Limiting production stage access
I was just about to try to figure this out, and I wanted to check if anyone had designed a way to limit the updating and deletion of a specific production stage.

I suspect that, after the initial stage creation, I could manually alter the default IAM role for developers to not allow access to all of the specific resources defined by our production stages. Then, I could create a separate role that allows access to the resources, and I could assign that role on an as-needed basis to the developer entrusted with updating the production stage. This would also protect from folks logged into the console from accidentally or maliciously deleting resources related to the production stage. What I’m concerned about is the effort involved in doing this manually - I wanted to make sure I wasn’t overlooking a more automated approach people were doing.

Thanks in advance for any advice you might be able to give!
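One way to encode the plan sketched in the post above, as an added example that is not from this thread or from the Serverless Framework itself: an explicit Deny policy for the developers' role that blocks update/delete on production-stage resources, plus a trust policy for a separate, MFA-gated role that only the entrusted deployer may assume. It assumes the Framework's default naming (stack `<service>-<stage>`, functions `<service>-<stage>-<function>`), and `is_denied` is a simplified local matcher, not the real IAM evaluator.

```python
import fnmatch

# Actions that change or remove a deployed stage; read-only actions are left alone.
MUTATING_ACTIONS = [
    "cloudformation:UpdateStack", "cloudformation:DeleteStack",
    "cloudformation:CreateChangeSet", "cloudformation:ExecuteChangeSet",
    "lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration",
    "lambda:DeleteFunction", "logs:DeleteLogGroup",
]


def prod_resource_arns(service, stage, account_id, region="*"):
    # Assumed Serverless Framework naming: "<service>-<stage>" stack, "<service>-<stage>-<fn>" functions.
    prefix = f"{service}-{stage}"
    return [
        f"arn:aws:cloudformation:{region}:{account_id}:stack/{prefix}/*",
        f"arn:aws:lambda:{region}:{account_id}:function:{prefix}-*",
        f"arn:aws:logs:{region}:{account_id}:log-group:/aws/lambda/{prefix}-*",
    ]


def developer_guardrail_policy(service, stage, account_id):
    """Attach to the shared developer role. An explicit Deny wins over any Allow,
    so it holds even if the developers' base policy is broad."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyProductionStageChanges", "Effect": "Deny",
        "Action": MUTATING_ACTIONS,
        "Resource": prod_resource_arns(service, stage, account_id)}]}


def prod_deployer_trust_policy(account_id, trusted_users):
    """Trust policy for the separate production-deploy role: only the named
    IAM users may assume it, and only with MFA present."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [f"arn:aws:iam::{account_id}:user/{u}" for u in trusted_users]},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}


def is_denied(policy, action, resource_arn):
    """Simplified check: does any Deny statement match this action and ARN?
    Uses IAM-style '*' / '?' wildcards and ignores Conditions."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(fnmatch.fnmatchcase(action, a) for a in actions) and \
           any(fnmatch.fnmatchcase(resource_arn, r) for r in resources):
            return True
    return False
```

The prod-deploy role must not carry the guardrail policy, and it should be reviewed like any other privileged role; the Deny on the developer role only covers the resource types listed.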

This is the reason not to use stages - if it’s in the same account then it’s likely users could get access to the “wrong” stage. Especially since the Framework requires IAM access, which can be exploited to escalate privileges.

If you want to ensure your production deployment is protected, you need to use a separate account and role/user to manage it. This follows standard AWS practices to limit blast-radius, etc.


Yeah, I see your logic @rowanu … I’ve never looked into how AWS feels about a second corporate account, but I could do that & find out the details. Then I suppose the team responsible for pushing to release would have two certificates on their computer, one for the development corporate account login and one for the production corporate account login. Thanks for the idea. :)