3

I'm looking for a service or third party solution that allows for granting temporary access to an IAM user (or group) to one or more services in an AWS account.

The example I have is there is an outage in a production account, and I would like to grant temporary access to developers/sys admins to resolve the issue. Under normal circumstances, they would not have access to this particular service/account.

Ideally, I would like this to be a managed off the shelf solution vs something like STS, which would require quite a bit of configuration. For example, a system outage occurs for unknown reasons in a production account that the on call SRE does not normally have access to. A manager or lead should quickly be able to temporarily escalate privileges for the user until the "firefight" is resolved.

Preston Martin

2 Answers

1
  1. Create an IAM role in prod with all the permissions you'd like the devs to have.
  2. When you want devs to have prod access, add the sts:AssumeRole permission to their IAM group.
  3. When it's time to revoke access, remove the sts:AssumeRole permission.

More details in my blog article here.

Glorfindel
Harish
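The three steps in the answer above, sketched as the two policy documents they involve. This is an added example, not code from the answer or its blog article. It goes one step beyond the answer by putting an `aws:CurrentTime` expiry on the group policy, so the grant lapses even if nobody performs step 3. The account IDs, role name, timestamp and function names are constructed placeholders, and the trust policy assumes the developers' IAM group lives in a separate account from prod.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed placeholders (assumptions, not values from the post).
PROD_ACCOUNT_ID = "111111111111"
DEV_ACCOUNT_ID = "222222222222"
ROLE_NAME = "prod-break-glass"


def role_trust_policy(trusted_account_id):
    """Step 1: trust policy for the prod role. It delegates the decision of
    who may assume the role to IAM policies in the trusted account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def temporary_assume_policy(role_arn, granted_at, hours):
    """Step 2: inline policy for the developers' IAM group. The DateLessThan
    condition makes IAM deny new AssumeRole calls after the expiry time."""
    if granted_at.tzinfo is None:
        raise ValueError("granted_at must be timezone-aware")
    if hours <= 0:
        raise ValueError("hours must be positive")
    expiry = granted_at.astimezone(timezone.utc) + timedelta(hours=hours)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "TemporaryProdAccess",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": role_arn,  # one specific role, never "*"
            "Condition": {"DateLessThan": {
                "aws:CurrentTime": expiry.strftime("%Y-%m-%dT%H:%M:%SZ")}},
        }],
    }


if __name__ == "__main__":
    role_arn = f"arn:aws:iam::{PROD_ACCOUNT_ID}:role/{ROLE_NAME}"
    start = datetime(2024, 1, 1, 22, 30, tzinfo=timezone.utc)  # constructed
    print(json.dumps(role_trust_policy(DEV_ACCOUNT_ID), indent=2))
    print(json.dumps(temporary_assume_policy(role_arn, start, 4), indent=2))
```

Removing the group policy (step 3) or passing the expiry only blocks new `sts:AssumeRole` calls; credentials from a session that was already assumed stay valid until that session ends, so keep the role's maximum session duration short.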
0

It would be better to use the official docs as a trusted source :) AWS Official Docs

Hakob