
AWS Console Access

New joiners to the Cloud Platform team will need AWS Console access for most things. IAM resources (users, groups, roles, etc.) are managed by terraform, so a new user is nothing more than a new resource in terraform.

Related repositories:

Steps to create/delete users

1) Check the user is in the webops GitHub team, which authorizes access to this AWS account.

2) Create a git branch and add (or delete) the user as terraform code. Do not forget to link the user to a group.

3) Run terraform plan in cloud-platform-infrastructure/terraform/cloud-platform-account/ to verify you’re happy with the terraform changes.

4) Create the PR, ask the team to review it, and merge it.

5) Create a release.

6) In the infrastructure repo, edit the terraform config that calls that module, to use the new release - see example

7) Create the PR, ask the team to review it, and merge it.

8) Apply the changes.

9) Verify the user is created. (You can use AWS Console for this.)

10) Tell them they can log in here: https://aws-login.cloud-platform.service.justice.gov.uk

Activating MFA for new users

Unfortunately, terraform can’t activate MFA for users. This process must be done manually, either through the AWS Console (UI) or through the AWS CLI.
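Because MFA is activated by hand, a newly created user can be left with a console password and no MFA device. The following is an added example, not part of the original page or the team's own tooling: it reads an IAM credential report and lists console users whose MFA is not active. The script name check_mfa.py and the sample rows are assumptions made for illustration.

```python
# Usage against a real account (script name check_mfa.py is hypothetical):
#   aws iam generate-credential-report
#   aws iam get-credential-report --query Content --output text \
#       | base64 -d | python3 check_mfa.py
import csv
import io
import sys

# Constructed sample in the column layout of an IAM credential report,
# trimmed to the columns this check reads. Not real account data.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,mfa_active
<root_account>,arn:aws:iam::111122223333:root,2019-01-01T00:00:00+00:00,not_supported,true
alice,arn:aws:iam::111122223333:user/alice,2023-09-01T10:00:00+00:00,true,true
bob,arn:aws:iam::111122223333:user/bob,2023-09-20T10:00:00+00:00,true,false
ci-bot,arn:aws:iam::111122223333:user/ci-bot,2022-03-05T10:00:00+00:00,false,false
"""


def console_users_without_mfa(report_csv):
    """Return (user, creation_time) pairs for users that have a console
    password but no active MFA device, oldest account first."""
    missing = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        # The report stores booleans as the strings "true"/"false"; the root
        # row uses "not_supported" for password_enabled, so it is skipped.
        has_password = row["password_enabled"].strip().lower() == "true"
        has_mfa = row["mfa_active"].strip().lower() == "true"
        if has_password and not has_mfa:
            missing.append((row["user"], row["user_creation_time"]))
    return sorted(missing, key=lambda item: item[1])


if __name__ == "__main__":
    # Read a decoded report from stdin when piped, else use the sample.
    text = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    for user, created in console_users_without_mfa(text):
        print(f"{user}\tcreated {created}\tMFA not active")
```

Users without a console password (such as the constructed ci-bot row) are not listed, because the check is about console logins.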

This page was last reviewed on 27 September 2023. It needs to be reviewed again on 27 March 2024 by the page owner #cloud-platform.