/AWS-ChangeManager-PAM

Just enough PAM, using only AWS services

Primary language: Python

PAM in AWS using AWS Change Manager

This repo is the companion to Just enough PAM.

It creates

  • A Lambda that creates and modifies an IAM Role that serves as the privileged role
  • An IAM Role with privileges, in this case EC2 Describe permissions
  • An Automation Document that invokes the Lambda
  • A Change Template for AWS Change Manager
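To make the "Lambda modifies the privileged role" step concrete, here is an added example of what such a Lambda can do with the role's trust policy. It is not the repo's own Lambda: it assumes the Automation document passes an event with RoleName, PrincipalArn, Action ("grant" or "revoke"), an optional TtlMinutes and an optional OrgId, and it only rewrites the trust policy of an existing role rather than creating it. Each grant is time-boxed with a DateLessThan condition on aws:CurrentTime, so access lapses even if the revoke step never runs, and the handler refuses wildcard principals.

```python
"""Added example: grant or revoke time-boxed access to a privileged IAM role
by rewriting the role's trust policy (not the repo's own Lambda code)."""
import json
import re
from datetime import datetime, timedelta, timezone

ASSUME_ACTION = "sts:AssumeRole"
_TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Only IAM users and roles in a specific account may be trusted; never "*".
_PRINCIPAL_RE = re.compile(r"^arn:aws:iam::\d{12}:(user|role)/[\w+=,.@/-]+$")


def _validate_principal(arn):
    if not isinstance(arn, str) or not _PRINCIPAL_RE.match(arn):
        raise ValueError(f"refusing to trust principal {arn!r}")
    return arn


def _expiry(now, minutes):
    return (now + timedelta(minutes=minutes)).strftime(_TIME_FMT)


def parse_grants(policy, now):
    """Recover still-valid grants (principal ARN -> expiry) from a trust policy.
    Expired entries, list principals, unique-ID principals that AWS substitutes
    for deleted users/roles, and anything else not in our shape are dropped."""
    grants = {}
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        arn = st.get("Principal", {}).get("AWS")
        expires = st.get("Condition", {}).get("DateLessThan", {}).get("aws:CurrentTime")
        if not (isinstance(arn, str) and _PRINCIPAL_RE.match(arn) and expires):
            continue
        if datetime.strptime(expires, _TIME_FMT).replace(tzinfo=timezone.utc) > now:
            grants[arn] = expires
    return grants


def build_trust_policy(grants, org_id=None):
    """One Allow statement per approved principal, each bounded by an expiry
    and (optionally) by the AWS Organization the caller must belong to.
    With nobody approved, write an explicit deny-all so the role is unassumable."""
    statements = []
    for arn, expires in sorted(grants.items()):
        cond = {"DateLessThan": {"aws:CurrentTime": expires}}
        if org_id:
            cond["StringEquals"] = {"aws:PrincipalOrgID": org_id}
        statements.append({"Effect": "Allow", "Principal": {"AWS": arn},
                           "Action": ASSUME_ACTION, "Condition": cond})
    if not statements:
        statements.append({"Effect": "Deny", "Principal": {"AWS": "*"},
                           "Action": ASSUME_ACTION})
    return {"Version": "2012-10-17", "Statement": statements}


def apply_change(policy, action, principal_arn, now, ttl_minutes=60, org_id=None):
    """Pure function: current trust policy + requested change -> new trust policy."""
    grants = parse_grants(policy, now)  # also prunes expired grants
    arn = _validate_principal(principal_arn)
    if action == "grant":
        grants[arn] = _expiry(now, ttl_minutes)
    elif action == "revoke":
        grants.pop(arn, None)
    else:
        raise ValueError(f"unknown action {action!r}")
    return build_trust_policy(grants, org_id)


def lambda_handler(event, context):
    """Entry point for the Automation document. The event field names are an
    assumption of this example, not the repo's interface."""
    import boto3  # imported here so the policy logic above runs offline

    iam = boto3.client("iam")
    role_name = event["RoleName"]
    # boto3 returns AssumeRolePolicyDocument already decoded into a dict.
    current = iam.get_role(RoleName=role_name)["Role"]["AssumeRolePolicyDocument"]
    new_policy = apply_change(current, event["Action"], event["PrincipalArn"],
                              datetime.now(timezone.utc),
                              int(event.get("TtlMinutes", 60)), event.get("OrgId"))
    iam.update_assume_role_policy(RoleName=role_name,
                                  PolicyDocument=json.dumps(new_policy))
    return {"RoleName": role_name, "TrustPolicy": new_policy}
```

Two practical caveats. IAM rejects a trust policy that names a user or role that does not exist (MalformedPolicyDocument), so validate the requester before the change request reaches approval. And the default trust policy size limit is 2048 characters, which bounds how many concurrent grants one role can carry; the expiry condition keeps stale grants from accumulating up to that limit.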

This is what the process looks like.

(Figure: PAM Process)

Get Started

  1. An AWS Account in an AWS Organization. Alternatively, remove the AWS Organizations condition from PAMTrustPolicy.json.
  2. A user identity for AWS Change Manager, configured under Change Manager Settings. This demo uses a user named Template_Manager; you can change this in the Change Template.
  3. Create a change template using this Change Template by pasting it into the editor.
  4. You can now deploy the Lambda and Automation Document.
  5. Create a Change Request and have the Template_Manager user from step 2 approve it.

Deploy

npm install serverless@2.31.0
cd PAM
serverless deploy --stage="dev" -v

🎉

Remove

serverless remove --stage="dev" -v