Access roles provide varying levels of permissions to AWS accounts, enabling Quiverstone to access and manage your AWS infrastructure. This reference provides comprehensive details about all access role templates, deployment methods, security considerations, and troubleshooting guidance.
Overview
Quiverstone access roles use AWS IAM roles with trust policies that allow Quiverstone to assume them. These roles can be configured with different permission levels ranging from read-only to full administrative access. The role catalog provides six CloudFormation templates covering three access methods and two deployment types.
Access Role Types
Browser Access Roles: Enable browser-based console access through role switching from an AWS account you’re logged into. These roles do not support External ID authentication.
Direct Access Roles: Allow Quiverstone to directly assume roles in your accounts using federated access. These roles support External ID for enhanced security.
Chained Access Roles: Route role assumptions through an intermediate account you control, providing an additional security layer. These roles require both an intermediate role and destination role.
Key Features
- Flexible Permissions: Choose from eight AWS managed policies (ReadOnly, Administrator, PowerUser, ViewOnly, SecurityAudit, SystemAdministrator, SupportUser, Billing)
- Multiple Deployment Methods: Deploy to individual accounts or across organizations using StackSets
- Security Controls: Support for External ID, specific principal trust, and role chaining
- Organization Inventory: All access roles include AWS Organizations read permissions for account discovery
Access Role Templates
Browser Access Role
Template: browser-access-role.yaml
Purpose: Provides browser-based role switching from a trusted AWS account you’re currently logged into.
Deploy To: Individual account home region (e.g., us-east-1)
Launch Template:
Parameters:
-
pRoleName (String, Default:
QuiverstoneBrowserSession)
- Name for the browser-accessible role
- Must be unique within the account
- Security Best Practice: Change the default role name to a custom value unique to your organization
-
pTrustedAccountId (String, Required)
- AWS Account ID you have access to that can assume this role via browser session
- Must be a 12-digit account number
- Important: Do NOT use any Quiverstone account IDs
-
Permission Flags (yes/no for each):
- pIsReadOnlyAccess (Default: yes): View resources across all AWS services
- pIsAdministratorAccess (Default: no): Full access to all AWS services and resources
- pIsPowerUserAccess (Default: no): Full access except IAM user/group management
- pIsViewOnlyAccess (Default: no): View resources and basic metadata
- pIsSecurityAudit (Default: no): View configuration data and logs
- pIsSystemAdministrator (Default: no): Full access for application operations
- pIsSupportUser (Default: no): Troubleshoot issues and manage AWS support cases
- pIsBillingAccess (Default: no): View and manage billing and cost information
Outputs:
- oRoleArn: ARN of the created browser access role
- oRoleName: Name of the created role
- oTrustedAccountId: Account ID that can assume this role
Security Considerations:
- Does NOT support External ID authentication
- Trusts all principals in the specified trusted account
- Best for scenarios where you control both accounts
- Consider using direct or chained access for production environments requiring External ID
Direct Access Role
Template: direct-access-role.yaml
Purpose: Provides direct federated access from Quiverstone to your AWS accounts.
Deploy To: Individual account home region (e.g., us-east-1)
Launch Template:
Parameters:
-
pRoleName (String, Default:
QuiverstoneDirectAccess)
- Name for the federated access role
- Must be unique within the account
- Security Best Practice: Change the default role name to a custom value unique to your organization
-
pQuiverstoneProductionAccountId (String, Default:
684035162433)
- Quiverstone production account ID
- DO NOT MODIFY this value
-
pExternalId (String, Required for Production, Max: 1224 characters)
- Security token for role assumption
- Required for production environments - prevents confused deputy attacks
- Generate a unique random string (minimum 32 characters)
- Store securely - required when configuring Quiverstone
- Never share or commit External IDs to version control
- Security token for role assumption
- Strongly recommended for production environments
- Generate a unique random string (minimum 32 characters)
- Store securely - required when configuring Quiverstone
-
Permission Flags (yes/no for each):
- Same permission options as browser access role (see above)
Outputs:
- oRoleArn: ARN of the created direct access role
- oRoleExternalId: External ID for role assumption (if configured)
- oRoleName: Name of the created role
Security Considerations:
- Supports External ID for enhanced security (strongly recommended)
- Trusts only the Quiverstone production account
- Recommended for most production deployments
- External ID prevents confused deputy attacks
Chained Access Role
Template: chained-access-role.yaml
Purpose: Provides access through role chaining via an intermediate account you control.
Deploy To: Target account home region (e.g., us-east-1)
Prerequisites: Intermediate role must be deployed first (see Intermediate Roles Reference)
Launch Template:
Parameters:
-
pChainedAccessRoleName (String, Default:
QuiverstoneChainedAccess, Required)
- Name for the destination account access role
- Must be unique within the account
- Security Best Practice: Change the default role name to a custom value unique to your organization
-
pExternalId (String, Required for Production, Max: 1224 characters)
- External ID for role assumption
- Can be different from intermediate role External ID
- Required for production - use a different value than the intermediate role External ID
- Generate a unique random string (minimum 32 characters)
- Never share or commit External IDs to version control
-
pIntermediateAccountId (String, Required)
- AWS Account ID that serves as the intermediate hop
- Must be a 12-digit account number
- This is an account you own and have access to
-
pTrustPrincipals (String, Default:
All)
- Controls which principals in intermediate account can assume this role
- Options:
All: Trust all principals in the intermediate accountNamed: Trust only the specific role named in pIntermediateRoleName
- Recommended: Use
Named for enhanced security
-
pIntermediateRoleName (String, Default:
QuiverstoneTrustedIntermediate)
- Name of the role in the intermediate account
- Required if pTrustPrincipals is set to
Named
- Populate for reference even if trusting entire account
- Update this if you changed the intermediate role name
-
pIntermediateRoleExternalId (String, Optional, Max: 1224 characters)
- External ID for intermediate role assumption
- Reference only - used when configuring Quiverstone
- Should match the External ID configured on the intermediate role
-
Permission Flags (yes/no for each):
- Same permission options as browser access role (see above)
Outputs:
- oTargetRoleArn: ARN of the destination account access role
- oTargetRoleExternalId: External ID for target role assumption (if configured)
- oIntermediateRoleArn: ARN of the intermediate role (if name provided)
- oIntermediateRoleArnExcluded: Notice if intermediate role name not provided
- oIntermediateRoleExternalId: External ID for intermediate role (if configured)
- oTrustAllPrincipals: Notice if trusting all principals in intermediate account
Security Considerations:
- Requires intermediate role to be deployed first
- Provides additional security layer through role chaining
- Use
Named trust for maximum security
- Both intermediate and destination roles can have separate External IDs
- Best for highly regulated environments or multi-organization scenarios
Browser Access Role StackSet
Template: browser-access-role-stackset.yaml
Purpose: Deploys browser-accessible roles across all organization accounts using CloudFormation StackSets.
Deploy To: Management or Delegated CloudFormation StackSet Account home region (e.g., us-east-1)
Launch Template:
Additional StackSet Parameters:
-
pDeploymentOUs (CommaDelimitedList, Required)
- Organization Unit IDs to deploy to (comma-separated)
- Use root OU ID to deploy to all accounts
- Example:
ou-xxxx-yyyyyyyy,ou-xxxx-zzzzzzzz
-
pDeploymentRegion (String, Default:
us-east-1)
- AWS Region to deploy the roles
- Allowed values: us-east-1, us-east-2, us-west-1, us-west-2, eu-west-1, eu-central-1, ap-southeast-1, ap-southeast-2, ap-northeast-1
-
All parameters from browser-access-role.yaml (see above)
StackSet Configuration:
- Permission Model: SERVICE_MANAGED (uses AWS Organizations integration)
- Auto Deployment: Enabled (automatically deploys to new accounts)
- Retain Stacks on Account Removal: Disabled (cleans up when accounts leave OUs)
- Concurrent Deployment: 100% (deploys to all accounts simultaneously)
- Failure Tolerance: 100% (continues deployment even if some accounts fail)
Outputs:
- oDeploymentOUs: List of OUs where roles are deployed
- oDeploymentRegion: Region where roles are deployed
Direct Access Role StackSet
Template: direct-access-role-stackset.yaml
Purpose: Deploys direct access roles across all organization accounts using CloudFormation StackSets.
Deploy To: Management or Delegated CloudFormation StackSet Account home region (e.g., us-east-1)
Launch Template:
Additional StackSet Parameters:
-
pDeploymentOUs (CommaDelimitedList, Required)
- Organization Unit IDs to deploy to (comma-separated)
- Use root OU ID to deploy to all accounts
-
pDeploymentRegion (String, Default:
us-east-1)
- AWS Region to deploy the roles
- Same allowed values as browser access StackSet
-
All parameters from direct-access-role.yaml (see above)
StackSet Configuration: Same as browser access StackSet
Outputs:
- oDeploymentOUs: List of OUs where roles are deployed
- oDeploymentRegion: Region where roles are deployed
Chained Access Role StackSet
Template: chained-access-role-stackset.yaml
Purpose: Deploys chained access roles across all organization accounts using CloudFormation StackSets.
Deploy To: Management Account home region (e.g., us-east-1)
Prerequisites: Intermediate role must be deployed first
Launch Template:
Additional StackSet Parameters:
-
pDeploymentOUs (CommaDelimitedList, Required)
- Organization Unit IDs to deploy to (comma-separated)
- Use root OU ID to deploy to all accounts
-
pDeploymentRegion (String, Default:
us-east-1)
- AWS Region to deploy the roles
- Same allowed values as other StackSets
-
All parameters from chained-access-role.yaml (see above)
StackSet Configuration: Same as other StackSets
Outputs:
- oDeploymentOUs: List of OUs where roles are deployed
- oDeploymentRegion: Region where roles are deployed
Access Method Comparison
Browser-Based Access
How It Works: Uses AWS console role switching from an AWS account you’re currently logged into. When you’re logged into your trusted account, you can switch roles to access other accounts through the browser.
Use Cases:
- Interactive console operations requiring browser-based workflows
- Development and testing environments
- Scenarios where you’re already logged into an AWS account
- Quick access for troubleshooting and investigation
- Teams that prefer console-based workflows
Advantages:
- Simple setup with minimal configuration
- Familiar AWS console experience
- No additional authentication beyond your existing AWS login
- Easy role switching in the browser
- Good for ad-hoc access patterns
Limitations:
- Does NOT support External ID authentication
- Requires you to be logged into a trusted AWS account first
- Less suitable for automated or programmatic access
- Trusts all principals in the trusted account (broader trust scope)
- Not recommended for production environments requiring strict security controls
Security Considerations:
- Trust policy allows any principal in the trusted account to assume the role
- No External ID protection against confused deputy attacks
- Ensure the trusted account has appropriate access controls
- Consider using direct or chained access for production workloads
- Best suited for environments where you control both accounts
When to Choose Browser Access:
- You need interactive console access
- You’re already logged into an AWS account
- You’re working in development/test environments
- External ID is not a security requirement
- You control both the trusted and target accounts
Direct Access
How It Works: Quiverstone directly assumes IAM roles in your accounts using federated access with STS AssumeRole. The trust policy allows the Quiverstone production account to assume the role.
Use Cases:
- Standard production deployments
- Automated account access and management
- Organizations with straightforward security requirements
- Single AWS organization scenarios
- Most common deployment method for Quiverstone
Advantages:
- Simple architecture with direct trust relationship
- Supports External ID for enhanced security
- Suitable for both interactive and programmatic access
- Lower latency than chained access (one hop instead of two)
- Easier to troubleshoot than chained access
- Recommended for most production deployments
Limitations:
- Direct trust to Quiverstone production account
- No intermediate security layer
- May not meet requirements for highly regulated environments
- Cannot route through your own security controls
Security Considerations:
- External ID strongly recommended to prevent confused deputy attacks
- Trust policy specifically allows only Quiverstone production account
- External ID acts as a shared secret between you and Quiverstone
- Generate unique External IDs for each account or role
- Store External IDs securely (password manager, secrets manager)
- Rotate External IDs periodically according to your security policies
When to Choose Direct Access:
- You need standard production access
- External ID security is sufficient for your requirements
- You want the simplest production-ready deployment
- You don’t require an intermediate security layer
- You’re deploying in a single AWS organization
Chained Access
How It Works: Role assumptions are routed through an intermediate account you control. Quiverstone first assumes a role in your intermediate account, then uses that role to assume the destination role in the target account. This creates a two-hop chain: Quiverstone → Intermediate Account → Target Account.
Use Cases:
- Highly regulated environments requiring additional security controls
- Organizations with strict security policies
- Multi-organization deployments
- Scenarios requiring centralized access control
- Environments where direct trust to external accounts is prohibited
- Organizations wanting to audit all role assumptions through a central point
Advantages:
- Additional security layer through your controlled intermediate account
- Centralized access control and auditing
- Can implement custom security controls in intermediate account
- Supports separate External IDs for each hop
- Allows you to revoke Quiverstone access by modifying only the intermediate role
- Meets requirements for environments prohibiting direct external trust
- Can use specific role trust instead of account-level trust
Limitations:
- More complex setup requiring two role deployments
- Higher latency due to two-hop role assumption
- More components to manage and troubleshoot
- Requires maintaining intermediate role in addition to destination roles
- Slightly higher AWS API call costs (two AssumeRole calls per access)
Security Considerations:
- Intermediate role should use External ID for Quiverstone trust
- Destination roles can use External ID for intermediate account trust
- Use
Named trust (specific role) instead of All (account-level) for maximum security
- Intermediate account becomes a critical security component - protect it accordingly
- Monitor intermediate role usage through CloudTrail
- Consider implementing additional controls in intermediate account (IP restrictions, time-based access, etc.)
- Both roles can have separate External IDs for defense in depth
When to Choose Chained Access:
- Your security policies require an intermediate security layer
- You need centralized access control and auditing
- You’re in a highly regulated environment
- You want to implement custom security controls
- You’re managing multiple AWS organizations
- Direct trust to external accounts is prohibited by policy
- You want the ability to quickly revoke access by modifying only one role
Access Method Decision Matrix
| Criteria | Browser Access | Direct Access | Chained Access |
|---|
| Setup Complexity | Simple | Simple | Complex |
| External ID Support | No | Yes | Yes (both hops) |
| Production Ready | No | Yes | Yes |
| Security Level | Basic | Standard | Enhanced |
| Latency | N/A (browser) | Low | Medium |
| Audit Centralization | No | No | Yes |
| Intermediate Control | No | No | Yes |
| Best For | Dev/Test | Most Production | Highly Regulated |
| Troubleshooting | Easy | Easy | Moderate |
| Maintenance | Low | Low | Medium |
Deployment Type Comparison
Individual Account Deployment
How It Works: Deploy CloudFormation templates directly to individual AWS accounts one at a time. Each deployment creates a stack in a single account.
Use Cases:
- Small number of accounts (1-10)
- Accounts not in an AWS Organization
- Different configurations needed per account
- Testing and validation before organization-wide deployment
- Accounts requiring unique permission sets
- Standalone accounts or accounts in different organizations
Deployment Process:
- Log into the target AWS account
- Launch the CloudFormation template
- Configure parameters specific to that account
- Create the stack
- Copy outputs for Quiverstone configuration
- Repeat for each account
Advantages:
- Simple and straightforward process
- Full control over each deployment
- Easy to customize per account
- No AWS Organizations requirement
- Can deploy to accounts in different organizations
- Immediate feedback on deployment success/failure
- Easy to test and validate before wider deployment
Limitations:
- Manual process for each account
- Time-consuming for large numbers of accounts
- Potential for configuration drift between accounts
- No automatic deployment to new accounts
- Requires access to each individual account
- More operational overhead to maintain
When to Choose Individual Deployment:
- You have fewer than 10 accounts
- Accounts are not in an AWS Organization
- Each account needs different configurations
- You’re testing before organization-wide deployment
- You need maximum control over each deployment
- Accounts are in different organizations
StackSet Deployment
How It Works: Deploy CloudFormation StackSets from your management account (or delegated administrator account) to automatically deploy roles across multiple accounts in your AWS Organization. StackSets use AWS Organizations integration to deploy to specified Organizational Units (OUs).
Use Cases:
- Large number of accounts (10+)
- Organization-wide standardized deployments
- Automatic deployment to new accounts
- Consistent configuration across all accounts
- Centralized management and updates
- Organizations with mature AWS Organizations structure
Deployment Process:
- Log into management account (or delegated admin account)
- Launch the StackSet template
- Specify target OUs (or root OU for all accounts)
- Configure parameters (applied to all accounts)
- StackSet automatically deploys to all accounts in specified OUs
- New accounts added to OUs automatically receive the role
Advantages:
- Deploy to hundreds of accounts simultaneously
- Automatic deployment to new accounts (auto-deployment enabled)
- Consistent configuration across all accounts
- Centralized management from management account
- Easy updates across all accounts
- Automatic cleanup when accounts leave OUs
- Parallel deployment for faster completion
- Single point of configuration
Limitations:
- Requires AWS Organizations
- Must be deployed from management or delegated admin account
- Same configuration applied to all accounts in target OUs
- More complex troubleshooting (failures in individual accounts)
- Requires SERVICE_MANAGED permission model
- Cannot customize per-account without multiple StackSets
- Initial setup more complex than individual deployment
StackSet Configuration Details:
- Permission Model: SERVICE_MANAGED (uses AWS Organizations integration)
- Auto Deployment: Enabled by default
- Automatically deploys to new accounts added to target OUs
- Automatically removes stacks when accounts leave OUs
- Concurrent Deployment: 100% (deploys to all accounts simultaneously)
- Failure Tolerance: 100% (continues even if some accounts fail)
- Region Concurrency: PARALLEL (deploys to all regions simultaneously if multi-region)
When to Choose StackSet Deployment:
- You have 10 or more accounts
- Accounts are in an AWS Organization
- You want consistent configuration across accounts
- You need automatic deployment to new accounts
- You want centralized management and updates
- You have a well-organized OU structure
- You want to minimize operational overhead
Deployment Type Decision Matrix
| Criteria | Individual Account | StackSet |
|---|
| Account Count | 1-10 | 10+ |
| AWS Organizations Required | No | Yes |
| Deployment Speed | Slow (manual) | Fast (parallel) |
| Configuration Flexibility | High (per account) | Low (per StackSet) |
| Auto-Deploy to New Accounts | No | Yes |
| Maintenance Overhead | High | Low |
| Troubleshooting | Easy | Moderate |
| Consistency | Manual | Automatic |
| Best For | Small deployments, testing | Large organizations |
| Update Process | Manual per account | Centralized update |
Hybrid Approach
Many organizations use a combination of both deployment types:
Common Hybrid Patterns:
-
StackSet for Standard Accounts + Individual for Special Cases
- Use StackSet for most accounts with standard configuration
- Use individual deployment for accounts needing custom permissions or configurations
-
Individual for Testing + StackSet for Production
- Test and validate with individual deployments in dev/test accounts
- Roll out to production using StackSets once validated
-
Multiple StackSets for Different OUs
- Deploy different StackSets to different OUs with varying configurations
- Example: Read-only for development OU, Administrator for production OU
-
StackSet for Organization + Individual for External Accounts
- Use StackSet for accounts in your organization
- Use individual deployment for accounts in partner organizations or standalone accounts
Configuration Guidance
Permission Levels
All access role templates support eight AWS managed policies that can be enabled individually or in combination. Each permission level is controlled by a yes/no parameter.
ReadOnlyAccess (pIsReadOnlyAccess)
AWS Managed Policy: arn:aws:iam::aws:policy/ReadOnlyAccess
Description: Grants permissions to view resources and basic metadata across all AWS services.
Use Cases:
- Account discovery and inventory
- Compliance auditing and reporting
- Cost analysis and optimization
- Security posture assessment
- Resource monitoring and alerting
- Read-only access for support teams
What It Allows:
- List and describe operations for all AWS services
- Read configuration data
- View logs and metrics
- Access billing and cost information (read-only)
What It Does NOT Allow:
- Creating, modifying, or deleting resources
- Changing configurations
- Managing IAM users or policies
- Performing any write operations
Recommendation: Enable by default for most deployments. This is the minimum permission level needed for Quiverstone account discovery.
AdministratorAccess (pIsAdministratorAccess)
AWS Managed Policy: arn:aws:iam::aws:policy/AdministratorAccess
Description: Provides full access to AWS services and resources.
Use Cases:
- Full account management
- Infrastructure deployment and management
- Emergency access for incident response
- Complete administrative control
What It Allows:
- All actions on all AWS services
- Full IAM management
- Billing and cost management
- Account settings modification
What It Does NOT Allow:
- Nothing - this is full administrative access
Security Warning: Use with extreme caution. This permission level grants complete control over the AWS account. Consider using more restrictive permissions when possible.
Recommendation: Only enable when full administrative access is required. Consider using PowerUserAccess or SystemAdministrator for most operational needs.
PowerUserAccess (pIsPowerUserAccess)
AWS Managed Policy: arn:aws:iam::aws:policy/PowerUserAccess
Description: Provides full access to AWS services and resources, but does not allow management of users and groups.
Use Cases:
- Application deployment and management
- Infrastructure operations
- Development and testing
- Most operational tasks
What It Allows:
- Full access to most AWS services
- Create, modify, and delete resources
- Configure services and applications
- Access to billing information
What It Does NOT Allow:
- Creating or managing IAM users
- Creating or managing IAM groups
- Modifying IAM policies
- Managing organization-level settings
Recommendation: Good balance between operational capability and security. Suitable for most production operational needs.
ViewOnlyAccess (pIsViewOnlyAccess)
AWS Managed Policy: arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
Description: Grants permissions to view resources and basic metadata across all AWS services.
Use Cases:
- Similar to ReadOnlyAccess but with job function focus
- Viewing resources without modification
- Monitoring and observability
Difference from ReadOnlyAccess: ViewOnlyAccess is a job function policy with slightly different scope than ReadOnlyAccess. Both provide read-only access but may differ in specific service permissions.
Recommendation: Use ReadOnlyAccess unless you specifically need the ViewOnlyAccess job function policy.
SecurityAudit (pIsSecurityAudit)
AWS Managed Policy: arn:aws:iam::aws:policy/SecurityAudit
Description: Grants permissions to view configuration data for many AWS services and to review their logs.
Use Cases:
- Security compliance auditing
- Security posture assessment
- Configuration review
- Log analysis for security events
What It Allows:
- Read access to security-related configurations
- Access to CloudTrail logs
- Access to Config data
- Security group and network ACL inspection
- IAM policy and role inspection
What It Does NOT Allow:
- Modifying security configurations
- Creating or deleting resources
- Changing IAM policies
Recommendation: Enable for security-focused access. Often combined with ReadOnlyAccess for comprehensive visibility.
SystemAdministrator (pIsSystemAdministrator)
AWS Managed Policy: arn:aws:iam::aws:policy/job-function/SystemAdministrator
Description: Grants full access permissions necessary for resources required for application operations.
Use Cases:
- System administration tasks
- Application infrastructure management
- Operational maintenance
- Resource provisioning
What It Allows:
- Full access to most AWS services
- Resource creation and management
- Configuration changes
- Similar to PowerUserAccess with job function focus
What It Does NOT Allow:
- IAM user and group management
- Organization-level changes
Recommendation: Suitable for system administrators who need broad operational access without IAM management.
SupportUser (pIsSupportUser)
AWS Managed Policy: arn:aws:iam::aws:policy/job-function/SupportUser
Description: Grants permissions to troubleshoot and resolve issues in an AWS account. This policy also enables the user to contact AWS support to create and manage cases.
Use Cases:
- AWS Support case management
- Troubleshooting assistance
- Support ticket creation and tracking
- Working with AWS Support teams
What It Allows:
- Create and manage AWS Support cases
- Access to Trusted Advisor
- Access to Health Dashboard
- Limited read access for troubleshooting
What It Does NOT Allow:
- Modifying resources
- Full read access to all services
- Administrative operations
Recommendation: Enable when you need to manage AWS Support cases through Quiverstone.
Billing (pIsBillingAccess)
AWS Managed Policy: arn:aws:iam::aws:policy/job-function/Billing
Description: Grants permissions for billing and cost management. This includes viewing account usage and viewing and downloading AWS bills.
Use Cases:
- Cost analysis and reporting
- Billing management
- Budget monitoring
- Cost optimization
What It Allows:
- View and download bills
- Access to Cost Explorer
- Budget creation and management
- Cost and usage reports
- Payment method management
What It Does NOT Allow:
- Resource management
- Service configuration
- Non-billing operations
Recommendation: Enable for financial management and cost optimization use cases.
Combining Permission Levels
Multiple permission levels can be enabled simultaneously. The role will have the union of all enabled permissions.
Common Combinations:
- ReadOnlyAccess + SecurityAudit: Comprehensive read access with enhanced security visibility
- ReadOnlyAccess + Billing: Full visibility including cost information
- PowerUserAccess + Billing: Operational access with cost management
- AdministratorAccess only: Full administrative control (use sparingly)
Best Practice: Start with minimal permissions (ReadOnlyAccess) and add additional permissions only as needed.
External ID Configuration
External ID is a security feature that helps prevent the “confused deputy” problem in cross-account access.
What is External ID?
External ID is a shared secret between you and Quiverstone that must be provided when assuming the role. It acts as an additional authentication factor beyond the AWS account trust.
Why Use External ID?
Confused Deputy Problem: Without External ID, if an attacker knows your role ARN, they could potentially trick Quiverstone into accessing your account on their behalf. External ID prevents this by requiring knowledge of the shared secret.
External ID Best Practices
Generation:
- Generate a unique random string for each role or account
- Minimum length: 32 characters
- Use cryptographically secure random generation
- Include letters, numbers, and special characters
- Example tools:
openssl rand -base64 32, password managers, AWS Secrets Manager
Storage:
- Store External IDs securely (password manager, secrets manager, encrypted vault)
- Treat External IDs like passwords
- Do not commit External IDs to version control
- Limit access to External IDs to authorized personnel
Rotation:
- Rotate External IDs periodically according to your security policies
- Coordinate rotation with Quiverstone configuration updates
- Document rotation procedures
- Consider automated rotation for large deployments
Uniqueness:
- Use unique External IDs per account (recommended)
- Or use unique External IDs per role type
- Avoid reusing External IDs across multiple accounts
- Unique IDs limit blast radius if one is compromised
When External ID is Required:
- Direct access roles: Strongly recommended
- Chained access roles: Recommended for both intermediate and destination roles
- Browser access roles: Not supported
Role Naming Best Practices
Naming Conventions
Consistency: Use consistent naming across all accounts
- Good:
QuiverstoneDirectAccess, QuiverstoneChainedAccess, QuiverstoneBrowserSession
- Avoid:
quiverstone-role, QS-Access, access-role-1
Descriptive: Include the access method in the name
QuiverstoneDirectAccess - clearly indicates direct accessQuiverstoneChainedAccess - clearly indicates chained accessQuiverstoneBrowserSession - clearly indicates browser access
Environment Indicators (optional): Include environment in name if using different roles per environment
QuiverstoneDirectAccess-ProdQuiverstoneDirectAccess-DevQuiverstoneDirectAccess-Test
Organization Indicators (optional): Include organization or business unit for multi-org deployments
QuiverstoneDirectAccess-OrgAQuiverstoneDirectAccess-Finance
Role Name Constraints
- Maximum length: 64 characters
- Allowed characters: A-Z, a-z, 0-9, plus (+), equals (=), comma (,), period (.), at (@), underscore (_), hyphen (-)
- Must be unique within the account
- Case sensitive
Default Names
The templates provide sensible defaults:
- Browser access:
QuiverstoneBrowserSession
- Direct access:
QuiverstoneDirectAccess
- Chained access:
QuiverstoneChainedAccess
- Intermediate:
QuiverstoneTrustedIntermediate
Recommendation: Use the defaults unless you have specific naming requirements. Consistent names simplify management and troubleshooting.
StackSet Configuration Options
When deploying via StackSets, additional configuration options are available.
Deployment Targets
Organizational Units (OUs):
- Specify one or more OU IDs (comma-separated)
- Use root OU ID to deploy to all accounts
- StackSet deploys to all accounts in specified OUs
- New accounts added to OUs automatically receive deployment
Finding OU IDs:
- Open AWS Organizations console
- Navigate to AWS accounts
- Select an OU
- Copy the OU ID (format:
ou-xxxx-yyyyyyyy)
Deployment Region
Single Region Deployment: StackSets deploy to a single region (specified in pDeploymentRegion parameter)
- IAM roles are global, so single region deployment is sufficient
- Default: us-east-1
- Choose your organization’s home region
Why Single Region: IAM is a global service. Deploying the role in one region makes it available globally.
Auto-Deployment Settings
Enabled by Default: New accounts added to target OUs automatically receive the role
Retain Stacks on Account Removal: Disabled by default
- When an account leaves a target OU, the stack is automatically deleted
- Ensures clean removal of roles when accounts move
Concurrent Deployment
Max Concurrent Percentage: 100% (default)
- Deploys to all accounts simultaneously
- Fastest deployment time
- Can be reduced if you want more controlled rollout
Failure Tolerance Percentage: 100% (default)
- Continues deployment even if some accounts fail
- Allows successful deployments to complete
- Failed accounts can be retried individually
Region Concurrency
PARALLEL (default): If deploying to multiple regions, deploys to all regions simultaneously
Note: For IAM roles, single region deployment is recommended since IAM is global.
Deployment Scenarios
Small Organizations (1-10 Accounts)
Scenario: Startup or small business with a handful of AWS accounts for different environments or projects.
Recommended Approach: Individual account deployment with direct access
Configuration:
- Template:
direct-access-role.yaml
- Deployment: Individual to each account
- Permissions: ReadOnlyAccess (minimum), add others as needed
- External ID: Unique per account (recommended)
Deployment Steps:
- Generate unique External ID for each account
- Deploy direct-access-role.yaml to each account individually
- Configure ReadOnlyAccess and any additional permissions needed
- Copy role ARN and External ID from each deployment
- Configure each account in Quiverstone
Advantages:
- Simple and straightforward
- Full control over each account
- Easy to customize per account
- No AWS Organizations requirement
Considerations:
- Manual process for each account
- Manageable at this scale
- Consider StackSets if you plan to grow beyond 10 accounts
Medium Organizations (10-50 Accounts)
Scenario: Growing organization with multiple teams, environments, and projects across dozens of accounts.
Recommended Approach: StackSet deployment with direct access
Configuration:
- Template:
direct-access-role-stackset.yaml
- Deployment: StackSet from management account
- Permissions: ReadOnlyAccess + additional permissions per OU
- External ID: Single External ID for all accounts (or unique per OU)
Deployment Steps:
- Organize accounts into OUs by environment or team
- Generate External ID(s)
- Deploy direct-access-role-stackset.yaml from management account
- Target root OU or specific OUs
- Configure permissions appropriate for each OU
- StackSet automatically deploys to all accounts
- Configure organization in Quiverstone with role ARN pattern and External ID
Advantages:
- Automated deployment to all accounts
- Consistent configuration
- Auto-deployment to new accounts
- Centralized management
Considerations:
- Requires AWS Organizations
- Same configuration per StackSet (use multiple StackSets for different configurations)
- Consider different StackSets for different OUs with varying permission needs
Variation - Multiple StackSets:
- Deploy one StackSet to development OU with ReadOnlyAccess
- Deploy another StackSet to production OU with PowerUserAccess
- Allows different permission levels per environment
Large Organizations (50+ Accounts)
Scenario: Enterprise organization with hundreds of accounts across multiple business units, regions, and environments.
Recommended Approach: Multiple StackSets with direct access, organized by OU structure
Configuration:
- Template:
direct-access-role-stackset.yaml (multiple instances)
- Deployment: Multiple StackSets targeting different OUs
- Permissions: Vary by OU and business unit requirements
- External ID: Unique per StackSet or per OU
Deployment Steps:
- Design OU structure aligned with business units and environments
- Define permission requirements per OU
- Generate External IDs per StackSet
- Deploy multiple StackSets:
- Development OU: ReadOnlyAccess
- Staging OU: PowerUserAccess
- Production OU: ReadOnlyAccess + SecurityAudit
- Infrastructure OU: SystemAdministrator
- Configure organization in Quiverstone with role patterns
Advantages:
- Scales to hundreds of accounts
- Granular control per OU
- Automated deployment and updates
- Consistent within each OU
Considerations:
- Requires well-designed OU structure
- Multiple StackSets to manage
- Document which StackSet applies to which OU
- Consider automation for StackSet management
Best Practices:
- Use consistent naming:
QuiverstoneDirectAccess-Dev, QuiverstoneDirectAccess-Prod
- Document StackSet to OU mappings
- Implement change control for StackSet updates
- Monitor StackSet deployment status
- Use CloudFormation drift detection
Highly Regulated Environments
Scenario: Financial services, healthcare, government, or other highly regulated industries with strict security and compliance requirements.
Recommended Approach: Chained access with intermediate account controls
Configuration:
- Templates:
trusted-intermediate-role.yaml + chained-access-role-stackset.yaml
- Deployment: Intermediate role in security account, StackSet for destination roles
- Permissions: Minimal required permissions (ReadOnlyAccess + specific additions)
- External ID: Unique External IDs for both intermediate and destination roles
- Trust: Named role trust (not account-level trust)
Deployment Steps:
- Designate or create a security/audit account as intermediate account
- Deploy trusted-intermediate-role.yaml to intermediate account:
- Use External ID
- Use
specific-role-any-account scope
- Specify destination role name
- Implement additional controls in intermediate account:
- CloudTrail logging
- CloudWatch alarms for role assumptions
- Optional: IP restrictions, time-based access
- Deploy chained-access-role-stackset.yaml to target accounts:
- Use External ID (can be different from intermediate)
- Use
Named trust (specific role, not account)
- Specify intermediate role name
- Configure minimal required permissions
- Configure chained access in Quiverstone
Advantages:
- Additional security layer through intermediate account
- Centralized access control and auditing
- Can implement custom security controls
- Meets requirements for environments prohibiting direct external trust
- Quick revocation by modifying only intermediate role
Security Enhancements:
- Enable CloudTrail in intermediate account with log file validation
- Set up CloudWatch alarms for unusual role assumption patterns
- Implement IP-based restrictions in intermediate role trust policy
- Use time-based access controls if needed
- Regular audit of intermediate role usage
- Separate External IDs for defense in depth
Compliance Considerations:
- Document the role chain for auditors
- Maintain audit logs for all role assumptions
- Implement least privilege permissions
- Regular access reviews
- Automated compliance checks
Multi-Organization Deployment
Scenario: Managing multiple separate AWS Organizations (e.g., acquired companies, partner organizations, separate business entities).
Recommended Approach: Chained access with separate intermediate roles per organization
Configuration:
- Templates: Multiple
trusted-intermediate-role.yaml + chained-access-role-stackset.yaml per org
- Deployment: One intermediate role per organization, StackSets within each organization
- Permissions: Vary by organization requirements
- External ID: Unique per organization
Deployment Steps:
- For each organization:
- Deploy intermediate role to a designated account in that organization
- Deploy chained-access-role-stackset to target accounts in that organization
- Use unique External IDs per organization
- Configure each organization separately in Quiverstone
- Maintain separate role chains per organization
Advantages:
- Isolation between organizations
- Independent security controls per organization
- Flexible permission models per organization
- Clear organizational boundaries
Considerations:
- More complex to manage multiple intermediate roles
- Document which intermediate role serves which organization
- Consider naming conventions to identify organization
- May need separate Quiverstone configurations per organization
Development and Testing Environments
Scenario: Separate AWS accounts for development, testing, and experimentation.
Recommended Approach: Individual deployment with browser access or direct access
Configuration:
- Template:
browser-access-role.yaml or direct-access-role.yaml
- Deployment: Individual to each dev/test account
- Permissions: AdministratorAccess or PowerUserAccess (broader permissions acceptable in dev/test)
- External ID: Optional for dev/test (required for direct access)
Deployment Steps:
- For browser access:
- Deploy browser-access-role.yaml
- Specify your AWS account as trusted account
- Enable broader permissions (PowerUserAccess or AdministratorAccess)
- For direct access:
- Deploy direct-access-role.yaml
- Use External ID
- Enable broader permissions
Advantages:
- Quick setup for development
- Broader permissions acceptable in non-production
- Easy to test and experiment
- Browser access provides familiar console experience
Considerations:
- Use different roles for dev/test vs production
- Don’t use browser access in production
- Consider separate External IDs for dev/test
- Document that these are non-production configurations
Disaster Recovery and Emergency Access
Scenario: Need for emergency access during incidents or disasters.
Recommended Approach: Pre-deployed direct access roles with AdministratorAccess, break-glass procedures
Configuration:
- Template:
direct-access-role.yaml
- Deployment: Individual or StackSet to all critical accounts
- Permissions: AdministratorAccess
- External ID: Highly secure, stored in break-glass procedure
- Role Name:
QuiverstoneEmergencyAccess (distinct from regular access)
Deployment Steps:
- Deploy separate emergency access roles to critical accounts
- Configure with AdministratorAccess
- Use highly secure External ID
- Store External ID in secure break-glass procedure
- Document emergency access procedures
- Do NOT configure in Quiverstone for regular use
Break-Glass Procedure:
- Emergency access roles are pre-deployed but not configured in Quiverstone
- During emergency, retrieve External ID from secure storage
- Configure emergency role in Quiverstone
- Use for emergency operations
- After emergency, remove configuration from Quiverstone
- Audit all actions taken during emergency
- Rotate External ID after use
Advantages:
- Pre-deployed for immediate use
- Full administrative access for emergency response
- Separate from regular access roles
- Clear audit trail
Security Considerations:
- Store External ID in highly secure location (physical safe, secure vault)
- Limit knowledge of External ID to authorized personnel
- Implement strict procedures for emergency use
- Mandatory audit after each use
- Rotate External ID after emergency use
- Consider time-based access controls
Troubleshooting
Common Issues and Solutions
Issue: “Access Denied” when assuming role
Symptoms: Quiverstone cannot assume the role, returns AccessDenied error
Possible Causes and Solutions:
-
Incorrect Trust Policy
- Check: Verify the trust policy allows the correct principal
- Direct Access: Should trust Quiverstone production account (684035162433)
- Chained Access: Should trust intermediate account or specific intermediate role
- Browser Access: Should trust your AWS account
- Solution: Update trust policy in IAM console or redeploy with correct parameters
-
External ID Mismatch
- Check: Verify External ID in Quiverstone matches the role’s trust policy
- Solution: Update External ID in Quiverstone or redeploy role with correct External ID
- Note: External ID is case-sensitive
-
Role Name Mismatch
- Check: Verify role ARN in Quiverstone matches the actual role ARN
- Solution: Copy role ARN from CloudFormation outputs or IAM console
- Note: Role names are case-sensitive
-
Intermediate Role Issues (Chained Access)
- Check: Verify intermediate role exists and is configured correctly
- Check: Verify intermediate role can assume destination role
- Solution: Test intermediate role assumption separately
- Solution: Verify destination role trusts intermediate role
-
Permission Boundary Restrictions
- Check: Verify no permission boundaries are restricting role assumption
- Solution: Review and adjust permission boundaries if present
Symptoms: Stack fails to create, rolls back with error
Possible Causes and Solutions:
-
Role Name Already Exists
- Error: “Role with name X already exists”
- Solution: Choose a different role name or delete existing role
- Check: Look in IAM console for existing roles
-
Insufficient Permissions
- Error: “User is not authorized to perform iam:CreateRole”
- Solution: Ensure you have IAM permissions to create roles
- Required Permissions: iam:CreateRole, iam:PutRolePolicy, iam:AttachRolePolicy
-
Invalid Parameter Values
- Error: “Parameter validation failed”
- Solution: Review parameter values for correct format
- Common Issues: Account IDs must be 12 digits, External ID max 1224 characters
-
StackSet Deployment Failures
- Error: “StackSet operation failed in some accounts”
- Solution: Check StackSet operations tab for per-account failures
- Solution: Review CloudFormation events in failed accounts
- Common Cause: Insufficient permissions in target accounts
Issue: Role exists but Quiverstone cannot discover accounts
Symptoms: Role assumption works but no accounts appear in Quiverstone
Possible Causes and Solutions:
-
Missing Organizations Permissions
- Check: Verify role has Organizations read permissions
- Solution: All access role templates include Organizations permissions by default
- Solution: If using custom role, add Organizations read permissions
-
Role Deployed to Wrong Account
- Check: For inventory, role should be in management account or delegated admin
- Solution: Deploy inventory role to correct account
- Note: Access roles can be in any account
-
Organizations Not Enabled
- Check: Verify AWS Organizations is enabled in the account
- Solution: Enable AWS Organizations if needed
Issue: StackSet not deploying to new accounts
Symptoms: New accounts added to OU don’t receive the role
Possible Causes and Solutions:
-
Auto-Deployment Not Enabled
- Check: Verify StackSet has auto-deployment enabled
- Solution: Update StackSet to enable auto-deployment
- Note: All templates enable auto-deployment by default
-
Account Not in Target OU
- Check: Verify new account is in an OU targeted by the StackSet
- Solution: Move account to target OU or update StackSet targets
-
StackSet Operation In Progress
- Check: Check StackSet operations tab for in-progress operations
- Solution: Wait for current operation to complete
- Note: StackSets process one operation at a time
-
Service-Managed Permissions Issue
- Check: Verify StackSet uses SERVICE_MANAGED permission model
- Solution: Ensure CloudFormation has Organizations integration enabled
- Solution: Check for service control policies blocking StackSet operations
Issue: Cannot update existing role
Symptoms: CloudFormation update fails or changes don’t apply
Possible Causes and Solutions:
-
Role Name Change Not Allowed
- Error: “Cannot update role name”
- Solution: Role name changes require replacement (delete and recreate)
- Workaround: Create new role with new name, update Quiverstone, delete old role
-
Managed Policy Conflicts
- Error: “Cannot attach policy”
- Solution: Check for policy attachment limits (10 managed policies per role)
- Solution: Reduce number of enabled permissions
-
Trust Policy Update Issues
- Check: Verify trust policy changes are valid
- Solution: Review trust policy syntax
- Solution: Ensure principal ARNs are correct
Issue: Chained access not working
Symptoms: Intermediate role works but cannot assume destination role
Possible Causes and Solutions:
-
Deployment Order
- Check: Verify intermediate role was deployed before destination role
- Solution: Deploy intermediate role first, then destination role
-
Trust Configuration Mismatch
- Check: Verify destination role trusts intermediate role
- Check: If using Named trust, verify intermediate role name matches
- Solution: Update destination role trust policy
- Solution: Redeploy with correct intermediate role name
-
External ID Mismatch
- Check: Verify both External IDs are configured correctly in Quiverstone
- Solution: Update Quiverstone configuration with correct External IDs
- Note: Intermediate and destination can have different External IDs
-
Intermediate Role Permissions
- Check: Verify intermediate role has permission to assume destination role
- Solution: Check intermediate role’s assume role scope configuration
- Solution: Ensure scope allows assuming the destination role
Validation Steps
Use these steps to validate your access role deployment:
Step 1: Verify Role Exists
# Using AWS CLI
aws iam get-role --role-name QuiverstoneDirectAccess
# Expected: Role details returned
# If error: Role doesn't exist or you don't have permissions
Step 2: Verify Trust Policy
# Get role trust policy
aws iam get-role --role-name QuiverstoneDirectAccess --query 'Role.AssumeRolePolicyDocument'
# Check:
# - Correct principal (Quiverstone account, intermediate account, or your account)
# - External ID present (if configured)
# - Correct External ID value
Step 3: Verify Attached Policies
# List attached managed policies
aws iam list-attached-role-policies --role-name QuiverstoneDirectAccess
# Expected: See enabled permission policies (ReadOnlyAccess, etc.)
Step 4: Test Role Assumption (Direct Access)
# Attempt to assume role (requires Quiverstone credentials)
aws sts assume-role \
--role-arn arn:aws:iam::ACCOUNT_ID:role/QuiverstoneDirectAccess \
--role-session-name test \
--external-id YOUR_EXTERNAL_ID
# Expected: Temporary credentials returned
# If error: Check trust policy and External ID
Step 5: Verify Organizations Permissions
# Test Organizations access (using assumed role credentials)
aws organizations describe-organization
# Expected: Organization details returned
# If error: Missing Organizations permissions
Step 6: Verify StackSet Deployment
# List StackSet instances
aws cloudformation list-stack-instances \
--stack-set-name quiverstone-direct-access-role
# Expected: List of accounts where role is deployed
# Check: Verify all expected accounts are present
Step 7: Check StackSet Operation Status
# List StackSet operations
aws cloudformation list-stack-set-operations \
--stack-set-name quiverstone-direct-access-role
# Check: Verify latest operation succeeded
# If failed: Check operation details for error messages
Debug Checklist
Use this checklist when troubleshooting access issues:
Basic Checks:
Trust Policy Checks:
Permission Checks:
Chained Access Specific:
StackSet Specific:
Configuration Checks:
Getting Help
If you continue to experience issues after following this troubleshooting guide:
-
Gather Information:
- Role ARN
- Error messages (exact text)
- CloudFormation stack events
- CloudTrail logs for AssumeRole attempts
- StackSet operation details (if applicable)
-
Check CloudTrail:
- Look for AssumeRole events
- Check for AccessDenied errors
- Review error messages for specific causes
-
Review CloudFormation Events:
- Check stack events for deployment errors
- Review StackSet operation details
- Look for per-account failure reasons
-
Contact Support:
- Provide gathered information
- Include role configuration details
- Describe steps already attempted
- Include relevant CloudTrail or CloudFormation logs
Security Best Practices
Custom Role Names
Always Change Default Role Names: Using default role names (like QuiverstoneDirectAccess) makes it easier for unauthorized parties to discover and potentially target your roles. Custom role names add an additional layer of security through obscurity.
- Use organization-specific prefixes:
MyCompany-Access-Production
- Include environment indicators:
CustomAccess-Prod, CustomAccess-Dev
- Avoid predictable patterns
- Document your naming convention securely
- Use consistent naming across all accounts
External ID Requirements
External ID is Required for Production: Never deploy production access roles without an External ID. This is your primary defense against confused deputy attacks and unauthorized role assumptions.
- Generate cryptographically secure random strings (minimum 32 characters)
- Use unique External IDs per role or per account
- Store External IDs in a secure password manager or secrets management system
- Never commit External IDs to version control
- Rotate External IDs periodically (quarterly or annually)
- Use different External IDs for intermediate and destination roles in chained access
Generation Examples:
# Using OpenSSL
openssl rand -base64 32
# Using Python
python3 -c "import secrets; print(secrets.token_urlsafe(32))"
# Using AWS Secrets Manager
aws secretsmanager get-random-password --password-length 32
Protecting Role Configurations from Inspection
Privilege Escalation Risk: If support or operational roles can view IAM role trust policies and permissions, they may be able to identify External IDs, understand trust relationships, and potentially escalate their privileges. Implementing role visibility restrictions is a critical security control.
Example Deny Policy
Apply this policy to roles that should NOT be able to view sensitive role configurations:
JSON Format:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyRoleInspection",
"Effect": "Deny",
"Action": [
"iam:GetRole",
"iam:GetRolePolicy",
"iam:ListRolePolicies",
"iam:ListAttachedRolePolicies"
],
"Resource": [
"arn:aws:iam::*:role/*Access*",
"arn:aws:iam::*:role/*Support*",
"arn:aws:iam::*:role/*Inventory*",
"arn:aws:iam::*:role/*Intermediate*"
]
}
]
}
DenyRoleInspectionPolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: DenyRoleInspection
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: DenyRoleInspection
Effect: Deny
Action:
- iam:GetRole
- iam:GetRolePolicy
- iam:ListRolePolicies
- iam:ListAttachedRolePolicies
Resource:
- arn:aws:iam::*:role/*Access*
- arn:aws:iam::*:role/*Support*
- arn:aws:iam::*:role/*Inventory*
- arn:aws:iam::*:role/*Intermediate*
Roles:
- TieredSupportRole
- OperationsRole
- DeveloperRole
Policy Explanation
- DenyRoleInspection: Prevents viewing role details, trust policies, and attached policies
- Resource Patterns: Adjust the patterns to match your custom role names
*Access*: Matches roles containing “Access”*Support*: Matches roles containing “Support”*Inventory*: Matches roles containing “Inventory”*Intermediate*: Matches roles containing “Intermediate”
- Actions Denied:
iam:GetRole: Prevents viewing role details including trust policy (where External ID is visible)iam:GetRolePolicy: Prevents viewing inline policiesiam:ListRolePolicies: Prevents listing inline policiesiam:ListAttachedRolePolicies: Prevents listing managed policies
Implementation Recommendations
- Apply to Support Roles: Attach this deny policy to all tiered support and operational roles that don’t need to manage IAM
- Customize Resource Patterns: Update the resource ARN patterns to match your custom role names
- Exclude Administrative Roles: Do NOT apply this policy to roles that legitimately need to manage IAM (security admins, IAM admins)
- Test Thoroughly: Verify the policy doesn’t block legitimate operations before deploying to production
- Document Exceptions: Clearly document which roles are exempt from this policy and why
- Use with StackSets: Deploy this policy organization-wide using CloudFormation StackSets
Additional Security Controls
CloudTrail Monitoring:
- Enable CloudTrail in all accounts
- Set up CloudWatch alarms for unusual role assumption patterns
- Monitor for failed AssumeRole attempts
- Alert on role assumption from unexpected IP addresses
Service Control Policies (SCPs):
- Use SCPs to enforce External ID requirements at the organization level
- Restrict role creation to approved patterns
- Prevent modification of critical security roles
Regular Access Reviews:
- Quarterly review of who has access to view IAM roles
- Annual review of all External IDs and role configurations
- Audit role assumption patterns for anomalies
- Review and update role permissions based on least privilege
Least Privilege Permissions:
- Start with ReadOnlyAccess and add permissions as needed
- Avoid AdministratorAccess unless absolutely required
- Use PowerUserAccess or SystemAdministrator for operational needs
- Regularly review and remove unused permissions
Network Controls (for highly sensitive environments):
- Add IP-based conditions to role trust policies
- Restrict role assumptions to known IP ranges
- Use VPC endpoints for API calls
- Implement time-based access controls
Security Checklist
Use this checklist when deploying access roles:
