| 1 | +# Secure All-Patterns Deployer Role for GenAI IDP Accelerator |
| 2 | + |
| 3 | +This directory contains the `all-patterns-deployer-role-secure.yaml` CloudFormation template that creates a secure IAM role for deploying, managing and modifying all GenAI IDP Accelerator patterns deployments. |
| 4 | + |
| 5 | +## What This Role Does |
| 6 | + |
| 7 | +The **AllPatternsDeployerRole** provides comprehensive permissions to deploy, update, and manage GenAI IDP Accelerator CloudFormation stacks across all patterns (Pattern 1: BDA, Pattern 2: Textract+Bedrock, Pattern 3: Textract+UDOP+Bedrock). |
| 8 | + |
| 9 | +### Key Capabilities |
| 10 | +- **Full CloudFormation Management**: Create, update, delete IDP stacks |
| 11 | +- **All Pattern Support**: Works with Pattern 1 (BDA), Pattern 2 (Textract+Bedrock), and Pattern 3 (UDOP) |
| 12 | +- **Comprehensive AWS Service Access**: All services required by IDP Accelerator |
| 13 | + |
| 14 | + |
| 15 | +## Security Features |
| 16 | + |
| 17 | +### Region Restrictions |
| 18 | +- **Deployment Regions**: Limited to `us-east-1` and `us-west-2` only |
| 19 | +- **Cross-Region Prevention**: Denies all actions outside approved regions |
| 20 | +- **Same-Region Assumption**: Role can only be assumed in the region where it's deployed |
| 21 | + |
| 22 | +### Session Management |
| 23 | +- **Session Duration**: Maximum 1 hour (3600 seconds) |
| 24 | +- **Forced Re-authentication**: Requires frequent credential refresh |
| 25 | + |
| 26 | +### Access Control |
| 27 | +- **Account-Scoped**: Only IAM entities within the same AWS account can assume the role |
| 28 | +- **Permission-Based**: roles/users need individual `sts:AssumeRole` permissions |
| 29 | +- **CloudFormation Service**: AWS CloudFormation service can also assume the role |
| 30 | + |
| 31 | +## Files in this Directory |
| 32 | + |
| 33 | +- `all-patterns-deployer-role-secure.yaml` - CloudFormation template for the secure IAM role |
| 34 | +- `README.md` - This documentation file |
| 35 | +- `testing-guide.md` - Testing procedures and validation steps |
| 36 | + |
| 37 | +## Parameters |
| 38 | + |
| 39 | +- **MasterStackName**: Name of the master GenAI IDP stack (used in role naming) |
| 40 | +- Must follow CloudFormation stack naming pattern: `^[a-zA-Z][a-zA-Z0-9-]*$` |
| 41 | + |
| 42 | +## Quick Start |
| 43 | + |
| 44 | +1. **Deploy the IAM Role** *(Administrator Required)*: |
| 45 | + ```bash |
| 46 | + aws cloudformation deploy \ |
| 47 | + --template-file all-patterns-deployer-role-secure.yaml \ |
| 48 | + --stack-name idp-deployer-role \ |
| 49 | + --parameter-overrides MasterStackName=my-idp-project \ |
| 50 | + --capabilities CAPABILITY_NAMED_IAM |
| 51 | + ``` |
| 52 | + |
| 53 | +2. **Grant Assumption Permissions** (to your user/role) *(Administrator Required)* : |
| 54 | + ```bash |
| 55 | + # Add this policy to your user/role |
| 56 | + { |
| 57 | + "Effect": "Allow", |
| 58 | + "Action": "sts:AssumeRole", |
| 59 | + "Resource": "arn:aws:iam::ACCOUNT:role/my-idp-project-AllPatterns-Deployer-Secure" |
| 60 | + } |
| 61 | + ``` |
| 62 | + |
| 63 | +3. **Assume the Role**: |
| 64 | + ```bash |
| 65 | + aws sts assume-role \ |
| 66 | + --role-arn arn:aws:iam::123456789012:role/my-idp-project-AllPatterns-Deployer-Secure \ |
| 67 | + --role-session-name idp-deployment |
| 68 | + ``` |
| 69 | + |
| 70 | +4. **Deploy IDP Accelerator**: |
| 71 | + ```bash |
| 72 | + # Export the assumed role credentials first, then: |
| 73 | + aws cloudformation deploy \ |
| 74 | + --template-file ../../template.yaml \ |
| 75 | + --stack-name my-idp-stack \ |
| 76 | + --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM |
| 77 | + ``` |
| 78 | + |
| 79 | +## AWS Service Permissions |
| 80 | + |
| 81 | +The role provides comprehensive access to AWS services required by all IDP patterns: |
| 82 | + |
| 83 | +### Core Infrastructure Services |
| 84 | +- **CloudFormation**: `cloudformation:*` - Full stack management |
| 85 | +- **IAM**: Complete role and policy management for IDP components |
| 86 | +- **Lambda**: `lambda:*` - Function creation and management |
| 87 | +- **Step Functions**: `states:*` - State machine orchestration |
| 88 | +- **S3**: `s3:*` - Bucket and object management |
| 89 | +- **DynamoDB**: `dynamodb:*` - Table and data management |
| 90 | +- **SQS**: `sqs:*` - Queue management |
| 91 | +- **EventBridge**: `events:*` - Event rule configuration |
| 92 | +- **KMS**: `kms:*` - Encryption key management |
| 93 | +- **CloudWatch**: `logs:*`, `cloudwatch:*` - Monitoring and logging |
| 94 | + |
| 95 | +### AI/ML Services |
| 96 | +- **Amazon Bedrock**: `bedrock:*` - All foundation models and features |
| 97 | +- **Amazon Textract**: `textract:*` - Document OCR capabilities |
| 98 | +- **Amazon SageMaker**: `sagemaker:*` - Model endpoint management |
| 99 | +- **AWS Glue**: `glue:*` - Data catalog and ETL |
| 100 | +- **OpenSearch Serverless**: `aoss:*` - Vector search capabilities |
| 101 | + |
| 102 | +### Web & API Services |
| 103 | +- **Amazon Cognito**: `cognito-idp:*`, `cognito-identity:*` - Authentication |
| 104 | +- **AWS AppSync**: `appsync:*` - GraphQL API management |
| 105 | +- **CloudFront**: `cloudfront:*` - Content delivery |
| 106 | +- **AWS WAF**: `wafv2:*` - Web application firewall |
| 107 | +- **SNS**: `sns:*` - Notification services |
| 108 | +- **Systems Manager**: `ssm:*` - Parameter management |
| 109 | +- **CodeBuild**: `codebuild:*` - Build automation |
| 110 | + |
| 111 | +### Network & Compute |
| 112 | +- **EC2**: Limited VPC, subnet, and security group management |
| 113 | +- **Application Auto Scaling**: `application-autoscaling:*` |
| 114 | +- **EventBridge Scheduler**: `scheduler:*` |
| 115 | + |
| 116 | +### Additional Permissions |
| 117 | +- **ReadOnlyAccess**: AWS managed policy for read operations |
| 118 | +- **STS**: `sts:AssumeRole` for service integrations |
| 119 | + |
| 120 | +## Security Considerations |
| 121 | + |
| 122 | +### Regional Restrictions |
| 123 | +- **Hard Limit**: All actions denied outside `us-east-1` and `us-west-2` |
| 124 | +- **Deployment Region**: Role assumption restricted to deployment region |
| 125 | +- **Compliance**: Helps meet data residency requirements |
| 126 | + |
| 127 | +### Session Security |
| 128 | +- **Short Sessions**: 1-hour maximum reduces credential exposure |
| 129 | +- **Account Isolation**: Cannot be assumed cross-account |
| 130 | + |
| 131 | +### Permission Scope |
| 132 | +- **Broad Service Access**: Full service permissions for comprehensive IDP deployment |
| 133 | +- **No Resource Restrictions**: Allows flexibility but requires careful usage |
| 134 | +- **Service Trust**: CloudFormation service can assume role for stack operations |
| 135 | +- **Compliance Note**: Organizations may need to refine and make more granular the service action permissions based on their specific security compliance guidelines and least privilege requirements |
| 136 | + |
| 137 | +## Troubleshooting |
| 138 | + |
| 139 | +### Common Issues |
| 140 | + |
| 141 | +1. **Access Denied when Assuming Role**: |
| 142 | + - Verify your user/role has `sts:AssumeRole` permission for this specific role ARN |
| 143 | + - Check you're in the correct AWS region (must match role deployment region) |
| 144 | + - Ensure the role exists and is in the same account |
| 145 | + |
| 146 | +2. **Region Restriction Errors**: |
| 147 | + - All operations must be in `us-east-1` or `us-west-2` |
| 148 | + - Deploy the role in your target deployment region |
| 149 | + - Check AWS CLI region configuration |
| 150 | + |
| 151 | +3. **Session Timeout**: |
| 152 | + - Sessions expire after 1 hour maximum |
| 153 | + - Re-assume the role to get fresh credentials |
| 154 | + - Consider automation for long-running deployments |
| 155 | + |
| 156 | +4. **CloudFormation Deployment Failures**: |
| 157 | + - Ensure you're using `CAPABILITY_IAM` and `CAPABILITY_NAMED_IAM` |
| 158 | + - Check CloudWatch logs for specific service errors |
| 159 | + |
| 160 | +### Getting Help |
| 161 | + |
| 162 | +For additional support: |
| 163 | +1. Review the `testing-guide.md` for validation procedures |
| 164 | +2. Check the main IDP Accelerator documentation |
| 165 | +3. Consult AWS IAM best practices documentation |
| 166 | + |
| 167 | +## Best Practices |
| 168 | + |
| 169 | +1. **Regular Auditing**: Periodically review who has access to assume this role |
| 170 | +2. **Least Privilege**: Only grant this role to users who need to manage IDP stacks |
| 171 | +3. **Session Management**: Use temporary credentials and limit session duration |
| 172 | +4. **Monitoring**: Enable CloudTrail logging for role assumption and usage |
| 173 | +5. **Rotation**: Regularly review and update the role permissions as needed |
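Review bot: Step 2 of Quick Start (`"Effect": "Allow"`, `"Action": "sts:AssumeRole"`, `"Resource": "arn:aws:iam::ACCOUNT:role/my-idp-project-AllPatterns-Deployer-Secure"`) is an IAM policy statement fenced as bash and missing the enclosing `Version`/`Statement` document, so it cannot be pasted into a policy as written; fence it as json and show the complete policy document. The same step uses `ACCOUNT` as a placeholder while step 3 uses the literal `123456789012`; pick one placeholder convention and state that it must be replaced with the caller's own account id. The Security Considerations section also understates the blast radius: with `IAM: Complete role and policy management`, `STS: sts:AssumeRole`, and `No Resource Restrictions`, any principal that can assume this role can create or modify other roles and chain into them, so inside `us-east-1`/`us-west-2` it is effectively an administrative role; the README should say that plainly, and the IAM bullet should list the actual actions the template grants rather than "Complete ... management", so that "Secure" in the role name is read as region- and session-bounded, not least-privilege. Finally, `Same-Region Assumption` and `Role assumption restricted to deployment region` need one sentence on how the trust policy enforces this (IAM roles are global, so the restriction can only be a condition on the STS call); without it, the troubleshooting advice "Check you're in the correct AWS region" is hard to act on.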