REQUIRED

SCG-CSO-RSC: Recommended Secure Configuration

Providers MUST create, maintain, and make available recommendations for securely configuring their cloud services (the Secure Configuration Guide) that includes at least the following information:
  1. Required: Instructions on how to securely access, configure, operate, and decommission top-level administrative accounts that control enterprise access to the entire cloud service offering.
  2. Required: Explanations of security-related settings that can be operated only by top-level administrative accounts and their security implications.
  3. Recommended: Explanations of security-related settings that can be operated only by privileged accounts and their security implications.

Top-Level Administrative Accounts Guidance

Requirement

Providers MUST create and maintain guidance that includes instructions on how to securely access, configure, operate, and decommission top-level administrative accounts that control enterprise access to the entire cloud service offering.

Executive Summary

This guidance provides Footprint's recommended practices for managing top-level administrative accounts in the Footprint system. A top-level account within Footprint is an account that serves as the central control point for the organization. This guidance covers management of top-level accounts, including the account itself, secure access and configuration of accounts, management operations, and the decommission process.

Top-Level Administrative Account Types

In the Footprint system, the provided top-level administrative roles are the SRE role and the SREEscalation role.

Initial Implementation Steps

  1. Platform Admin will get set up with an IAM user account:
    • Upon initiating the onboarding process, the platform administrator of the customer organization will be provided with a temporary Identity and Access Management (IAM) user account.
    • This account will be assigned the permissions and roles required for the platform administrator to perform the initial setup actions to integrate their organization's Single Sign-On (SSO) solution.
    • Detailed instructions or a guide will be provided by the Cloud Service Provider (CSP) to assist the platform admin with the setup process.
  2. Platform Admin configures their Organization SSO to integrate with the Footprint system:
    • The platform admin will integrate the organization's Single Sign-On (SSO) solution with Footprint for secure user authentication.
    • This may involve:
      • Setting up the single sign on connection between the organization's Identity Provider (IdP) and Footprint.
      • Configuring various connection attributes such as SAML metadata, trusted certificates, and other authentication parameters.
      • Mapping roles, groups, or user attributes between the CSP platform and the organization's directory (e.g., Active Directory or LDAP).
      • Testing the SSO connection to ensure it works correctly across the organization. Any failures or troubleshooting related to the SSO setup can be addressed during this phase.
    • The CSP can provide detailed documentation or technical support during this configuration to ensure everything is set up correctly as per security and functional requirements.
  3. Account is deactivated once SSO is set up:
    • Once the SSO configuration is successfully established and tested, the temporary IAM user account that was used for initial setup will be deactivated to prevent unauthorized use.
    • The platform admin and the customer organization are expected to rely solely on organizational credentials going forward to access the CSP platform through the configured SSO.

Ongoing Operational Steps

  1. Customer is responsible for managing their access after initial SSO setup:
    • The responsibility for creating, assigning, or managing user access within their organization lies solely with the customer.
    • The customer is also responsible for maintaining the security of their credentials, addressing internal access requests, and ensuring compliance with their organization's internal policies.
    • The CSP will retain access at the organizational level, enabling it to assist with troubleshooting and fulfillment of agreed-upon services (e.g., system support, monitoring, or performing essential maintenance).
      • This organizational-level access will be limited strictly to what is necessary for the CSP to fulfill their duties, adhering to any data privacy guidelines or agreements established with the customer.

Top-Level Administrative Account Settings and Roles

Requirement

Providers MUST create and maintain guidance that explains security-related settings that can be operated only by top-level administrative accounts and their security implications.

Executive Summary

This guidance provides Footprint recommended practices for security-related settings and operations that require top-level administrative privileges in the Footprint environment. These settings are critical for maintaining the security posture of Footprint accounts and are essential for FedRAMP compliance considerations. These settings should not be delegated to any accounts other than top-level administrators.

SRE Role

  • AWS Managed Policies: ReadOnlyAccess, AmazonPersonalizeFullAccess, AmazonConnectFullAccess, AmazonLexFullAccess
  • CloudFormation: Full access (cloudformation:*)
  • S3: PutObject on all resources
  • AWS Marketplace: Full access (aws-marketplace:*)
  • Lambda: InvokeFunction
  • EC2: ModifyInstanceAttribute (DENY: ec2:*Tags to prevent bastion access manipulation)
  • Inspector: Full access (inspector:*)
  • Performance Insights: Full access (pi:*)
  • Service Quotas: Full access (servicequotas:*)
  • CloudShell: Full access (cloudshell:*)
  • Route53: AssociateVPCWithHostedZone
  • Image Builder: StartImagePipelineExecution
  • STS: AssumeRole for CDK roles
  • QuickSight: CreateGroupMembership, CreateGroup, Describe*, Get*, List*, Update Dashboard/Analysis/DataSet permissions
  • DynamoDB: ExportTableToPointInTime
  • AppStream: Stream access
  • CodeArtifact: GetAuthorizationToken, GetServiceBearerToken
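The DENY on ec2:*Tags in the SRE role only has its intended effect because IAM evaluates an explicit Deny ahead of any Allow, including wildcard grants such as cloudformation:*. The following added example (not the project's code or its real policy document) models that evaluation order over a constructed policy built from the SRE table; it ignores Resource and Condition blocks, so it checks action-level grants only, and the same function can be run against any of the role tables on this page.

```python
"""Minimal evaluator for an AWS IAM identity-based policy document (added
example): an explicit Deny wins, then a matching Allow, else implicit deny.
Resource and Condition blocks are ignored; only Action/NotAction is matched."""
import fnmatch
import json

# Constructed sample modelled on the SRE role table above; it is not the
# project's real policy document.
SRE_ROLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["cloudformation:*", "s3:PutObject", "lambda:InvokeFunction",
                "ec2:ModifyInstanceAttribute", "inspector:*", "cloudshell:*"]},
    {"Effect": "Deny", "Resource": "*", "Action": "ec2:*Tags"}
  ]
}
""")


def _as_list(value) -> list:
    """IAM accepts a single string (or a single statement object) where a list is expected."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])


def _action_matches(pattern: str, action: str) -> bool:
    """Action names match case-insensitively, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_matches(stmt: dict, action: str) -> bool:
    """A statement applies if Action matches, or if NotAction does not match."""
    if "Action" in stmt:
        return any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
    return not any(_action_matches(p, action) for p in _as_list(stmt.get("NotAction")))


def evaluate(policy: dict, action: str) -> str:
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one API action."""
    matched = [s for s in _as_list(policy["Statement"]) if _statement_matches(s, action)]
    if any(s["Effect"] == "Deny" for s in matched):
        return "explicit_deny"   # Deny overrides any Allow, even a wildcard one
    if any(s["Effect"] == "Allow" for s in matched):
        return "allow"
    return "implicit_deny"       # nothing in the policy granted the action
```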

SREEscalation Role

  • AWS Managed Policies: AdministratorAccess
  • Full Administrative Access: Complete access to all AWS services and resources with no restrictions
  • Use Case: Emergency escalation role for critical incidents requiring unrestricted access

Privileged Account Security

Requirement

Providers SHOULD create and maintain guidance that explains security-related settings that can be operated only by privileged accounts and their security implications.

Executive Summary

This guidance provides Footprint practices for managing privileged accounts and security-related settings that require elevated permissions in Footprint environments. Privileged accounts have access to critical Footprint configurations and require enhanced controls, monitoring, and governance to support FedRAMP compliance considerations.

Developer Role

  • AWS Managed Policies: AmazonEC2ContainerRegistryPowerUser, AmazonS3ReadOnlyAccess, AmazonDynamoDBReadOnlyAccess, EKSReadOnlyPolicy
  • Athena & Analytics: StartQueryExecution, GetQueryExecution, ListNamedQueries, GetQueryResults
  • S3 Buckets: Communications bucket: ListObjects, GetObject, HeadBucket; Athena query results: Full access
  • CloudFront: GetDistribution, GetDistributionConfig, ListDistributions (read-only)
  • SWF: List*, Describe*, Count*, Get*, Poll* (read-only)
  • QuickSight: Describe*, Get*, List*, Search*, StartDashboardSnapshotJob