Support access to AWS
When you open a technical support request with DoiT, we may occasionally need access to your AWS accounts to help you effectively. DoiT provides complete transparency when accessing your Amazon Web Services (AWS) accounts.
Key points
- We leverage the AWS user federation broker mechanism for temporary read-only access to your environments.
- We only access your AWS accounts to provide technical support per our contractual obligations. We never access your AWS accounts for any other reason.
- Support engineers do not have write access to your AWS accounts. The only exception is that we are able to raise AWS support cases and request service quota increases on your behalf.
- We retain logs of access to your environments on our platform for 30 days. You can use AWS CloudTrail for a complete log of every action that we perform on your accounts.
- We establish the access trust domain perimeter through cryptographic means at the code level to ensure that only DoiT has access to your environments from well-known and secure entrypoints.
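The CloudTrail review mentioned in the list above can be scripted. This added example (not DoiT's code) sorts events issued by DoiT-Support-Gateway sessions into read-only calls, the two write operations this page names (CreateCase and RequestServiceQuotaIncrease), and anything else. The records and the account ID 111122223333 are constructed; the field names follow the CloudTrail record format.

```python
ROLE_NAME = "DoiT-Support-Gateway"
# The two write actions the page says support engineers can perform.
EXPECTED_WRITES = {
    ("support.amazonaws.com", "CreateCase"),
    ("servicequotas.amazonaws.com", "RequestServiceQuotaIncrease"),
}

def from_support_role(record):
    """True when the caller is a session issued from the support role."""
    identity = record.get("userIdentity", {})
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return identity.get("type") == "AssumedRole" and issuer.get("userName") == ROLE_NAME

def review(records):
    """Bucket support-role events: read-only, expected write, or unexpected."""
    report = {"read_only": [], "expected_write": [], "unexpected": []}
    for rec in records:
        if not from_support_role(rec):
            continue
        action = (rec.get("eventSource"), rec.get("eventName"))
        if rec.get("readOnly") is True:
            bucket = "read_only"
        elif action in EXPECTED_WRITES:
            bucket = "expected_write"
        else:
            bucket = "unexpected"  # a missing readOnly flag is treated as a write
        report[bucket].append((rec.get("eventTime"),) + action)
    return report

def sample(time, source, name, read_only, role=ROLE_NAME):
    """Build a constructed CloudTrail-style record (placeholder account ID)."""
    return {
        "eventTime": time, "eventSource": source, "eventName": name,
        "readOnly": read_only,
        "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {
            "type": "Role", "userName": role,
            "arn": f"arn:aws:iam::111122223333:role/{role}"}}},
    }

SAMPLE_RECORDS = [  # constructed for this example, not real log data
    sample("2024-05-01T10:00:00Z", "ec2.amazonaws.com", "DescribeInstances", True),
    sample("2024-05-01T10:02:00Z", "servicequotas.amazonaws.com", "RequestServiceQuotaIncrease", False),
    sample("2024-05-01T10:05:00Z", "s3.amazonaws.com", "PutBucketPolicy", False),
    sample("2024-05-01T10:06:00Z", "s3.amazonaws.com", "PutBucketPolicy", False, role="deploy"),
]

if __name__ == "__main__":
    for bucket, events in review(SAMPLE_RECORDS).items():
        print(bucket, events)
```

Anything in the unexpected bucket is worth following up on, including calls that CloudTrail recorded as denied.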
Grant access
To grant federated access to DoiT support engineers, you must configure the following resources on each of your AWS accounts:
- Two AWS IAM Identity providers to federate DoiT-managed identities.
- One AWS IAM support role named DoiT-Support-Gateway to allow access from the identities mentioned above.
As these resources are global, you may install them in any AWS region.
Required permissions
To create the aforementioned technical prerequisites, you must log in with an IAM user or assume an IAM role that has at least the IAM permissions defined in the IAM policy below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:GetRole",
        "iam:ListRoles",
        "iam:UpdateRole",
        "iam:TagRole",
        "iam:UntagRole",
        "iam:CreateOpenIDConnectProvider",
        "iam:UpdateOpenIDConnectProviderThumbprint",
        "iam:GetOpenIDConnectProvider",
        "iam:ListAttachedRolePolicies",
        "iam:ListOpenIDConnectProviders",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy",
        "iam:PutRolePolicy",
        "iam:GetRolePolicy",
        "iam:ListRolePolicies",
        "iam:DeleteRolePolicy",
        "iam:UpdateAssumeRolePolicy"
      ],
      "Resource": [
        "arn:aws:iam::CUSTOMER_AWS_ACCOUNT_ID:role/*",
        "arn:aws:iam::CUSTOMER_AWS_ACCOUNT_ID:oidc-provider/*"
      ]
    }
  ]
}
Resource creation
You must create the required resources on each of your AWS accounts.
We recommend that you create the resources through the AWS CloudFormation quick-create link we provide.
Alternatively, you can manually create the resources using one of the following methods.
- AWS CloudFormation Stack
- AWS CloudFormation Stack Template
- Terraform
- AWS CLI
Follow the step-by-step AWS CloudFormation Stack creation instructions, and on the final screen, acknowledge the Named IAM resources warning.
Apart from the parameter provided for optional capabilities (see the Optional Capabilities section below), don't change the provided values during the step-by-step process, or the process may fail.
locals {
  // Replace with your AWS account ID
  aws_customer_account_id = "CUSTOMER_AWS_ACCOUNT_ID"
}

resource "aws_iam_openid_connect_provider" "doit1" {
  client_id_list  = [local.aws_customer_account_id]
  thumbprint_list = ["15c2b40aa2f322798666a6b332aaa03a6773019b", "08745487e891c19e3078c1f2a07e452950ef36f6"]
  url             = "https://support.cre.doit-intl.com"
  tags = {
    "doit:support" = "true"
  }
}

resource "aws_iam_openid_connect_provider" "doit2" {
  client_id_list  = ["doit-support"]
  thumbprint_list = ["08745487e891c19e3078c1f2a07e452950ef36f6"]
  url             = "https://securetoken.google.com/doit-support"
  tags = {
    "doit:support" = "true"
  }
}

resource "aws_iam_role" "doit_support_gateway" {
  name = "DoiT-Support-Gateway"
  inline_policy {
    name = "inline"
    policy = jsonencode(
      {
        Version = "2012-10-17"
        Statement = [
          {
            Effect = "Allow"
            Action = [
              "airflow:GetEnvironment",
              "airflow:List*",
              "amplify:Get*",
              "amplify:List*",
              "backup:Describe*",
              "backup:Get*",
              "backup:List*",
              "ce:Get*",
              "ce:List*",
              "ce:Describe*",
              "compute-optimizer:Get*",
              "compute-optimizer:Describe*",
              "eks:AccessKubernetesApi",
              "eks:List*",
              "mobiletargeting:List*",
              "redshift-serverless:List*",
              "s3:GetStorageLens*",
              "s3:ListStorageLens*",
              "servicequotas:Get*",
              "servicequotas:List*",
              "servicequotas:RequestServiceQuotaIncrease",
              "workspaces:List*"
            ]
            Resource = "*"
          }
        ]
    })
  }
  managed_policy_arns = toset([
    "arn:aws:iam::aws:policy/AmazonRDSPerformanceInsightsReadOnly",
    "arn:aws:iam::aws:policy/AmazonWorkSpacesWebReadOnly",
    "arn:aws:iam::aws:policy/AmazonSESReadOnlyAccess",
    "arn:aws:iam::aws:policy/AWSCloudShellFullAccess",
    "arn:aws:iam::aws:policy/AWSSupportAccess",
    "arn:aws:iam::aws:policy/AWSBillingReadOnlyAccess",
    "arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess",
    "arn:aws:iam::aws:policy/SecurityAudit",
    "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess",
  ])
  max_session_duration = 21600
  assume_role_policy = jsonencode(
    {
      Version = "2012-10-17"
      Statement = [
        {
          Effect = "Allow",
          Action = [
            "sts:AssumeRoleWithWebIdentity",
            "sts:TagSession"
          ]
          Principal = {
            Federated = [
              "arn:aws:iam::${local.aws_customer_account_id}:oidc-provider/support.cre.doit-intl.com",
              "arn:aws:iam::${local.aws_customer_account_id}:oidc-provider/securetoken.google.com/doit-support"
            ]
          }
          Condition = {
            StringEqualsIfExists = {
              "support.cre.doit-intl.com:aud"           = local.aws_customer_account_id
              "securetoken.google.com/doit-support:aud" = "doit-support"
            }
            StringEquals = {
              "aws:RequestTag/DoitEnvironment" = local.aws_customer_account_id
            }
            "ForAllValues:StringEquals" = {
              "sts:TransitiveTagKeys" = ["DoitEnvironment"]
            }
            Null = {
              "sts:TransitiveTagKeys" = "false"
            }
          }
        }
      ]
    }
  )
  tags = {
    "doit:support" = "true"
  }
}
Replace CUSTOMER_AWS_ACCOUNT_ID with your AWS account ID.
aws iam create-open-id-connect-provider \
  --tags '{"Key": "doit:support", "Value": "true"}' \
  --client-id-list "CUSTOMER_AWS_ACCOUNT_ID" \
  --url https://support.cre.doit-intl.com \
  --thumbprint-list "15c2b40aa2f322798666a6b332aaa03a6773019b"

aws iam create-open-id-connect-provider \
  --tags '{"Key": "doit:support", "Value": "true"}' \
  --client-id-list "doit-support" \
  --url https://securetoken.google.com/doit-support \
  --thumbprint-list "08745487e891c19e3078c1f2a07e452950ef36f6"

aws iam create-role --role-name DoiT-Support-Gateway \
  --max-session-duration 21600 \
  --tags '{"Key": "doit:support", "Value": "true"}' \
  --assume-role-policy-document '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "sts:AssumeRoleWithWebIdentity",
          "sts:TagSession"
        ],
        "Principal": {
          "Federated": [
            "arn:aws:iam::CUSTOMER_AWS_ACCOUNT_ID:oidc-provider/support.cre.doit-intl.com",
            "arn:aws:iam::CUSTOMER_AWS_ACCOUNT_ID:oidc-provider/securetoken.google.com/doit-support"
          ]
        },
        "Condition": {
          "StringEqualsIfExists": {
            "support.cre.doit-intl.com:aud": "CUSTOMER_AWS_ACCOUNT_ID",
            "securetoken.google.com/doit-support:aud": "doit-support"
          },
          "StringEquals": {
            "aws:RequestTag/DoitEnvironment": "CUSTOMER_AWS_ACCOUNT_ID"
          },
          "ForAllValues:StringEquals": {
            "sts:TransitiveTagKeys": ["DoitEnvironment"]
          },
          "Null": {
            "sts:TransitiveTagKeys": false
          }
        }
      }
    ]
  }'

aws iam put-role-policy --role-name DoiT-Support-Gateway \
  --policy-name inline \
  --policy-document '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "airflow:GetEnvironment",
          "airflow:List*",
          "amplify:Get*",
          "amplify:List*",
          "backup:Describe*",
          "backup:Get*",
          "backup:List*",
          "ce:Get*",
          "ce:List*",
          "ce:Describe*",
          "compute-optimizer:Get*",
          "compute-optimizer:Describe*",
          "eks:AccessKubernetesApi",
          "eks:List*",
          "mobiletargeting:List*",
          "redshift-serverless:List*",
          "s3:GetStorageLens*",
          "s3:ListStorageLens*",
          "servicequotas:Get*",
          "servicequotas:List*",
          "servicequotas:RequestServiceQuotaIncrease",
          "workspaces:List*"
        ],
        "Resource": "*"
      }]}'

aws iam attach-role-policy --role-name DoiT-Support-Gateway --policy-arn arn:aws:iam::aws:policy/AmazonRDSPerformanceInsightsReadOnly
aws iam attach-role-policy --role-name DoiT-Support-Gateway --policy-arn arn:aws:iam::aws:policy/AmazonWorkSpacesWebReadOnly
aws iam attach-role-policy --role-name DoiT-Support-Gateway --policy-arn arn:aws:iam::aws:policy/AWSCloudShellFullAccess
aws iam attach-role-policy --role-name DoiT-Support-Gateway --policy-arn arn:aws:iam::aws:policy/AmazonSESReadOnlyAccess
aws iam attach-role-policy --role-name DoiT-Support-Gateway --policy-arn arn:aws:iam::aws:policy/AWSBillingReadOnlyAccess
aws iam attach-role-policy --role-name DoiT-Support-Gateway --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess
aws iam attach-role-policy --role-name DoiT-Support-Gateway --policy-arn arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess
aws iam attach-role-policy --role-name DoiT-Support-Gateway --policy-arn arn:aws:iam::aws:policy/SecurityAudit
aws iam attach-role-policy --role-name DoiT-Support-Gateway --policy-arn arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
Replace CUSTOMER_AWS_ACCOUNT_ID with your AWS account ID.
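A drift check for the role's trust policy, as an added example that is not DoiT's code: it confirms that a policy document still restricts web-identity federation the way the Terraform and AWS CLI definitions above do. The function names and the account ID 111122223333 are placeholders chosen for this example.

```python
def as_list(value):
    """IAM lets most policy fields be a single value or a list."""
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy, account_id):
    """Return findings for web-identity statements; an empty list means no drift."""
    findings = []
    prefix = f"arn:aws:iam::{account_id}:oidc-provider/"
    for stmt in policy.get("Statement", []):
        if "sts:AssumeRoleWithWebIdentity" not in as_list(stmt.get("Action", [])):
            continue
        cond = stmt.get("Condition", {})
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or "Federated" not in principal:
            findings.append("principal is not a federated identity provider")
            continue
        # Each provider must be in this account and have an audience condition.
        audiences = {**cond.get("StringEqualsIfExists", {}), **cond.get("StringEquals", {})}
        for arn in as_list(principal["Federated"]):
            if not arn.startswith(prefix):
                findings.append(f"provider outside account: {arn}")
            elif f"{arn[len(prefix):]}:aud" not in audiences:
                findings.append(f"no audience condition: {arn[len(prefix):]}")
        # The session must carry the DoitEnvironment tag set to this account ID.
        if cond.get("StringEquals", {}).get("aws:RequestTag/DoitEnvironment") != account_id:
            findings.append("request tag not bound to account ID")
        # ForAllValues also matches when the key is absent, so Null must require it.
        keys = cond.get("ForAllValues:StringEquals", {}).get("sts:TransitiveTagKeys", [])
        if as_list(keys) != ["DoitEnvironment"]:
            findings.append("transitive tag keys not limited to DoitEnvironment")
        if str(cond.get("Null", {}).get("sts:TransitiveTagKeys")).lower() != "false":
            findings.append("transitive tag keys not required")
    return findings

def page_policy(account_id):
    """The trust policy shown on this page, with the account ID filled in."""
    issuers = ["support.cre.doit-intl.com", "securetoken.google.com/doit-support"]
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"],
        "Principal": {"Federated": [f"arn:aws:iam::{account_id}:oidc-provider/{i}" for i in issuers]},
        "Condition": {
            "StringEqualsIfExists": {f"{issuers[0]}:aud": account_id,
                                     f"{issuers[1]}:aud": "doit-support"},
            "StringEquals": {"aws:RequestTag/DoitEnvironment": account_id},
            "ForAllValues:StringEquals": {"sts:TransitiveTagKeys": ["DoitEnvironment"]},
            "Null": {"sts:TransitiveTagKeys": "false"}}}]}

if __name__ == "__main__":  # 111122223333 is a constructed placeholder account ID
    print(check_trust_policy(page_policy("111122223333"), "111122223333"))
```

Removing the StringEquals or Null block from the document makes the function report the matching finding, which is the kind of change to look for when comparing the deployed role against these definitions.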
Optional Capabilities
AWS Premium Support
The CloudFormation template includes a parameter AllowSupportRunbooksExecutions with default value false. Setting this parameter to true will add the permissions required to run the following troubleshooting SSM runbooks:
Additional information
- You are free to grant any permission to the DoiT-Support-Gateway IAM role; the ones suggested above are the ones we recommend to cover most, if not all, support use cases. The decision to explicitly grant granular access to DoiT support to your accounts ultimately lies with you. Note that we enforce AWS session policies at the application level to ensure the permissions you granted are solely restricted to read-only and opening support requests on your behalf.
- The permissions for servicequotas:Get*, servicequotas:List*, and servicequotas:RequestServiceQuotaIncrease allow DoiT support engineers to view your current service quotas and request increases on your behalf. This capability enables us to assist you more effectively with quota-related issues without requiring additional access or actions from your team.
- You can leverage the DoiTEnvironment AWS IAM Principal session tag within the IAM conditions of your own Resource-based AWS IAM Policies to further restrict the resources accessible to DoiT. We may support custom AWS IAM Session Principal Tags in the future so you can integrate DoiT with your existing IAM tag-based access control security strategy. Feel free to reach out if you would like to have this feature prioritized.