releases this template was written for had no resource type for one), so the provider must exist in the account before the template is run. Pass in the name of the Shibboleth IdP here; the template builds the provider ARN from it with !Sub below.

  ShibbolethIDP:
    Description: Name of the SAML Provider
    Default: UA_Shibboleth_IdP
    Type: String

Resources:

KFS Access Role

The KFSAccess role is the identity that Shibboleth-federated users land in: its trust policy allows sts:AssumeRoleWithSAML from the UA IdP, restricted to assertions whose audience is the AWS sign-in endpoint. The policies attached further down grant the read access it carries. Note that the trust policy also lets the EC2 service assume the role, so it doubles as an instance role; anyone who can launch an instance with an instance profile containing this role gets the same access without going through Shibboleth.

  KFSAccess:
    Type: AWS::IAM::Role
    Properties:
      RoleName: shib-KFSAccess
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
          - Effect: Allow
            Principal:
              Federated: !Sub "arn:aws:iam::${AWS::AccountId}:saml-provider/${ShibbolethIDP}"
            Action: sts:AssumeRoleWithSAML
            Condition:
              StringEquals:
                SAML:aud: https://signin.aws.amazon.com/saml

  KFSAccessGroup:
    Type: AWS::IAM::Group
    Properties:
      Path: "/"

The KFSAccess Policy

  KFSAccessPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:

Basic read info

          - Effect: Allow
            Action:
              - route53:Get*
              - route53:List*
              - ec2:Describe*
              - elasticloadbalancing:Describe*
              - autoscaling:Describe*
              - rds:Describe*
              - rds:ListTagsForResource
              - s3:List*
              - ecs:ListClusters
              - ecr:DescribeRepositories
            Resource: "*"

Allow read access to the kuali/* ECR repositories (the region is hard-coded to us-west-2 rather than taken from AWS::Region). As written this permits browsing images and layers through the ECR API but not a complete docker pull: a pull also needs ecr:GetAuthorizationToken (which only accepts Resource: "*"), ecr:BatchGetImage and ecr:BatchCheckLayerAvailability, none of which are granted here.

          - Effect: Allow
            Action:
              - ecr:DescribeImages
              - ecr:GetDownloadUrlForLayer
              - ecr:GetRepositoryPolicy
              - ecr:ListImages
            Resource: !Sub "arn:aws:ecr:us-west-2:${AWS::AccountId}:repository/kuali/*"
      Roles:
        - Ref: KFSAccess
      Groups:
        - Ref: KFSAccessGroup

KFSAccess MFA Policy

This policy is attached only to the group, so it applies to IAM users who have been added to KFSAccessGroup and not to SAML users who sign in through the role and Shibboleth (those users are already MFA-gated at the IdP).

  KFSAccessMFAPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:

Allow every action on every resource except IAM actions (NotAction: iam:*), on the condition that the request carries aws:MultiFactorAuthPresent set to true. Watch the operator: BoolIfExists also matches when the key is absent, and IAM does not set aws:MultiFactorAuthPresent at all for requests signed with a long-term access key, so a group member calling the API with only an access key receives this grant without MFA. Only temporary-credential requests made without MFA (key present and false) are turned away. To require MFA for every request, use Bool instead of BoolIfExists; Bool treats a missing key as not matching.

          - Effect: Allow
            NotAction: iam:*
            Resource: "*"
            Condition:
              BoolIfExists:
                aws:MultiFactorAuthPresent: 'true'
      Groups:
        - Ref: KFSAccessGroup
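The following is an added example, not part of this template or the KFS project. It models the small part of IAM policy evaluation that matters for the two statements above (Effect, Action/NotAction, Resource, and the Bool / BoolIfExists operators on a single key) so that the MFA gap and the ECR pull gap can be checked offline. The account ID, repository name and request contexts are constructed for the example; the rule that aws:MultiFactorAuthPresent is absent from long-term-key requests, and the set of actions a docker pull needs, follow the AWS documentation.

```python
"""Offline check of the KFSAccessMFAPolicy and ECR statements (added example).

Implements only the subset of IAM evaluation these statements use; it is
not a general policy simulator. Glob matching stands in for IAM's wildcard
matching (an assumption that holds for the '*' patterns used here).
"""
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"  # placeholder account ID, not the real ua-erp account

# Statement as it appears in the template: BoolIfExists lets a request
# with no aws:MultiFactorAuthPresent key through.
WEAK_MFA_STATEMENT = {
    "Effect": "Allow",
    "NotAction": "iam:*",
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "true"}},
}

# Hardened form: Bool treats a missing key as "does not match".
STRICT_MFA_STATEMENT = {
    "Effect": "Allow",
    "NotAction": "iam:*",
    "Resource": "*",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
}

# ECR statement from the template (read on kuali/* in us-west-2).
ECR_READ_STATEMENT = {
    "Effect": "Allow",
    "Action": ["ecr:DescribeImages", "ecr:GetDownloadUrlForLayer",
               "ecr:GetRepositoryPolicy", "ecr:ListImages"],
    "Resource": f"arn:aws:ecr:us-west-2:{ACCOUNT}:repository/kuali/*",
}

# Constructed request contexts. IAM never sets aws:MultiFactorAuthPresent
# for requests signed with a long-term access key, so that context is empty.
REQUESTS = {
    "saml_session_with_mfa": {"aws:MultiFactorAuthPresent": "true"},
    "sts_session_without_mfa": {"aws:MultiFactorAuthPresent": "false"},
    "long_term_access_key": {},
}

# Calls a docker pull makes against ECR: the token call is not
# resource-scoped, the rest are per repository.
DOCKER_PULL_ACTIONS = ["ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
                       "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(value, patterns):
    # IAM action names are case-insensitive; compare lower-cased.
    return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _action_matches(stmt, action):
    if "Action" in stmt:
        return _glob(action, stmt["Action"])
    return not _glob(action, stmt["NotAction"])


def _condition_holds(condition, ctx):
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            if key not in ctx:
                if operator == "BoolIfExists":
                    continue      # missing key counts as satisfied
                return False      # Bool: missing key never matches
            if str(ctx[key]).lower() != str(expected).lower():
                return False
    return True


def evaluate(statements, action, resource, ctx):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in statements:
        if not _action_matches(stmt, action):
            continue
        if not _glob(resource, stmt["Resource"]):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def mfa_decisions(statement, action="ec2:TerminateInstances",
                  resource=f"arn:aws:ec2:us-west-2:{ACCOUNT}:instance/i-0abc"):
    """Decision for each constructed request against one MFA statement."""
    return {name: evaluate([statement], action, resource, ctx) for name, ctx in REQUESTS.items()}


def docker_pull_gaps(statements, repo=f"arn:aws:ecr:us-west-2:{ACCOUNT}:repository/kuali/kfs"):
    """Pull-time ECR actions the statements do not allow for an MFA'd session."""
    ctx = {"aws:MultiFactorAuthPresent": "true"}
    gaps = []
    for action in DOCKER_PULL_ACTIONS:
        resource = "*" if action == "ecr:GetAuthorizationToken" else repo
        if evaluate(statements, action, resource, ctx) != "Allow":
            gaps.append(action)
    return gaps


if __name__ == "__main__":
    for label, stmt in (("BoolIfExists (template)", WEAK_MFA_STATEMENT),
                        ("Bool (hardened)", STRICT_MFA_STATEMENT)):
        print(label)
        for name, decision in mfa_decisions(stmt).items():
            print(f"  {name:26s} {decision}")
    print("docker pull actions missing:", docker_pull_gaps([ECR_READ_STATEMENT]))
```

Running it shows the long-term-access-key request is allowed under the template's BoolIfExists statement and implicitly denied under the Bool form, while MFA'd sessions are allowed by both; the ECR check lists the three pull-time actions the template's repository statement leaves out.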

Outputs

Outputs:
  KFSAccess:
    Value: !Ref KFSAccess