Say you have two AWS accounts, one for dev and one for prod. In most cases devs have no access to prod, and that's how it should be. But when things break in prod, it helps to let the devs take a look in there. That doesn't mean giving devs permanent access to prod: you want to grant them access when it's required and revoke it right after.
You can use IAM roles and policies to achieve this. Start by creating an IAM role in prod that has all the permissions the devs would need when they're granted access in the event of a prod outage. The role creation would look like this:


Now that that's in place, all you have to do when the devs need prod access is let the devs' IAM group in the dev account assume this role by granting them the sts:AssumeRole permission. When it's time to revoke their access, simply remove this one sts:AssumeRole statement from their IAM policy. The process of granting the permission would look something like this:

And that would in turn add this statement to the devs' IAM policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::123456789012:role/devs-in-prod"
            ]
        }
    ]
}
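As an added example (not code from the original post), here are both halves of the setup as plain policy documents, together with the grant and revoke steps and a check that the revoke actually took: the trust policy the prod role must carry before anything in the dev account can assume it (not visible in the post's screenshot, but cross-account AssumeRole fails without it), and the sts:AssumeRole statement added to and removed from the devs' group policy. The role ARN is the post's; the dev account id is a constructed placeholder and the grant/revoke/can_assume helpers are mine.

```python
from copy import deepcopy
from fnmatch import fnmatchcase

# From the post: the prod role that devs are allowed to assume during an outage.
PROD_ROLE_ARN = "arn:aws:iam::123456789012:role/devs-in-prod"
# Constructed placeholder: the post does not give the dev account id.
DEV_ACCOUNT_ID = "111111111111"

def trust_policy(dev_account_id):
    """Trust policy the prod role needs so the dev account can assume it.
    ':root' means any principal in that account whose own IAM policy also
    allows sts:AssumeRole on this role, not the root user specifically."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{dev_account_id}:root"},
        "Action": "sts:AssumeRole"}]}

def assume_role_statement(role_arn):
    """The single statement the post adds to the devs' IAM group policy."""
    return {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": [role_arn]}

def _as_list(value):  # IAM allows a string, a dict or a list in these fields
    if value is None: return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def _grants_assume(stmt, role_arn):
    """True if an Allow statement covers sts:AssumeRole on role_arn (IAM wildcards honoured)."""
    return (stmt.get("Effect") == "Allow"
            and any(fnmatchcase("sts:assumerole", a.lower()) for a in _as_list(stmt.get("Action")))
            and any(fnmatchcase(role_arn, r) for r in _as_list(stmt.get("Resource"))))

def can_assume(policy, role_arn):
    """Check to run after revoking: does this policy still let the group assume the role?"""
    return any(_grants_assume(s, role_arn) for s in _as_list(policy.get("Statement")))

def grant(policy, role_arn):
    """Grant step: copy of the group policy with the AssumeRole statement added (idempotent)."""
    new = deepcopy(policy)
    if not can_assume(new, role_arn):
        new.setdefault("Statement", []).append(assume_role_statement(role_arn))
    return new

def revoke(policy, role_arn):
    """Revoke step: copy with every statement granting AssumeRole on role_arn removed."""
    new = deepcopy(policy)
    new["Statement"] = [s for s in _as_list(new.get("Statement")) if not _grants_assume(s, role_arn)]
    return new

if __name__ == "__main__":
    print(grant({"Version": "2012-10-17", "Statement": []}, PROD_ROLE_ARN))
```

The revoke step removes any statement that would still reach the role, including wildcard ones like `sts:*` on `*`, so can_assume returning False afterwards is the signal that access is really gone.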