AWS User Management
GDS uses Amazon’s cross-account access pattern for accessing many of its AWS accounts. A base account, called gds-users, contains IAM users that can be used to assume roles in other AWS accounts. This provides a single place to manage IAM users, passwords, MFA and access tokens.
Requests to add users to the gds-users account are made via the gds request an aws account app. When someone submits a request the app generates new terraform config and raises a pull request against the aws-user-management-account-users github repo. These pull requests need to be reviewed and merged.
Merged changes are automatically applied by a CodePipeline pipeline in the techops AWS account.
Adding new IAM users to gds-users
People can request a new gds-users user by submitting a request through the gds request an aws account webapp. To be able to use the webapp they must authenticate using Google OAuth from one of a small number of domains.
When someone requests a new gds-users user, the webapp generates new terraform config for the IAM user and raises a pull request against the aws-user-management-account-users repo.
The webapp will also send an email to the gds-aws-account-management Google group to say that a request has been made and linking to the pull request.
The request will usually be dealt with by whoever’s turn it is on the AWS Account Management rota, but can be anyone with the ability to merge PRs on the aws-user-management-account-users repo.
Reviewing a request
When someone requests a new gds-users user, an email is sent to the gds-aws-account-management Google group. This email will include a link to a pull request with the terraform to be added.
You should briefly check that the code being added looks right: it should include an aws_iam_user resource and an addition of that user to the crossaccountaccess-members IAM group, and nothing beyond that.
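As an added illustration of what a reviewer should expect to see (this is not the terraform the webapp actually generates, and the username, resource labels and file layout are assumptions), a minimal new-user pull request contains exactly two things: the IAM user, and that user's membership of the crossaccountaccess-members group.

```hcl
# Illustrative example, not the repo's own config. The username
# "jane.doe" and the resource labels are assumptions; the group name
# crossaccountaccess-members is the one named in the review guidance.

resource "aws_iam_user" "jane_doe" {
  name = "jane.doe"

  # Lets terraform remove the user later even if they have created
  # access keys, a login profile or an MFA device outside terraform.
  force_destroy = true
}

# Membership of crossaccountaccess-members is what lets the user assume
# roles in other accounts; a reviewer should see this group and no other.
resource "aws_iam_user_group_membership" "jane_doe" {
  user   = aws_iam_user.jane_doe.name
  groups = ["crossaccountaccess-members"]
}
```

Anything else in the diff (an aws_iam_user_policy or aws_iam_user_policy_attachment, an aws_iam_access_key, membership of additional groups, or changes to files other than the new user's own) is outside the normal request flow and should be questioned before merging, since it would grant more than the limited permissions a gds-users user is supposed to start with.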
You do not need to check that the request is genuine. This is because:
- The user will have authenticated to the webapp using their GDS or Cabinet Office Google account, which we trust
- A gds-users user does not by itself give them access to anything other than limited IAM permissions in the gds-users AWS account; access to other accounts is only granted by roles in those accounts
Once you are happy that the pull request looks okay, you should approve and merge it. The change will be automatically applied by a CodePipeline pipeline (see below).
Checking if a change has been applied
Changes to the terraform that manages resources in the gds-users account are applied automatically by the aws-user-mgnt-pipeline CodePipeline in the techops AWS account. You will need access to the techops account to inspect it. The list of who has access is controlled
You can view the aws-user-mgnt-pipeline pipeline by doing:
gds aws techops -l open https://eu-west-2.console.aws.amazon.com/codesuite/codepipeline/pipelines/aws-user-mgnt-pipeline/view?region=eu-west-2
Resetting passwords for gds-users users
There is an automated process for resetting passwords for gds-users users. Anyone with a gds-users user can request a password reset using the password reset feature of the gds request an account webapp.
These password reset requests follow a similar workflow to the one described above for adding new users. The webapp will raise a pull request against the aws-user-management-account-users repo, which will need to be reviewed and, if reasonable, approved and merged.
Once merged, password resets are processed automatically by a reset-aws-password-pipeline CodePipeline in the techops AWS account. You can view the status of this pipeline by doing:
gds aws techops -l open https://eu-west-2.console.aws.amazon.com/codesuite/codepipeline/pipelines/reset-aws-password-pipeline/view?region=eu-west-2
Resetting MFA on gds-users users
All gds-users users are required to have multi-factor authentication (MFA) enabled. They will set this up when they first get their gds-users user. Occasionally, users lose their MFA device and cannot access the AWS console to reset it without assistance.
By design, there is no automated way to remove or reset MFA on gds-users users and the greatest caution should be exercised when doing so manually to make sure we do not succumb to social engineering attacks.
MFA can only be removed by a small group of admins who can assume role, which has AdministratorAccess permissions. The list of these admins can be
If MFA needs to be removed from a gds-users user you must:
- Check the user is who they claim to be by speaking to them in-person or face-to-face on a video call. If you do not know the person, you should ask to see their staff ID
- Notify Cyber Security using an Action Notification on the
- With the user still present, remove their MFA from their gds-users user in the AWS console
- Ask the user to log into gds-users via the console and add a new MFA token
Configuration for the CodePipeline pipelines
The CodePipeline configuration is managed using terraform in the tech-ops-private repo.