Overview
This technical procedure outlines how to secure an AWS account that is connected to an Engine Yard (EY) Cloud account. The strategy focuses on:
-
Implementing strict permissions management
-
Enforcing IP-based access restrictions
The procedure includes configuring AWS Service Control Policies (SCPs) and adjusting IAM user roles that the Engine Yard platform relies on to manage AWS resources.
Each of the following sections addresses one of the three IAM users utilized by the Engine Yard platform. This guide assumes the reader is familiar with the AWS IAM Console.
Important:
-
The only IAM users being utilized by Engine Yard are the three ones listed below on this KB article. Any others resembling Engine Yard should be removed.
-
The only policies present for each user are the ones provided through this KB article. Any other policies should be removed.
-
Each of ey_support and ey_instance users have one and only one IAM key active. Any deactivated key found at any time can be removed. The ey_support user does not use IAM keys at all.
In case of any doubts, do contact the EY Support Team.
ey_support
This user grants EY Support staff access to the AWS account for diagnostic purposes and configuration fixes.
As it stands today, the user has full admin permissions in the account. Because of this, access to the AWS account by using it is restricted to connections coming from the company's VPN endpoint.
As of May 2024, the authorized IP is:
52.6.229.154/32To secure the account, copy the content from the attached file `iam_policy-ey_support.json` and add it as an inline policy.
ey_admin
This user enables the Engine Yard Platform to programmatically manage AWS resources via the AWS API.
As it stands today, this user has full admin permissions in the account. Because of this, access to the AWS account through this user and its API is allowed only from IPs belonging to the EY backend
To secure access to this account in this way, copy the content from the attached file `iam_policy-ey_admin.json` and add it as an inline policy.
Validate that the EYC Platform continues to work as expected, relying on CloudTrail or a similar tool to follow up and review the accesses.
ey_instance
This user allows the instances managed by the EY Platform to access the AWS S3 API in order to create files and folders (buckets) on the account. The use cases revolve around downloading custom Chef recipes and managing backups.
As it stands today, this user has several permissions to S3 and the EC2 API in the account. Because the credentials are installed on the instances themselves, the restrictions on usage are focused around the permissions for operations than on source IPs
To secure access to this account in this way, copy the content from the attached file `iam_policy-ey_instance.json` and add it as an inline policy. Also, remove the previous ones about S3, ronin, and security groups, as these policies are no longer used. Validate that the EYC Platform continues to work as expected, relying on CloudTrail or a similar tool to follow up and review the accesses.
Other considerations
For AWS accounts managed by customers, it is highly recommended to enable AWS GuardDuty. This enables:
-
Continuous security monitoring
-
Detection of malicious or unauthorized behavior
-
Enhanced support investigations by EY staff
Aditi Garg
Comments