
AWS IAM Resource Naming Standards

Each entry below gives the AWS resource, its Resource Name pattern, a Comment on the allowed values, and an Example.

IAM User
  Resource Name:
    All normal access should go through Common Authentication at this point; IAM users are reserved for single-purpose or service accounts (which should only be used if roles are not available).
    Administrators: first_last
    Service Accounts: service_name
  Comment:
    IAM user names should mirror the user's @harvard.edu email address.
  Example:
    robert_ruma
    thomas_vachon
    cloud_endure

IAM Group
  Resource Name:
    {{appname_construct}}-{{group_purpose}}-iam-group
    Note: account level group resources use the standard naming structure
    {{account_naming_construct}}-{{group_purpose}}-{{access_level}}-iam-group
  Comment:
    Application group purpose can be one of the following:
      • readonly
      • poweruser
      • administrator
    Account level group purpose can be one of the following:
      • forcemfa
      • cloudendure
      • administrator
    Optional account level group access can be one of the following:
      • administrator
      • poweruser
      • readonly
      • isolated-by-tag
  Example:
    takeasweater-prod-readonly-iam-group
    takeasweater-dev-administrator-iam-group
    admints-dev-standard-forcemfa-iam-group

IAM Role (via SAML)
  Resource Name:
    {{account_naming_construct}}-saml-{{group_purpose}}-iam-role@us-east-1
    Note: app level role resources use the standard naming structure
    {{appname_construct}}-saml-{{group_purpose}}-iam-role@us-east-1
  Comment:
    Account group purpose can be one of the following:
      • admin
      • poweruser
      • readonly
      • (more can be added as required)
    Account level group purpose can be one of the following:
      • fullaccess
      • readonly
  Example:
    cloudhacks-dev-standard-saml-admin-iam-role@us-east-1
    takeasweater-prod-saml-readonly-iam-role@us-east-1

IAM Roles
  Resource Name:
    {{appname_construct}}-{{role_purpose}}-iam-role
  Comment:
    Role Purpose can be one of the following:
      • autodeploy
      • s3access
      • securitymonkey
      • datapipeline
      • ebssnapshot
      • lambdaexecute
  Example:
    takeasweater-prod-autodeploy-iam-role
    takeasweater-dev-s3access-iam-role

Instance Role
  Resource Name:
    {{appname_construct}}-{{role_type}}-iam-ec2role
  Comment:
    Role Type can be one of the following:
      • app
      • web
      • cache
      • master
      • worker
      • nfs
  Example:
    takeasweater-prod-app-iam-ec2role
    takeasweater-dev-cache-iam-ec2role

IAM Policy
  Resource Name:
    {{appname_construct}}-{{product_used}}-{{level_of_access}}-iam-policy
    Note: account level policy resources use the standard naming structure
    {{account_naming_construct}}-{{product_used}}-{{level_of_access}}-iam-policy
  Comment:
    Product Used must be one of the AWS product names, such as:
      • ec2
      • s3
      • lambda
      • codedeploy
      • sqs
    Account level product names can be one of the following:
      • securitymonkey
      • osaccounts
      • cloudendure
      • cfoutputs
    Level of Access must be one of the following:
      • readonly
      • readwrite
      • isolated-by-tag
    Note: instance profiles are a collection of policies added to a role.
  Example:
    takeasweater-prod-s3-readwrite-iam-policy
    takeasweater-dev-codedeploy-readonly-iam-policy

KMS
  Resource Name:
    {{appname_construct}}-{{scope}}-{{type}}-kms
  Comment:
    Scope (context) should be one of:
      • standard
      • level4 (for Level 4 Data)
      • bcdr (only for bcdr exclusive accounts)
    Type should be one of:
      • ebs
      • rds
      • snowball
      • s3
      • redshift
      • codecommit
      • cloudtrail
      • elastictranscoder
      • ses
  Example:
    takeasweater-dev-standard-rds-kms
    takeasweater-prod-standard-ebs-kms

SSL Certificates (for ELB or CloudFront)
  Resource Name:
    {{appname_construct}}-{{product_used}}-{{certificate_type}}-{{certificate_expiry}}-sslcert
  Comment:
    These items are treated internally as IAM resources and therefore must be named appropriately.
    Product Used must be one of the following AWS product names:
      • elb
      • cloudfront
    Certificate Type should be one of the following:
      • domain
      • wildcard
      • san
    Certificate Expiry should be in the format "YYYYMM".
  Example:
    takeasweater-dev-elb-domain-201601-sslcert
    takeasweater-prod-cloudfront-wildcard-201601-sslcert
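As an added example (not part of the original standard), the Python below checks a proposed name against the application-level AWS patterns above (IAM group, role, instance role, policy, KMS key and SSL certificate; the account-level and SAML forms are left out) and reports any value that is outside the listed vocabularies or a malformed certificate expiry. It assumes, since the page does not define it, that {{appname_construct}} is "<app>-<env>" as in the examples.

```python
import re

# Allowed values, keyed by (resource kind, field), are the lists given in the standard above.
ALLOWED = {
    ("iam-group", "purpose"): {"readonly", "poweruser", "administrator"},
    ("iam-role", "purpose"): {"autodeploy", "s3access", "securitymonkey",
                              "datapipeline", "ebssnapshot", "lambdaexecute"},
    ("iam-ec2role", "type"): {"app", "web", "cache", "master", "worker", "nfs"},
    ("iam-policy", "access"): {"readonly", "readwrite", "isolated-by-tag"},
    ("kms", "scope"): {"standard", "level4", "bcdr"},
    ("kms", "type"): {"ebs", "rds", "snowball", "s3", "redshift", "codecommit",
                      "cloudtrail", "elastictranscoder", "ses"},
    ("sslcert", "product"): {"elb", "cloudfront"},
    ("sslcert", "ctype"): {"domain", "wildcard", "san"},
}

# Assumption (the page does not define it): {{appname_construct}} is "<app>-<env>",
# as in the examples "takeasweater-prod" and "takeasweater-dev".
APP = r"(?P<app>[a-z0-9]+)-(?P<env>[a-z0-9]+)"

# One regex per application-level pattern; named groups map onto the {{placeholders}}.
PATTERNS = {
    "iam-group":   re.compile(rf"^{APP}-(?P<purpose>[a-z]+)-iam-group$"),
    "iam-role":    re.compile(rf"^{APP}-(?P<purpose>[a-z0-9]+)-iam-role$"),
    "iam-ec2role": re.compile(rf"^{APP}-(?P<type>[a-z]+)-iam-ec2role$"),
    "iam-policy":  re.compile(rf"^{APP}-(?P<product>[a-z0-9]+)-(?P<access>[a-z-]+)-iam-policy$"),
    "kms":         re.compile(rf"^{APP}-(?P<scope>[a-z0-9]+)-(?P<type>[a-z0-9]+)-kms$"),
    "sslcert":     re.compile(rf"^{APP}-(?P<product>[a-z]+)-(?P<ctype>[a-z]+)"
                              rf"-(?P<expiry>\d{{6}})-sslcert$"),
}

def check_name(name):
    """Classify a name against the standard; returns (kind, fields, problems),
    with kind None when no pattern matches and problems listing vocabulary errors."""
    for kind, rx in PATTERNS.items():
        m = rx.match(name)
        if not m:
            continue
        fields = m.groupdict()
        problems = [f"{field}={fields[field]!r} is not one of {sorted(allowed)}"
                    for (k, field), allowed in ALLOWED.items()
                    if k == kind and fields[field] not in allowed]
        # Certificate expiry must be YYYYMM; the regex only guarantees six digits.
        if kind == "sslcert" and not 1 <= int(fields["expiry"][4:]) <= 12:
            problems.append(f"expiry={fields['expiry']!r} is not in YYYYMM format")
        return kind, fields, problems
    return None, {}, ["name matches no application-level naming pattern"]
```

Feeding the page's own examples through `check_name` yields an empty problem list; a constructed name such as "takeasweater-prod-fullaccess-iam-group" is flagged because "fullaccess" is not an application group purpose.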


Azure User and Group Resource Naming Standards

Each entry below gives the Azure resource, its Resource Name pattern, a Comment on the allowed values, and an Example.

IAM User (Service Account)
  Resource Name:
    Service Accounts: service_name
  Comment:
    User-based identities are available via Harvard's ADFS system only.
    This is configured in AAD → App Registrations.
  Example:
    cloud_endure

IAM Roles (for end-users)
  Resource Name:
    {{account_naming_construct}}-{{role_purpose}}-iam-role
  Comment:
    Role Purpose can be one of the following:
      • network
      • compute
      • admin
      • readonly
  Example:
    admints-dev-standard-network-iam-role
    admints-dev-standard-admin-iam-role

Virtual Machine Managed Service Identity
  Resource Name:
    {{appname_construct}}-{{role_type}}-iam-vmmsi
  Comment:
    Role Type can be one of the following:
      • app
      • web
      • cache
      • master
      • worker
      • nfs
  Example:
    takeasweater-prod-app-iam-vmmsi
    takeasweater-dev-cache-iam-vmmsi

KeyVault
  Resource Name:
    {{appname_construct}}-{{scope}}-{{type}}-keyvault
  Comment:
    Scope (context) should be one of:
      • standard
      • level4 (for Level 4 Data)
  Example:
    takeasweater-dev-standard-kms
    takeasweater-prod-standard-kms

KeyVault Key
  Resource Name:
    {{appname_construct}}-{{scope}}-{{type}}-keyvault
  Comment:
    Scope (context) should be one of:
      • standard
      • level4 (for Level 4 Data)
    Type should match the usage of the key:
      • storageaccount
      • disk
      • mssql
  Example:
    takeasweater-dev-standard-storageaccount-key
    takeasweater-prod-standard-disk-key