Introduction

Some Cornell AWS account owners want to give their teams full access to their AWS account, with the exception of AWS Marketplace. The resources described here can help do that.

One situation where these resources are helpful is when a Cornell AWS account has research credits from AWS and the account owner wants to ensure that AWS Marketplace offerings are not purchased, since such products cannot be paid for with AWS credits.

Description

The CloudFormation template at cu-aws-cloudformation/marketplace-iam creates two resources:

  • An IAM policy (deny-marketplace-changes-policy) that explicitly denies changes to AWS Marketplace subscriptions, including purchasing new ones
  • An IAM role (shib-admin_no_market) that attaches the deny-marketplace-changes-policy policy alongside the AWS-managed AdministratorAccess policy, producing a role with broad privileges in AWS that nonetheless cannot make Marketplace changes (an explicit Deny always overrides an Allow in IAM policy evaluation)
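The following CloudFormation template is an added illustration of the two resources described above; it is not the cu-aws-cloudformation/marketplace-iam template itself. The specific aws-marketplace actions denied, the SAML provider parameter and the trust policy are assumptions made here, not details taken from the page.

```yaml
# Added example (not the Cornell template): an admin role that cannot change
# AWS Marketplace subscriptions. Action list and trust policy are assumptions.
AWSTemplateFormatVersion: '2010-09-09'
Description: Administrator role minus AWS Marketplace changes (illustrative)

Parameters:
  SamlProviderArn:
    Type: String
    Description: >-
      ARN of the IAM SAML identity provider used for Shibboleth sign-in
      (assumed here; e.g. arn:aws:iam::123456789012:saml-provider/example-idp)

Resources:
  DenyMarketplaceChangesPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: deny-marketplace-changes-policy
      Description: Explicit deny on Marketplace subscription changes
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: DenyMarketplaceChanges
            Effect: Deny
            # Assumed action list: Subscribe/Unsubscribe are the purchase actions.
            # aws-marketplace:ViewSubscriptions is deliberately left alone so the
            # team can still see existing subscriptions.
            Action:
              - aws-marketplace:Subscribe
              - aws-marketplace:Unsubscribe
            Resource: '*'

  ShibAdminNoMarketRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: shib-admin_no_market
      # Trust policy: assumed SAML federation through the provider above.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Federated: !Ref SamlProviderArn
            Action: sts:AssumeRoleWithSAML
            Condition:
              StringEquals:
                SAML:aud: https://signin.aws.amazon.com/saml
      ManagedPolicyArns:
        # Broad privileges from the AWS-managed policy ...
        - arn:aws:iam::aws:policy/AdministratorAccess
        # ... minus Marketplace changes. Order is irrelevant: the explicit Deny
        # in this policy overrides the Allow in AdministratorAccess.
        - !Ref DenyMarketplaceChangesPolicy

Outputs:
  RoleArn:
    Description: ARN to hand to the identity provider configuration
    Value: !GetAtt ShibAdminNoMarketRole.Arn
```

After the stack is created, the effect of the deny can be checked without making a purchase: `aws iam simulate-principal-policy --policy-source-arn <role ARN> --action-names aws-marketplace:Subscribe` should report an EvalDecision of explicitDeny, while an unrelated action such as ec2:DescribeInstances should report allowed.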

Note that this policy and IAM role serve only as first-order safeguards. AdministratorAccess includes full IAM permissions, so a savvy user of the role can fairly easily bypass the restriction, for example by creating another IAM principal that does not carry the deny policy, or by changing the role's own attached policies if the deny policy does not also cover those IAM actions. Treat the role as a guardrail against accidental Marketplace purchases, not as a control against a determined user.

Deployment

  1. In the target AWS account, create a new CloudFormation stack using the template.yaml file.
  2. Create an Active Directory group that contains the people you wish to have access to the shib-admin_no_market role in your AWS account.
  3. Make a request to cloud-support@cornell.edu asking that the shib-admin_no_market role be configured for use by your AWS account. Optionally, request that a similar AWS SSO role be created as well. Be sure to provide the name of the AD group you created above.
  4. Once the Cloud Team confirms that the shib-admin_no_market role and/or the AWS SSO role is enabled, ask your team to begin using the new role(s) when working in your AWS account.
