Skip to main content

Support access to AWS

When you open a technical support request with DoiT, we may occasionally need access to your AWS accounts to help you effectively. DoiT provides complete transparency when accessing your Amazon Web Services (AWS) accounts.

Key points

  • We leverage the AWS user federation broker mechanism for temporary read-only access to your environments.

    • We only access your AWS accounts to provide technical support per our contractual obligations. We never access your AWS accounts for any other reason.

    • Support engineers do not have write access to your AWS accounts. The only exception is that we are able to raise AWS support requests on your behalf.

  • Access logs retention to your environments on our platform is 30 days. You can use AWS CloudTrail for a complete log of every action that we perform on your accounts.

  • We establish the access trust domain perimeter through cryptographic means at the code level to ensure that only DoiT has access to your environments from well-known and secure entrypoints.

Grant access

To grant federated access to DoiT support engineers, you must configure the following resources on each of your AWS accounts:

  • Two AWS IAM Identity providers to federate DoiT-managed identities.

  • One AWS IAM support role named DoiT-Support-Gateway to allow access from the identities mentioned above.

As these resources are global, you may install them in any AWS region.

Required permissions

To create the aforementioned technical prerequisites, you must log in with an IAM user or assume an IAM role that has at least the IAM permissions defined in the IAM policy below:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:CreateRole",
"iam:DeleteRole",
"iam:GetRole",
"iam:ListRoles",
"iam:UpdateRole",
"iam:TagRole",
"iam:UntagRole",
"iam:CreateOpenIDConnectProvider",
"iam:UpdateOpenIDConnectProviderThumbprint",
"iam:GetOpenIDConnectProvider",
"iam:ListAttachedRolePolicies",
"iam:ListOpenIDConnectProviders",
"iam:AttachRolePolicy",
"iam:DetachRolePolicy",
"iam:PutRolePolicy",
"iam:GetRolePolicy",
"iam:ListRolePolicies",
"iam:DeleteRolePolicy",
"iam:UpdateAssumeRolePolicy"
],
"Resource": [
"arn:aws:iam::CUSTOMER_AWS_ACCOUNT_ID:role/*",
"arn:aws:iam::CUSTOMER_AWS_ACCOUNT_ID:oidc-provider/*"
]
}
]
}

Resource creation

Note

You must create the required resources on each of your AWS accounts.

We recommend that you create the resources through our AWS Cloud Formation provided quick-create link.

Alternatively, you can manually create the resources using one of the following methods.

Follow the step-by-step AWS Cloud Formation Stack creation instructions, and on the final screen, acknowledge the Named IAM resources warning.

Note

During the step-by-step process, don't make any change to the provided values, or the process may fail.

Additional information

  • You are free to grant any permission to the DoiT-Support-Gateway IAM role, the ones suggested above are the ones we recommend to cover most, if not all, support use cases. The decision to explicitly grant granular access to DoiT support to your accounts ultimately lies with you. Note that we enforce AWS session policies at the application level to ensure the permissions you granted are solely restricted to read-only and opening support tickets on your behalf.

  • You can leverage the DoiTEnvironment AWS IAM Principal session tag within the IAM conditions of your own Resource-based AWS IAM Policies to further restrict the resources accessible to DoiT.

    We may support custom AWS IAM Session Principal Tags in the future so you can integrate DoiT with your existing IAM tag-based access control security strategy. Feel free to reach out if you would like to have this feature prioritized.