Skip to main content Link Menu Expand (external link) Document Search Copy Copied

Prerequisites & setup

Prerequisites

AWS Organizations

  • AWS Organizations managed multi account environment with AWS IAM Identity Center federated account access

    TEAM cannot be used to perform the following tasks:

    • Grant temporary access to the management account
    • Manage permission sets provisioned in the management account

    Read the security considerations section for more information.

Permission set

  • Configure Permission sets in IAM Identity center.

    You can either use a predefined permission set provided by Identity Center, or you can create your own permission sets using custom permissions in order to provide least-privilege access for particular operational tasks.

Dedicated TEAM account

  • Dedicated AWS account for deploying TEAM Application. This account will also be configured as delegated admin for:
    • IAM Identity Center
    • CloudTrail Lake
    • Account management

    As per AWS best practice, it is not recommended to deploy resources in the organization management account. Designate a dedicated account for deploying the TEAM solution. We recommend that you do not deploy any other workloads in this account, and carefully manage users with access to this account based on a need-to-do principle.

Cloudtrail Lake organization event datastore

TEAM uses AWS CloudTrail Lake for querying, auditing and logging API activities and actions performed by a user during the period of elevated access. Create a Cloudtrail Lake organization event datastore in the dedicated TEAM account that stores all log events for all AWS account in your organization

AWS Secrets Manager

TEAM allows you to use external repositories for deploying the solution. Create a secret in AWS Secret Manager containting your repository url and Access token in Secrets manager as shown below

custom

TEAM groups

  • Create groups within AWS IAM Identity center for TEAM admins and TEAM auditors. These groups can be created locally (In Identity center) or synchronised from an external identity provider following your organisation’s group membership review and attestation process.

    Refer to the solution overview for more information on TEAM personas and groups

Development environment setup

  • Setup awscli and install git-remote-codecommit on your local workstation

  • Install jq on your local workstation

  • Setup a named profile for AWS CLI with sufficient permissions for the Organization management account

  • Setup a named profile for AWS CLI with sufficient permissions for the AWS account where the TEAM Application will be deployed in

    You can use AWS CloudShell instead of the first two steps of setting up awscli, git-remote-codecommit, and jq on a local workstation.

🚀 You can now Deploy the Application.