
AWS Essentials Configuration

The overview below summarizes the configuration deployed in the master (management) account and in the linked accounts. For each item it states whether it is deployed in the master account, whether it is deployed in linked accounts, and what it is for. An asterisk (*) marks items deployed in linked accounts only where SWO provides support.

 

Federated access

CloudFormation
  Master account: yes
  Linked account: yes*
  All resources are deployed using CloudFormation Stacks and StackSets.

IAM SAML Provider
  Master account: yes
  Linked account: no
  Provides SAML 2.0 federated access for SWO engineers.

IAM OpenID Provider
  Master account: yes
  Linked account: yes
  Provides programmatic access for services via OpenID Connect (OIDC). Example: the SWO Billing Engine authenticates and authorizes using OpenID.

IAM roles for SAML provider
  • SWOAdminRole
  • SWOReadOnlyRole
  • SWOBillingRole
  • SWOSupportRole
  Master account: yes
  Linked account: no
  These roles are assumed by SWO engineers only through the IAM SAML provider; there is no other trusted principal.

  Example:

  AAD → SAML Provider (master account) → SWOAdminRole (master account)

  Brief description of the deployed roles:

  • SWOAdminRole – AWS-managed AdministratorAccess IAM policy attached
    • can be assumed by users who are members of a dedicated SWO AD group
  • SWOBillingRole – AWS-managed Billing and SupportUser IAM policies attached
    • can be assumed by users who are members of a dedicated SWO AD group
  • SWOReadOnlyRole – AWS-managed ReadOnlyAccess IAM policy attached
    • can be assumed by users who are members of a dedicated SWO AD group
  • SWOSupportRole – AWS-managed SupportUser IAM policy attached
    • can be assumed by users who are members of a dedicated SWO AD group

Cross account IAM roles
  • SWOAdminRole
  • SWOReadOnlyRole
  • SWOBillingRole
  • SWOSupportRole
  Master account: no
  Linked account: yes*
  * deployed only where SWO provides support
  These roles can be assumed only from the corresponding role in the master (management) account of the same AWS Organization.

  Example:

  AAD → SAML Provider (master account) → SWOAdminRole (master account) → SWOAdminRole (linked account)

  • SWOAdminRole – AWS-managed AdministratorAccess IAM policy attached
    • can be assumed from SWOAdminRole in the master (management) account
  • SWOBillingRole – AWS-managed Billing and SupportUser IAM policies attached
    • can be assumed from SWOBillingRole in the master (management) account
  • SWOReadOnlyRole – AWS-managed ReadOnlyAccess IAM policy attached
    • can be assumed from SWOReadOnlyRole in the master (management) account
  • SWOSupportRole – AWS-managed SupportUser IAM policy attached
    • can be assumed from SWOSupportRole in the master (management) account
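The two hops of the chain above (IdP → master-account role → linked-account role) come down to two trust policies. The following is an added example written for this page, not SWO's own template: the first YAML document is deployed in the master (management) account, the second in a linked account (for instance via StackSet). The provider logical name, the provider name, the ReadOnlyAccess attachment and all parameter values are assumptions; only the role name SWOReadOnlyRole comes from the page.

```yaml
# Added example, not SWO's own template. Two CloudFormation templates follow,
# separated by "---": the first for the master (management) account, the
# second for a linked account. Provider names and parameters are placeholders.
AWSTemplateFormatVersion: "2010-09-09"
Description: Master account - SAML provider and the federated SWOReadOnlyRole
Parameters:
  SamlMetadataDocument:
    Type: String
    Description: Federation metadata XML exported from Azure AD (placeholder)
Resources:
  SWOSamlProvider:                          # assumed logical name
    Type: AWS::IAM::SAMLProvider
    Properties:
      Name: SWOAzureAdSamlProvider          # assumed provider name
      SamlMetadataDocument: !Ref SamlMetadataDocument
  SWOReadOnlyRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: SWOReadOnlyRole
      MaxSessionDuration: 3600
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: !Ref SWOSamlProvider   # Ref returns the provider ARN
            Action: sts:AssumeRoleWithSAML
            Condition:
              StringEquals:
                # Only assertions addressed to the AWS sign-in endpoint are
                # accepted; an assertion minted for another audience fails.
                SAML:aud: https://signin.aws.amazon.com/saml
---
AWSTemplateFormatVersion: "2010-09-09"
Description: Linked account - SWOReadOnlyRole assumable only from the master role
Parameters:
  MasterAccountId:
    Type: String
    AllowedPattern: "^[0-9]{12}$"
  OrganizationId:
    Type: String
    AllowedPattern: "^o-[a-z0-9]{10,32}$"
Resources:
  SWOReadOnlyRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: SWOReadOnlyRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              # The role ARN, not the account root: only sessions of this
              # exact master-account role can hop into the linked account.
              AWS: !Sub "arn:aws:iam::${MasterAccountId}:role/SWOReadOnlyRole"
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                # Belt and braces: the caller must also be inside the same
                # AWS Organization, as the page requires.
                aws:PrincipalOrgID: !Ref OrganizationId
```

Two points worth checking after deployment. First, IAM stores a role principal by its unique ID, not its name: if SWOReadOnlyRole in the master account is ever deleted and recreated, the linked-account trust policy silently stops matching and must be re-saved. Second, run `aws sts get-caller-identity` after each hop; the second hop should report the linked account ID with an assumed-role ARN for SWOReadOnlyRole, and nothing else in the linked account should be able to assume that role.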

IAM roles for OpenID
  • SWOOpenIDCAssumeBillingOnlyRole
  • SWOOpenIDCAssumeCDERole
  Master account: yes
  Linked account: yes
  Optional.
  Roles assumed by services, such as the billing engine, for programmatic access.
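What makes an OIDC-federated role safe is the trust policy's conditions: the audience (aud) and, above all, the subject (sub) of the token. Without the sub condition, any token the issuer signs for that audience can assume the role. The template below is an added example for this page, not SWO's template; the role name is from the page, while the issuer, client ID, subject, thumbprint and the Billing policy attachment are assumptions supplied as parameters.

```yaml
# Added example, not SWO's own template. Issuer, client id, subject and
# thumbprint are placeholders passed as parameters; the attached policy is an
# assumption. Only the role name comes from the page.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  OidcIssuerUrl:
    Type: String   # e.g. https://login.microsoftonline.com/<tenant>/v2.0
  OidcIssuerHost:
    Type: String   # the same issuer without "https://"; used in condition keys
  OidcClientId:
    Type: String   # aud claim carried by the billing engine's tokens
  OidcSubject:
    Type: String   # exact sub claim of the billing engine's service identity
  OidcThumbprint:
    Type: String   # SHA-1 thumbprint of the issuer's TLS certificate chain
Resources:
  SWOOpenIdProvider:                        # assumed logical name
    Type: AWS::IAM::OIDCProvider
    Properties:
      Url: !Ref OidcIssuerUrl
      ClientIdList:
        - !Ref OidcClientId
      ThumbprintList:
        - !Ref OidcThumbprint
  SWOOpenIDCAssumeBillingOnlyRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: SWOOpenIDCAssumeBillingOnlyRole
      MaxSessionDuration: 3600
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/job-function/Billing   # assumed attachment
      # The condition keys are "<issuer-host>:aud" and "<issuer-host>:sub".
      # Intrinsic functions cannot be used as YAML map keys, so the document
      # is rendered with Fn::Sub as a JSON string instead.
      AssumeRolePolicyDocument: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Principal": { "Federated": "${SWOOpenIdProvider}" },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
              "StringEquals": {
                "${OidcIssuerHost}:aud": "${OidcClientId}",
                "${OidcIssuerHost}:sub": "${OidcSubject}"
              }
            }
          }]
        }
```

The check to make when reviewing such a role is to read the sub condition literally: StringEquals on a single sub value pins the role to one service identity, whereas a StringLike with a wildcard, or no sub condition at all, opens the role to every principal the issuer will mint a token for.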

IAM user
  • SWOAzureAdAutomationUser
    • the credentials of this user are stored in AWS Secrets Manager
  Master account: yes
  Linked account: no
  Service user used by Azure Lighthouse to establish the SAML federation. It is the one long-lived credential in this design, so its access keys should be rotated and their use monitored.

AWS Secrets Manager
  • SWOAzureAdFederationSecret
  Master account: yes
  Linked account: no
  Securely stores the credentials used for SAML federation.

Lambda Functions
  • SWOAzureAdMetadataLambda
  • SWOReturnCredentialsToAzureLambda
  Master account: yes
  Linked account: no
  These functions automate the deployment and configuration of federated access between AWS and SWO AAD.

Parameters stored in SSM Parameter Store
  • SWOCustomerName
  • SWOCustomerSCU
  • OrganizationUnitSsmParameter
  • LighthouseSAMLFederationVersion
  • LighthouseOpenIDFederationVersion
  Master account: yes
  Linked account: no
  Parameters required as configuration for CloudFormation and/or the Lambda functions.

Guardrails

CloudFormation
  Master account: yes
  Linked account: yes*
  All resources are deployed using CloudFormation Stacks and, optionally, StackSets.

Service Control Policies (SCP)
  • SWORestrictAccessToBillingPortalScp
  • SWORestrictAccessToSupportPortalScp
    • conditionally deployed for PLES customers
  • SWODenyAccessToModifySWORolesAndPoliciesScp
  • SWODenyAccessToModifySWORolesOrPoliciesScpV2
  • SWODenyLeaveOrganisationScp
  Master account: yes (the policies are created and attached from the management account)
  Linked account: no (SCPs are applied to linked accounts rather than deployed into them)
  Service Control Policies put boundaries on the permissions available in all linked accounts of the AWS Organization. SCPs never apply to the management account itself, which is why a separate permissions boundary is needed there.

IAM Permissions Boundary
  • SWOMasterPermissionsBoundary
  Master account: yes
  Linked account: no
  This permissions boundary is applied to all IAM principals (IAM users and IAM roles) in the master (management) account, with the exception of the SWO IAM roles. Its purpose is to protect the SWO resources deployed in the master (management) account.
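The SCPs and the permissions boundary are two halves of one control: the SCP stops principals in linked accounts from touching the SWO roles, and the boundary does the same job in the management account, where SCPs have no effect. The template below is an added example for this page, not SWO's own policy content: the policy names match the page, the statements are an assumption about what such policies would contain, and the OU ID is a placeholder. The boundary also carries a preventive statement (new principals must be created with this boundary attached) that complements the reactive Lambda the page describes.

```yaml
# Added example, not SWO's own template. Policy names are from the page; the
# statement content is an assumption. Deploy in the management account.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  LinkedAccountsOuId:
    Type: String   # placeholder OU (ou-xxxx-xxxxxxxx) holding the linked accounts
Resources:
  SWODenyAccessToModifySWORolesOrPoliciesScpV2:
    Type: AWS::Organizations::Policy
    Properties:
      Name: SWODenyAccessToModifySWORolesOrPoliciesScpV2
      Type: SERVICE_CONTROL_POLICY
      TargetIds:
        - !Ref LinkedAccountsOuId
      Content:
        Version: "2012-10-17"
        Statement:
          - Sid: DenyTamperingWithSWORolesAndPolicies
            Effect: Deny
            Action:
              - iam:AttachRolePolicy
              - iam:DetachRolePolicy
              - iam:DeleteRole
              - iam:DeleteRolePolicy
              - iam:PutRolePolicy
              - iam:PutRolePermissionsBoundary
              - iam:DeleteRolePermissionsBoundary
              - iam:UpdateRole
              - iam:UpdateAssumeRolePolicy
              - iam:CreatePolicyVersion
              - iam:DeletePolicy
              - iam:DeletePolicyVersion
              - iam:SetDefaultPolicyVersion
            Resource:
              - arn:aws:iam::*:role/SWO*
              - arn:aws:iam::*:policy/SWO*
            Condition:
              ArnNotLike:   # SWO's own admin session is the only exception
                aws:PrincipalArn: arn:aws:iam::*:role/SWOAdminRole
          - Sid: DenyLeaveOrganization
            Effect: Deny
            Action: organizations:LeaveOrganization
            Resource: "*"
  SWOMasterPermissionsBoundary:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: SWOMasterPermissionsBoundary
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: BoundaryCeiling   # a boundary is a ceiling, not a grant
            Effect: Allow
            Action: "*"
            Resource: "*"
          - Sid: ProtectSWORolesAndPolicies
            Effect: Deny
            Action: iam:*
            Resource:
              - arn:aws:iam::*:role/SWO*
              - arn:aws:iam::*:policy/SWO*   # includes this boundary itself
          - Sid: NewPrincipalsMustCarryThisBoundary
            Effect: Deny
            Action:
              - iam:CreateRole
              - iam:CreateUser
              - iam:PutRolePermissionsBoundary
              - iam:PutUserPermissionsBoundary
            Resource: "*"
            Condition:
              StringNotEquals:
                iam:PermissionsBoundary: !Sub "arn:aws:iam::${AWS::AccountId}:policy/SWOMasterPermissionsBoundary"
          - Sid: KeepBoundaryInPlace
            Effect: Deny
            Action:
              - iam:DeleteRolePermissionsBoundary
              - iam:DeleteUserPermissionsBoundary
            Resource: "*"
```

The last two boundary statements close the classic escape: a bounded principal that can create another role without a boundary, or strip its own, would otherwise simply hop to an unbounded identity. The ArnNotLike exception in the SCP is deliberately narrow; widening it to the linked account's own administrators would defeat the purpose of the policy.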

Lambda Functions
  • SWOScpDeployLambdaFunction
  • SWOApplyPermissionsBoundaryLambda
  • SWOBudgetSADLambda*
  • SWOBudgetSADLambdaRunner*
  Master account: yes
  Linked account: yes*
  * optional
  These functions automate the deployment and configuration of the Service Control Policies and the Permissions Boundary in the master (management) account. The SAD Lambda and its runner automate editing of the Budget threshold.

CloudTrail
  • SWOManagementEventsTrail
  Master account: yes
  Linked account: no
  CloudTrail trail that logs all API calls in the master (management) account. Its presence is required by the SWO EventBridge rules: to record events with a detail-type of "AWS API Call via CloudTrail", a CloudTrail trail with logging enabled must exist (see "Events from AWS services" in the Amazon EventBridge documentation). Stopping or deleting this trail therefore blinds every detective rule listed under Guardrails, which is why trail modification is itself one of the monitored events.

Cost And Usage Report
  Master account: yes
  Linked account: no
  A CUR report stored in an S3 bucket for billing purposes.

AWS Budget
  • SWOSpendAnomalyBudget
  (deployment scope not indicated in the source table)

S3 Buckets
  • CloudTrail S3 bucket
    • Default lifecycle rule for all objects:
      • transition to Standard-IA after 30 days
      • expire after 90 days
  • Cost and Usage Reports S3 bucket
    • Default lifecycle rule for all objects:
      • transition to Standard-IA after 30 days
      • expire after 365 days
  Master account: yes
  Linked account: no
  S3 buckets used to store critical logging and billing information. Note that the 90-day expiry also bounds how far back an incident investigation can reach using these trail logs.
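The trail and its bucket are deployed together, and the bucket policy is what keeps the log store trustworthy: CloudTrail may write, nothing may read or write over plain HTTP, and the lifecycle rule implements the 30-day transition and 90-day expiry listed above. The following is an added example for this page, not SWO's template; the trail name and lifecycle figures are from the page, the bucket settings (versioning, encryption, public-access block, TLS-only policy) are assumptions.

```yaml
# Added example, not SWO's own template. Trail name and lifecycle figures are
# from the page; bucket hardening settings are assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  SWOCloudTrailBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain           # never let a stack delete take the evidence
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      VersioningConfiguration:
        Status: Enabled              # overwrites keep the prior version
      LifecycleConfiguration:
        Rules:
          - Id: SWODefaultLifecycle
            Status: Enabled
            Transitions:
              - StorageClass: STANDARD_IA
                TransitionInDays: 30
            ExpirationInDays: 90
            NoncurrentVersionExpirationInDays: 90   # versioning needs this too
  SWOCloudTrailBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref SWOCloudTrailBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AWSCloudTrailAclCheck
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:GetBucketAcl
            Resource: !GetAtt SWOCloudTrailBucket.Arn
          - Sid: AWSCloudTrailWrite
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:PutObject
            Resource: !Sub "${SWOCloudTrailBucket.Arn}/AWSLogs/${AWS::AccountId}/*"
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: "*"
            Action: s3:*
            Resource:
              - !GetAtt SWOCloudTrailBucket.Arn
              - !Sub "${SWOCloudTrailBucket.Arn}/*"
            Condition:
              Bool:
                aws:SecureTransport: "false"
  SWOManagementEventsTrail:
    Type: AWS::CloudTrail::Trail
    DependsOn: SWOCloudTrailBucketPolicy   # the trail validates the policy on create
    Properties:
      TrailName: SWOManagementEventsTrail
      S3BucketName: !Ref SWOCloudTrailBucket
      IsLogging: true
      IsMultiRegionTrail: true
      IncludeGlobalServiceEvents: true     # IAM, STS and sign-in events
      EnableLogFileValidation: true        # signed digests detect tampering
      EventSelectors:
        - ReadWriteType: All
          IncludeManagementEvents: true
```

Two checks after deployment: `aws cloudtrail get-trail-status --name SWOManagementEventsTrail` should report IsLogging true and a recent LatestDeliveryTime, and `aws cloudtrail validate-logs` over a past window should report every digest and log file as valid. If a longer retention than 90 days is required, it has to come from somewhere other than this bucket's lifecycle rule.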

EventBridge Rules
  • SWOLinkedAccountCreationEventRule
  • SWOSnsModificationEventRule
  • SWOIamRoleModificationEventRule
  • SWOIamPolicyModificationEventRule
  • SWOScpModificationEventRule
  • SWORootAccountActivityEventRule
  • SWOCloudTrailModificationEventRule
  • SWOLambdaModificationEventRule
  • SWOUserOrRoleCreationEventRule*
  • SWOSADLambdaTriggerEventRule**
  Master account: yes
  Linked account: yes** (optional)
  Set of detective EventBridge rules that notify about modification of SWO resources. Notifications are sent via the respective SNS topics to all configured subscriptions. SWO is notified about:
  • root login detection
  • SWO IAM roles modification
  • SWO IAM policies modification
  • SWO SNS topics modification
  • SWO Service Control Policies modification
  • SWO Lambda functions modification
  • SWO CloudTrail modification (including "Stop/Start logging")
  • new linked account creation

  * SWOUserOrRoleCreationEventRule – this rule triggers the Permissions Boundary deployment on any newly created user or role
  ** SWOSADLambdaTriggerEventRule – optional; part of the SAD budget automation

SNS Topics
  • SWOLinkedAccountCreationSnsTopic
  • SWOEventNotificationsSnsTopic
  • SWOSNSTopicSAD*
  Master account: yes
  Linked account: yes*
  * optional
  SNS topics used by the EventBridge rules to send notifications about the defined events.
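The detective rules above and the topic they publish to fit in one template. The following is an added example for this page, not SWO's own template: the rule and topic names are from the page, the event patterns are an assumption about what those rules would match, the topic policy is scoped so that only SWO* rules in this account may publish, and the email endpoint is a placeholder.

```yaml
# Added example, not SWO's own template. Rule and topic names are from the
# page; event patterns and the email endpoint are assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  NotificationEmail:
    Type: String   # placeholder subscription endpoint
Resources:
  SWOEventNotificationsSnsTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: SWOEventNotificationsSnsTopic
      Subscription:
        - Protocol: email
          Endpoint: !Ref NotificationEmail
  SWOEventNotificationsSnsTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - !Ref SWOEventNotificationsSnsTopic
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowSWORulesToPublish
            Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sns:Publish
            Resource: !Ref SWOEventNotificationsSnsTopic
            Condition:
              ArnLike:   # only SWO* rules in this account, not any EventBridge rule
                aws:SourceArn: !Sub "arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/SWO*"
  SWOCloudTrailModificationEventRule:
    Type: AWS::Events::Rule
    Properties:
      Name: SWOCloudTrailModificationEventRule
      State: ENABLED
      EventPattern:
        source: ["aws.cloudtrail"]
        detail-type: ["AWS API Call via CloudTrail"]
        detail:
          eventSource: ["cloudtrail.amazonaws.com"]
          eventName:
            - StopLogging
            - StartLogging
            - DeleteTrail
            - UpdateTrail
            - PutEventSelectors
      Targets:
        - Id: SnsTarget
          Arn: !Ref SWOEventNotificationsSnsTopic
  SWOIamRoleModificationEventRule:
    Type: AWS::Events::Rule
    Properties:
      Name: SWOIamRoleModificationEventRule
      State: ENABLED
      EventPattern:
        source: ["aws.iam"]
        detail-type: ["AWS API Call via CloudTrail"]
        detail:
          eventSource: ["iam.amazonaws.com"]
          eventName:
            - DeleteRole
            - UpdateRole
            - UpdateAssumeRolePolicy
            - AttachRolePolicy
            - DetachRolePolicy
            - PutRolePolicy
            - DeleteRolePolicy
            - PutRolePermissionsBoundary
            - DeleteRolePermissionsBoundary
          requestParameters:
            roleName:
              - prefix: SWO    # content filter: only the SWO* roles fire the rule
      Targets:
        - Id: SnsTarget
          Arn: !Ref SWOEventNotificationsSnsTopic
  SWORootAccountActivityEventRule:
    Type: AWS::Events::Rule
    Properties:
      Name: SWORootAccountActivityEventRule
      State: ENABLED
      EventPattern:
        detail-type:
          - "AWS Console Sign In via CloudTrail"
          - "AWS API Call via CloudTrail"
        detail:
          userIdentity:
            type: [Root]        # any root action, console or API
      Targets:
        - Id: SnsTarget
          Arn: !Ref SWOEventNotificationsSnsTopic
```

Two deployment details matter. CloudTrail delivers IAM, STS and sign-in events to EventBridge in us-east-1 as global service events, so the IAM and root-activity rules must be created in that Region or they will never fire. And if the topic is later encrypted, use a customer managed KMS key whose key policy grants events.amazonaws.com kms:GenerateDataKey* and kms:Decrypt; EventBridge cannot publish to a topic encrypted with the AWS-managed aws/sns key.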

 

IAM Roles & Policies
  • SWOBudgetSADFnExecutionRole
  • SWOBudgetSADPolicy
  • SWOCrossAccountSQSWriteSADPolicy
  • SWOSNSTopicBudgetPolicy
  • SnsLambdaPermission
  • SWOSADLambdaTriggerEventRulePermission
  Master account: yes
  Linked account: yes
  Optional.
  Permissions for integrating alarms from Budget with the event-management SQS queue.

SSM Parameters
  • SimpleVersionParameter
  Master account: yes
  Linked account: no

 

 
