
What you’ll learn

This workshop provides a comprehensive introduction to managing users and access controls within your Fast Foundation environment. You will learn how to create and manage users and groups. The workshop will also cover best practices for assigning inline policies, applying AWS managed policies, and managing group access across AWS accounts within the Fast Foundation multi-account architecture.

Prerequisites

Before starting this workshop, ensure you have:

Getting Started

Let’s begin by locating the file where user management is accomplished inside the project. In your infrastructure repository, navigate to:
Infrastructure/
└── infrastructure/
    └── production/
        └── <your-region>/
            └── permissions/
                └── sso/
                    └── main/
                        ├── terragrunt.hcl
                        └── inputs.hcl
The inputs.hcl file contains the configuration for the user management module.
If it isn’t there, the Terragrunt before-hooks generate and sync it during terragrunt init: open a terminal in the main directory and run terragrunt init.

Creating an Access Group

Step 1: Add access group definition

To create a new access group, add it to the access_groups list of the inputs.hcl file.
locals {
  management_mode  = "internal"

  access_groups = [
    {
      name         = "Developers"
      description  = "Development team access"
      session_duration = "PT8H"
      accounts_names = [
        "workload-development",
        "workload-production"
      ]
      
      aws_managed_policies = [
        "arn:aws:iam::aws:policy/PowerUserAccess"
      ]
    }
  ]
}
Step 2: Understand the parameters

Required fields:
  • name – Unique identifier for the group
  • description – What the group is for
  • accounts_names – Which AWS accounts members can access
Optional fields:
  • session_duration – How long access tokens remain valid (default: PT1H)
  • relay_state – URL to redirect users after login
  • aws_managed_policies – AWS-provided policies (by ARN)
  • inline_policies – Custom policies attached to this group
  • customer_managed_policies – ARNs of existing policies in target accounts
Step 3: Apply changes

Save your file and apply:
# Open a terminal in the directory you are working on

# Review planned changes
terragrunt plan

# Save your parameter file to S3 and apply changes
TG_SECRETS=save terragrunt apply

Add inline policies to access groups

Optionally, you can attach an inline policy to an Access Group. An inline policy is an IAM policy document written directly in the Access Group definition (in inputs.hcl) rather than referenced by ARN.
Step 1: Add inline policy definition

locals {
  management_mode  = "internal"

  access_groups = [
    {
      name         = "Developers"
      description  = "Development team access"
      session_duration = "PT8H"
      accounts_names = [
        "workload-development",
        "workload-production"
      ]

      inline_policies = [
        {
          "name": "ListAllMyBuckets",
          "statements": [
            {
              "sid": "ListAllMyBuckets",
              "effect": "Allow",
              "actions": ["s3:ListAllMyBuckets"],
              "resources": ["*"]
            }
          ]
        }
      ]
    }
  ]
}
This access group would allow all the users inside the “Developers” group to list the S3 buckets in the workload-development and workload-production accounts. Note that s3:ListAllMyBuckets is an account-level action, so its resource must be "*".
Step 2: Apply changes

Save your file and apply:
# Open a terminal in the directory you are working on

# Review planned changes
terragrunt plan

# Save your parameter file to S3 and apply changes
TG_SECRETS=save terragrunt apply

Common Access Group Patterns

Full administrative rights to specific accounts:
{
  name                 = "InfrastructureAdmins"
  description          = "Full administrative access to infrastructure"
  session_duration     = "PT2H"
  aws_managed_policies = ["arn:aws:iam::aws:policy/AdministratorAccess"]
  accounts_names       = ["infrastructure"]
}
Developer access with custom inline permissions (here, Secrets Manager access scoped by a resource tag):
{
  name             = "DEV-Developers"
  description      = "Developers Access to DEV accounts."
  relay_state      = "https://console.aws.amazon.com/secretsmanager"
  session_duration = "PT8H"
  
  customer_managed_policies = []
  
  inline_policies = [
    {
      name = "secretsManagerAccess",
      statements = [
        {
          sid = "readwriteSecrets",
          actions = [
            "secretsmanager:GetSecretValue",
            "secretsmanager:DescribeSecret",
            "secretsmanager:PutSecretValue",
            "secretsmanager:UpdateSecret"
          ],
          resources = ["*"],
          conditions = [
            {
              test = "StringEquals",
              variable = "aws:resourceTag/team",
              values = ["developers"]
            }
          ]
        },
        {
          sid = "listSecrets",
          actions = [
            "secretsmanager:ListSecrets"
          ],
          resources = ["*"]
        }
      ]
    },
  ]
  
  aws_managed_policies = []
  
  accounts_names = [
    "workload-development"
  ]
}
Limited, read-only access for audit and compliance teams:
{
  name                 = "Auditors"
  description          = "Read-only access for compliance auditing"
  session_duration     = "PT4H"
  aws_managed_policies = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
  accounts_names       = [
    "workload-production",
    "workload-development",
    "security-tooling"
  ]
}
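To see what the inline policy structure used above (name, statements, sid, actions, resources, conditions with test/variable/values) turns into, and to catch the one pattern worth questioning before terragrunt apply, here is an added Python example that is not part of the workshop or the Fast Foundation module. It renders a page-style inline policy into an IAM policy document and flags Allow statements that grant write actions on "*" with no condition. The rendering, including Allow as the default when effect is omitted and the write-verb prefix list, is an assumption about the module's behaviour, not something the page confirms.

```python
import re

# Constructed sample in the shape this page uses for inline_policies: the
# tag-scoped Secrets Manager example from "Common Access Group Patterns".
SAMPLE_INLINE_POLICY = {
    "name": "secretsManagerAccess",
    "statements": [
        {
            "sid": "readwriteSecrets",
            "actions": ["secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue"],
            "resources": ["*"],
            "conditions": [{"test": "StringEquals",
                            "variable": "aws:resourceTag/team",
                            "values": ["developers"]}],
        },
        {"sid": "listSecrets", "actions": ["secretsmanager:ListSecrets"], "resources": ["*"]},
    ],
}

def render_policy_document(policy):
    """Render a page-style inline policy into an IAM policy document.
    Assumption (not stated on the page): a statement without 'effect' is Allow."""
    statements = []
    for st in policy["statements"]:
        out = {"Sid": st["sid"], "Effect": st.get("effect", "Allow"),
               "Action": list(st["actions"]), "Resource": list(st["resources"])}
        if st.get("conditions"):
            cond = {}
            for c in st["conditions"]:  # group by operator, as IAM JSON expects
                cond.setdefault(c["test"], {})[c["variable"]] = list(c["values"])
            out["Condition"] = cond
        statements.append(out)
    return {"Version": "2012-10-17", "Statement": statements}

# Heuristic: write-style IAM action verbs, or a wildcard action ("*" / "svc:*").
WRITE_VERB = re.compile(r":(Put|Update|Delete|Create|Attach|Modify)|(^|:)\*$")

def find_unscoped_writes(policy):
    """Return the sids of Allow statements that grant write actions on '*'
    with no condition: the pattern to question in review before apply."""
    findings = []
    for st in policy["statements"]:
        if st.get("effect", "Allow") != "Allow":
            continue
        writes = any(WRITE_VERB.search(a) for a in st["actions"])
        unscoped = "*" in st["resources"] and not st.get("conditions")
        if writes and unscoped:
            findings.append(st["sid"])
    return findings
```

The sample passes the check because its write statement is limited by the aws:resourceTag/team condition; remove that condition and readwriteSecrets is flagged.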

Creating a User

Step 1: Add user definition

To create a new user (and assign it to an existing access group), add it to the users list of the inputs.hcl file.
locals {
  management_mode  = "internal"

  access_groups = [
    {
      name         = "Developers"
      description  = "Development team access"
      session_duration = "PT8H"
      accounts_names = [
        "workload-development",
        "workload-production"
      ]
      
      aws_managed_policies = [
        "arn:aws:iam::aws:policy/PowerUserAccess"
      ]
    }
  ]

  users = [
    {
      username     = "john.doe"
      display_name = "John Doe"
      email        = "[email protected]"
      given_name   = "John"
      family_name  = "Doe"
      groups       = ["Developers"] # group(s) the user will be assigned to
    }
  ]
}
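Before running terragrunt plan, it helps to lint the locals for the mistakes the field lists above make possible: a missing required field, an empty accounts_names, a malformed session_duration, or a user assigned to a group that is never defined. This added Python check is not part of the page or the Fast Foundation module; it works on a dict mirror of inputs.hcl with constructed sample data. The field names come from the page; the accepted duration pattern is an assumption about what the module accepts.

```python
import re

# Constructed dict mirror of the inputs.hcl locals shown above (not HCL, so it
# runs offline). The second user references a group that is never defined.
SAMPLE_LOCALS = {
    "access_groups": [
        {"name": "Developers", "description": "Development team access",
         "session_duration": "PT8H",
         "accounts_names": ["workload-development", "workload-production"],
         "aws_managed_policies": ["arn:aws:iam::aws:policy/PowerUserAccess"]},
    ],
    "users": [
        {"username": "john.doe", "display_name": "John Doe", "email": "john.doe@example.com",
         "given_name": "John", "family_name": "Doe", "groups": ["Developers"]},
        {"username": "jane.roe", "display_name": "Jane Roe", "email": "jane.roe@example.com",
         "given_name": "Jane", "family_name": "Roe", "groups": ["Platform"]},
    ],
}

REQUIRED_GROUP = ("name", "description", "accounts_names")
REQUIRED_USER = ("username", "display_name", "email", "given_name", "family_name", "groups")
# Assumed accepted form of session_duration: ISO 8601 hours and/or minutes (PT8H, PT90M, PT1H30M).
DURATION = re.compile(r"^PT(?:\d+H)?(?:\d+M)?$")

def check_locals(cfg):
    """Return a list of problems found in the locals; an empty list means it is consistent."""
    problems = []
    group_names = set()
    for g in cfg.get("access_groups", []):
        label = g.get("name", "?")
        for field in REQUIRED_GROUP:
            if not g.get(field):  # missing or empty (an empty accounts_names grants nothing)
                problems.append(f"group {label}: missing {field}")
        if label in group_names:
            problems.append(f"group {label}: duplicate name")
        group_names.add(label)
        duration = g.get("session_duration", "PT1H")  # the page's documented default
        if duration == "PT" or not DURATION.match(duration):
            problems.append(f"group {label}: bad session_duration {duration!r}")
    for u in cfg.get("users", []):
        label = u.get("username", "?")
        for field in REQUIRED_USER:
            if not u.get(field):
                problems.append(f"user {label}: missing {field}")
        for grp in u.get("groups", []):
            if grp not in group_names:
                problems.append(f"user {label}: unknown group {grp!r}")
    return problems
```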
Step 2: Apply changes

Save your file and apply:
# Open a terminal in the directory you are working on

# Review planned changes
terragrunt plan

# Save your parameter file to S3 and apply changes
TG_SECRETS=save terragrunt apply
Step 3: Complete User Setup

After Terraform creates the user, complete setup in AWS IAM Identity Center (formerly AWS SSO):
  1. Log in to the Infrastructure account
  2. Go to AWS Identity Center → Users
  3. Select the new user
  4. Click Send email verification link
  5. Click Reset password
The user will then receive emails to verify their account, set a password, and configure MFA (Multi-Factor Authentication).

Assign Groups to AWS applications

To grant access to a customer-managed application in AWS IAM Identity Center, you can assign groups to the application. All users who are members of that group will automatically inherit access to the application, simplifying access management and ensuring consistent permission handling. In the Infrastructure AWS account:
  1. Go to AWS Identity Center → Applications → Customer managed
  2. Find and open the application
  3. Click Assign users and groups
  4. Switch to the Groups tab
  5. Select the access groups that need access
  6. Click Assign
Some applications require extra configuration steps before users can interact with them. For example, the Cloud Connexa VPN application requires extra configuration steps of its own.