IAM & Access
At Playground Tech, we use a small set of IAM roles to manage our customers' AWS management accounts. The roles follow strict access controls to protect our customers' data. Following the ECAM model in the Cloud Management Program (CMP), we never access a customer's member accounts directly. Instead, we access the management account through specific roles, each with a defined purpose and minimal permissions. To prevent privilege escalation, we also apply a Permissions Boundary to every user and role in the management account, including those created by the customer.
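The boundary only prevents privilege escalation if nobody can create a principal without it or strip it afterwards. The following is an added example, not Playground Tech's own policy or tooling: a deny-only policy that enforces the boundary on principal creation, and an offline audit over a constructed snapshot of `iam:ListRoles` / `iam:ListUsers` output that reports any principal still missing it. The account ID, boundary name and principal names are hypothetical.

```python
"""Added example (not Playground Tech's code): permissions-boundary
enforcement and an offline audit for principals that lack the boundary."""
import fnmatch
import json

ACCOUNT_ID = "111122223333"  # hypothetical management account
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT_ID}:policy/PlaygroundTechBoundary"
OTHER_BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT_ID}:policy/SomeOtherBoundary"

# Deny statements that belong both in the identity policies of anyone who may
# touch IAM and inside the boundary document itself, so that a bounded
# principal cannot create an unbounded one or lift its own boundary.
# Note: for a negated operator such as StringNotEquals, AWS evaluates the
# condition as TRUE when the key is absent, so a CreateRole call that
# omits the boundary entirely is denied as well.
ENFORCE_BOUNDARY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyPrincipalChangesWithoutBoundary",
            "Effect": "Deny",
            "Action": [
                "iam:CreateUser",
                "iam:CreateRole",
                "iam:PutRolePermissionsBoundary",
                "iam:PutUserPermissionsBoundary",
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}
            },
        },
        {
            "Sid": "DenyBoundaryRemoval",
            "Effect": "Deny",
            "Action": [
                "iam:DeleteRolePermissionsBoundary",
                "iam:DeleteUserPermissionsBoundary",
            ],
            "Resource": "*",
        },
        {
            "Sid": "DenyEditingTheBoundaryPolicy",
            "Effect": "Deny",
            "Action": [
                "iam:CreatePolicyVersion",
                "iam:DeletePolicy",
                "iam:DeletePolicyVersion",
                "iam:SetDefaultPolicyVersion",
            ],
            "Resource": BOUNDARY_ARN,
        },
    ],
}


def find_unbounded_principals(principals, boundary_arn=BOUNDARY_ARN, exempt=()):
    """Return (name, attached_boundary_arn) for principals whose boundary is
    missing or is not the expected one.

    `principals` holds dicts shaped like iam:ListRoles / iam:ListUsers
    entries; only the fields used here are required. Service-linked roles
    cannot carry a boundary and are skipped. `exempt` is a tuple of fnmatch
    patterns for names that are deliberately unbounded (should be empty).
    """
    findings = []
    for p in principals:
        name = p.get("RoleName") or p.get("UserName")
        if p.get("Path", "/").startswith("/aws-service-role/"):
            continue
        if any(fnmatch.fnmatch(name, pattern) for pattern in exempt):
            continue
        attached = p.get("PermissionsBoundary", {}).get("PermissionsBoundaryArn")
        if attached != boundary_arn:
            findings.append((name, attached))
    return findings


# Constructed snapshot standing in for the API output (hypothetical names).
SAMPLE_SNAPSHOT = [
    {"RoleName": "Admin_Playground_Tech", "Path": "/",
     "PermissionsBoundary": {"PermissionsBoundaryType": "Policy",
                             "PermissionsBoundaryArn": BOUNDARY_ARN}},
    {"RoleName": "customer-deploy", "Path": "/"},  # boundary never attached
    {"RoleName": "AWSServiceRoleForOrganizations",
     "Path": "/aws-service-role/organizations.amazonaws.com/"},
    {"UserName": "ci-bot", "Path": "/",
     "PermissionsBoundary": {"PermissionsBoundaryType": "Policy",
                             "PermissionsBoundaryArn": OTHER_BOUNDARY_ARN}},
]

if __name__ == "__main__":
    print(json.dumps(ENFORCE_BOUNDARY_POLICY, indent=2))
    for name, attached in find_unbounded_principals(SAMPLE_SNAPSHOT):
        print(f"UNBOUNDED {name}: boundary={attached}")
```

Run the audit against real `list_roles` / `list_users` pages (they have exactly this shape) on a schedule; an empty result is the evidence that the "every user and role" claim above still holds, and a non-empty one is a finding to escalate, since a principal without the boundary is outside the escalation guard entirely.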
Admin_Playground_Tech
This role is used by the Playground Tech team for manual operations such as opening support tickets with AWS, purchasing Reserved Instances and Savings Plans (RI/SPs), and inspecting the logs of the supporting services. It cannot be assumed without MFA, and its use is kept to a minimum. It is also used to run maintenance scripts for the solution.
Automation_Playground_Tech
Used to automate the setup and improvement of the supporting services within the Playground environment. It is assumed from GitHub Actions through OpenID Connect (OIDC) and is never assumed manually by a Playground Tech team member. Its trust policy allows it to be assumed only from the GitHub Actions workflows of the repository belonging to that specific customer, and from nowhere else. All code changes undergo peer review, and the audit trail of changes and approvals is kept in GitHub.
ReadOnly_Playground_Tech
This role is used by the Playground Tech team to access cost and billing information while keeping permissions to customer data to a minimum. It provides read-only access to analyze cost data, monitor spending, and track billing trends within the Playground environment. Assuming it requires MFA and is limited to authorized team members. The role permits no modifications, so the team operates with reduced permissions.
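The guarantees stated for the three team roles above (MFA before Admin_Playground_Tech or ReadOnly_Playground_Tech can be assumed; Automation_Playground_Tech assumable only from one customer's GitHub repository) live in each role's trust policy, and the most common way they silently break is a trust policy that is edited to be too broad. The following is an added example, not Playground Tech's own code: the two trust-policy shapes, plus an offline audit that flags a missing MFA condition, a missing `aud` pin, a missing `sub` condition, or a `sub` that wildcards the repository. The account IDs, organisation and repository names are hypothetical.

```python
"""Added example (not Playground Tech's code): trust policies for the team
roles and an audit that checks they enforce MFA and repository scoping."""

ACCOUNT_ID = "111122223333"          # hypothetical customer management account
PLAYGROUND_ACCOUNT = "444455556666"  # hypothetical account the team signs in to
GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"
OIDC_PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{GITHUB_OIDC_HOST}"
GITHUB_ORG, GITHUB_REPO = "playground-tech", "customer-acme-landing-zone"


def human_trust_policy(source_account):
    """Trust for roles humans assume: the caller's session must carry MFA.
    `Bool` is used rather than `BoolIfExists` because the key is simply
    absent, not false, for callers that never authenticated with MFA."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{source_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    }


def github_oidc_trust_policy(org, repo):
    """Trust for the automation role: only tokens minted for the
    sts.amazonaws.com audience, and only from one repository's workflows."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": OIDC_PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{GITHUB_OIDC_HOST}:aud": "sts.amazonaws.com"},
                "StringLike": {f"{GITHUB_OIDC_HOST}:sub": f"repo:{org}/{repo}:*"},
            },
        }],
    }


def audit_trust_policy(policy, kind, allowed_repos=()):
    """Return a list of findings (empty means the policy matches the
    intent). kind is "human" (MFA required) or "github" (OIDC scoped to
    allowed_repos, given as "org/repo" strings)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        cond = stmt.get("Condition", {})
        if kind == "human":
            mfa = cond.get("Bool", {}).get("aws:MultiFactorAuthPresent")
            if str(mfa).lower() != "true":
                findings.append("human role is assumable without MFA")
        elif kind == "github":
            aud = cond.get("StringEquals", {}).get(f"{GITHUB_OIDC_HOST}:aud")
            if aud != "sts.amazonaws.com":
                findings.append("aud is not pinned to sts.amazonaws.com")
            subs = []
            for operator in ("StringEquals", "StringLike"):
                value = cond.get(operator, {}).get(f"{GITHUB_OIDC_HOST}:sub")
                if value is not None:
                    subs.extend(value if isinstance(value, list) else [value])
            if not subs:
                findings.append("no sub condition: any GitHub repository could assume this role")
            for sub in subs:
                if not sub.startswith("repo:"):
                    findings.append(f"unexpected sub claim format: {sub}")
                    continue
                # sub looks like repo:<org>/<repo>:<ref or environment>
                repo_part = sub[len("repo:"):].partition(":")[0]
                if "*" in repo_part or "?" in repo_part:
                    findings.append(f"sub wildcards the repository: {sub}")
                elif repo_part not in allowed_repos:
                    findings.append(f"sub names a repository outside the allow list: {sub}")
        else:
            raise ValueError(f"unknown role kind {kind!r}")
    return findings


# Constructed weak variants for comparison.
WEAK_GITHUB_TRUST = github_oidc_trust_policy(GITHUB_ORG, "*")   # repo:org/*:*
NO_CONDITION_GITHUB_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Federated": OIDC_PROVIDER_ARN},
                   "Action": "sts:AssumeRoleWithWebIdentity"}],
}

if __name__ == "__main__":
    allowed = [f"{GITHUB_ORG}/{GITHUB_REPO}"]
    print("admin   :", audit_trust_policy(human_trust_policy(PLAYGROUND_ACCOUNT), "human"))
    print("automation:", audit_trust_policy(github_oidc_trust_policy(GITHUB_ORG, GITHUB_REPO), "github", allowed))
    print("weak    :", audit_trust_policy(WEAK_GITHUB_TRUST, "github", allowed))
    print("no cond :", audit_trust_policy(NO_CONDITION_GITHUB_TRUST, "github", allowed))
```

Two practical notes. `repo:org/repo:*` still lets any branch, pull request or environment of that repository assume the role; if only the main branch deploys, tighten the `sub` pattern to `repo:org/repo:ref:refs/heads/main` (or an `environment:` claim) and keep the peer-review gate on that branch. And feed the audit with the output of `iam:GetRole` (`Role.AssumeRolePolicyDocument`) on a schedule, so a trust policy widened by hand shows up as a finding rather than going unnoticed.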
Custodian_Boundary_Enforcer_Playground_Tech
Used with Custodian Cloud to create automations that enforce security policies within the AWS Management Account. This role supports various security measures, including monitoring, alerting, and managing IAM permissions.
vantage_cross_account_connection
Allows Vantage to read cost and usage report data in a specific S3 bucket, ensuring that Vantage can operate as intended.
ClickHouseAccessRole-pgt-cur-access
This role grants the Playground Tech team access to cost and usage report data in S3 for data analysis. It lets the team analyze the data while restricting access to only the resources that analysis requires.