{"id":31078100,"url":"https://github.com/aws-css-portfolio/iam","last_synced_at":"2025-09-16T08:03:29.049Z",
"repository":{"id":314715608,"uuid":"1056513223","full_name":"AWS-CSS-Portfolio/iam","owner":"AWS-CSS-Portfolio","description":"Secure cross-account access with IAM Roles + Service Control Policies (SCPs).  Demonstrates Dev→Security account role assumption using External ID, enforced guardrails and proof of allowed/blocked actions. ","archived":false,"fork":false,"pushed_at":"2025-09-14T09:39:27.000Z","size":1830,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-09-14T10:26:49.786Z","etag":null,"topics":["aws","aws-certification","aws-css","aws-organizations","aws-security-specialist","cloud","cross-account","devsecops","iam","identity-and-access-management","lab","scp","security"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/AWS-CSS-Portfolio.png",
"metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},
"created_at":"2025-09-14T08:53:30.000Z","updated_at":"2025-09-14T09:39:30.000Z","dependencies_parsed_at":"2025-09-14T10:26:51.275Z","dependency_job_id":"838c3733-de5f-467c-9365-9e39d8a1100b","html_url":"https://github.com/AWS-CSS-Portfolio/iam","commit_stats":null,"previous_names":["aws-css-portfolio/iam"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/AWS-CSS-Portfolio/iam","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AWS-CSS-Portfolio%2Fiam","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AWS-CSS-Portfolio%2Fiam/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AWS-CSS-Portfolio%2Fiam/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AWS-CSS-Portfolio%2Fiam/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/AWS-CSS-Portfolio","download_url":"https://codeload.github.com/AWS-CSS-Portfolio/iam/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AWS-CSS-Portfolio%2Fiam/sbom","scorecard":null,
"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":275384116,"owners_count":25454910,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-16T02:00:10.229Z","response_time":65,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},
"keywords":["aws","aws-certification","aws-css","aws-organizations","aws-security-specialist","cloud","cross-account","devsecops","iam","identity-and-access-management","lab","scp","security"],"created_at":"2025-09-16T08:03:16.523Z","updated_at":"2025-09-16T08:03:29.034Z","avatar_url":"https://github.com/AWS-CSS-Portfolio.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],
"readme":"# AWS CSS – Domain 4 – Cross-Account Access with IAM Roles \u0026 SCPs  \n\nBuilt and secured cross-account access in AWS using **IAM Roles** and **Service Control Policies (SCPs)** to demonstrate a **controlled IAM model**.  \n\n**Why it matters:** Multi-account AWS environments are common in enterprises. Enabling secure cross-account access is critical for productivity, but it must be balanced with **guardrails** to prevent misuse. This lab shows how to implement **least privilege + org-wide enforcement**.  \n\n---\n\n## Table of Contents\n\n- [Overview](#overview)  \n- [Objectives](#objectives)  \n- [Diagram](#diagram)  \n- [Steps Performed](#steps-performed)  \n  - [1. AWS Accounts \u0026 OUs Setup](#1-aws-accounts--ous-setup)  \n  - [2. Security Account Role Creation](#2-security-account-role-creation)  \n  - [3. Dev Account Policy \u0026 User Setup](#3-dev-account-policy--user-setup)  \n  - [4. Service Control Policies (SCPs)](#4-service-control-policies-scps)  \n  - [5. Testing \u0026 Proof](#5-testing--proof)  \n  - [6. Cleanup](#6-cleanup)  \n- [Screenshots](#screenshots)  \n- [Lessons Learned](#lessons-learned)  \n- [References](#references)  \n- [Contact](#contact)  \n\n---\n\n## Overview\n\nThis lab implements **secure cross-account access**:  \n\n- Developers in the **Dev Account** assume a role in the **Security Account**.  \n- Access is restricted to **read-only** actions with **IAM Role policies**.  \n- **Service Control Policies (SCPs)** enforce org-wide guardrails to block destructive actions.  \n- Both **allowed** and **denied** actions were tested and verified.  \n\n---\n\n## Objectives\n\n- Configure IAM role trust between **Dev → Security accounts**.  \n- Enforce use of an **External ID** to prevent the confused deputy problem.  \n- Attach the **ReadOnlyAccess** policy to the cross-account role.  \n- Apply **SCPs** at the org level to deny destructive actions.  \n- Prove enforcement with **AWS CLI tests** (allowed vs. blocked).  \n\n---\n\n## Diagram\n\n![Domain 4 Architecture](diagram2.png)  \n\n---\n\n## Steps Performed\n\n### 1. AWS Accounts \u0026 OUs Setup\n   - Created **Dev** and **Security** accounts under OUs *(Screenshot: `accounts-in-correct-ous.png`)*  \n   - Verified account separation inside AWS Organizations.  \n\n### 2. Security Account Role Creation\n   - Created IAM role `SecurityCrossAccountRole` *(Screenshots: `security-account-dashboard.png`, `role-trust-setup.png` \u0026 `role-created.png`)*  \n   - Trusted the Dev Account (`540751377690`) with an **External ID** *(Screenshot: `trust-json.png`)*  \n   - Attached the **ReadOnlyAccess** policy.  \n\n### 3. Dev Account Policy \u0026 User Setup\n   - Created a custom IAM policy to allow `sts:AssumeRole` *(Screenshot: `dev-policy-created.png`)*  \n   - Attached the policy to `dev-user` *(Screenshot: `dev-user-with-policy.png`)*  \n   - Verified the `dev-user` setup in the Dev Account *(Screenshot: `dev-dashboard.png`)*  \n\n### 4. Service Control Policies (SCPs)\n   - Enabled SCPs in AWS Organizations *(Screenshot: `scp-enabled.png`)*  \n   - Created the **DenyDangerousActions** SCP *(Screenshot: `scp-json.png`)*  \n   - Attached the SCP to the **Security OU** *(Screenshot: `scp-attached.png`)*  \n\n### 5. Testing \u0026 Proof\n   - Assumed the role from Dev → Security via the CLI *(Screenshot: `role-assumption-success-cli.png`)*  \n   - Verified **allowed action**: `aws s3 ls` lists the Security Account bucket *(Screenshot: `allowed-action.png`)*  \n   - Verified **blocked action**: bucket deletion denied by the SCP *(Screenshot: `blocked-action.png`)*  \n\n### 6. Cleanup\n   - Removed the S3 test bucket.  \n   - Detached and deleted the SCP.  \n   - Deleted the IAM role in the Security Account.  \n   - Deleted the IAM policy and user in the Dev Account.  \n   - Left the empty accounts in the AWS Organization (or optionally close them if root access is set).  \n\n---\n\n## Screenshots\n\n*All screenshots are included in the `screenshots/` folder.*  \n\n| Step | Filename                        | Description                                        |\n| ---- | ------------------------------- | -------------------------------------------------- |\n| 1    | accounts-in-correct-ous.png     | Dev \u0026 Security accounts placed in correct OUs      |\n| 2    | security-account-dashboard.png  | Security Account console dashboard                 |\n| 2    | role-trust-setup.png            | Role trust setup screen (Dev ID + External ID)     |\n| 2    | role-created.png                | IAM role created in Security Account               |\n| 2    | trust-json.png                  | Trust relationship JSON with Dev + External ID     |\n| 3    | dev-dashboard.png               | Dev Account console dashboard                      |\n| 3    | dev-policy-created.png          | Custom AssumeRole policy JSON in Dev Account       |\n| 3    | dev-user-with-policy.png        | Dev user with attached AssumeRole policy           |\n| 4    | scp-enabled.png                 | SCPs enabled in AWS Organizations                  |\n| 4    | scp-json.png                    | SCP JSON denying DeleteUser + DeleteBucket         |\n| 4    | scp-attached.png                | SCP attached to Security OU                        |\n| 5    | role-assumption-success-cli.png | CLI session assuming SecurityCrossAccountRole      |\n| 5    | allowed-action.png              | Allowed action: S3 bucket listed successfully      |\n| 5    | blocked-action.png              | Blocked action: S3 bucket deletion denied          |\n\n---\n\n## Lessons Learned\n\n- **Cross-account IAM roles** are powerful but must use **External IDs** for security.  \n- **SCPs provide guardrails** that even admins in the target account can’t bypass.  \n- Testing **both allowed and denied actions** is essential to prove policies work.  \n- In multi-account setups, **least privilege + org-level controls** = stronger security posture.  \n\n---\n\n## References\n\n- [IAM Roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html)  \n- [STS AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html)  \n- [Service Control Policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html)  \n- [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html)  \n\n---\n\n## Contact\n\nSebastian Silva C. – September 2025 – Berlin, Germany.  \n- [LinkedIn](https://www.linkedin.com/in/sebastiansilc/)  \n- [GitHub](https://github.com/AWS-CSS-Portfolio)  \n- [sebastian@playbookvisualarts.com](mailto:sebastian@playbookvisualarts.com)  \n",
"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faws-css-portfolio%2Fiam","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faws-css-portfolio%2Fiam","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faws-css-portfolio%2Fiam/lists"}