Open
Overview
Throughout the AWS modules in the Nullstone catalog, AWS IAM Users are created with limited permissions to run AWS commands on behalf of the user (e.g. push, deploy, ssh, get logs).
Creating IAM Users adds compliance burden for teams, because most policies require that each IAM User be associated with a real person.
Instead, the modules should create an IAM role and allow the Nullstone agent to assume that role.
Details
When a user runs a command (e.g. nullstone deploy), Nullstone verifies whether they are allowed to perform that action. Then Nullstone performs AssumeRole, identifying the requesting user in the AssumeRole request. This way, the requesting user is captured in the AWS audit trail while adhering to compliance policies.
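As an added illustration (not Nullstone's code, and not part of this issue), the following Python shows the two pieces the flow above needs: the trust policy the module would attach to the role so that only the agent principal can assume it, and the AssumeRole parameters that carry the requesting user into the session. The agent principal ARN, role ARN and external id are placeholders; the ExternalId condition is an assumption added here as the usual confused-deputy mitigation for cross-account access. Beyond what the issue states, it also sets `SourceIdentity`, the STS field built for exactly this audit purpose (the role's trust policy must then grant `sts:SetSourceIdentity`).

```python
import json
import re

# STS restricts RoleSessionName and SourceIdentity to [\w+=,.@-], 2..64 chars.
_STS_NAME_RE = re.compile(r"[^\w+=,.@-]")
_STS_NAME_MAX = 64


def sts_safe_name(value: str) -> str:
    """Map an arbitrary user identifier (e.g. an email or display name) to a
    string STS accepts, replacing disallowed characters with '_'."""
    cleaned = _STS_NAME_RE.sub("_", value)[:_STS_NAME_MAX]
    if len(cleaned) < 2:
        raise ValueError(f"user identifier too short for STS: {value!r}")
    return cleaned


def trust_policy(agent_principal_arn: str, external_id: str) -> dict:
    """Trust policy for the per-module role: only the agent principal may assume
    it, it must present the external id, and it may tag the session with a
    source identity so the requesting user lands in CloudTrail."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": agent_principal_arn},
                "Action": "sts:AssumeRole",
                # Assumption: an external id agreed between the module and the agent.
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            },
            {
                "Effect": "Allow",
                "Principal": {"AWS": agent_principal_arn},
                "Action": "sts:SetSourceIdentity",
            },
        ],
    }


def assume_role_request(role_arn: str, requesting_user: str, external_id: str) -> dict:
    """Keyword arguments for boto3 sts.assume_role(). Both RoleSessionName and
    SourceIdentity carry the requesting user, and the session is kept short."""
    who = sts_safe_name(requesting_user)
    return {
        "RoleArn": role_arn,
        "RoleSessionName": who,
        "SourceIdentity": who,
        "ExternalId": external_id,
        "DurationSeconds": 900,  # minimum STS allows; enough for one command
    }


def assumed_role_arn(role_arn: str, session_name: str) -> str:
    """The userIdentity.arn CloudTrail records for API calls made with the
    temporary credentials: the role name plus the session name (role path is
    not part of this ARN)."""
    account = role_arn.split(":")[4]
    role_name = role_arn.split("/")[-1]
    return f"arn:aws:sts::{account}:assumed-role/{role_name}/{session_name}"


def assume_role(params: dict) -> dict:
    """Perform the real STS call. Needs boto3 and the agent's own credentials,
    so it is only invoked when run for real, never in the offline demo below."""
    import boto3  # imported lazily so the rest of the module runs without it

    return boto3.client("sts").assume_role(**params)["Credentials"]


if __name__ == "__main__":
    # Constructed placeholders, not real accounts or roles.
    agent = "arn:aws:iam::111111111111:role/nullstone-agent"
    role = "arn:aws:iam::222222222222:role/nullstone/app-deploy"
    ext = "EXTERNAL-ID-PLACEHOLDER"
    print(json.dumps(trust_policy(agent, ext), indent=2))
    req = assume_role_request(role, "jane.doe@example.com", ext)
    print(json.dumps(req, indent=2))
    print("CloudTrail will show:", assumed_role_arn(role, req["RoleSessionName"]))
```

Running the script prints the trust policy, the request parameters and the assumed-role ARN a defender would search for in CloudTrail; `assume_role()` is the one function that actually contacts AWS.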
Status: In Development