I'm working on implementing our SaaS within a client's AWS account using a CloudFormation template that the client will deploy to create a role with the necessary permissions and policies (ReadOnlyAccess). What are some common challenges or considerations we should keep in mind to ensure a smooth setup for the client?
3 Answers
You might also want to consider using an external identifier for extra security. When creating the policy, it can be beneficial to tailor it for specific resources instead of giving broad access.
Having your client create the role for you to assume is definitely a good practice. One important thing to consider is adding an external ID for an extra layer of security when assuming the role. I usually provide clients with a YAML-formatted CloudFormation template to create the role, and I make sure to explain it thoroughly. It’s essential to document what the role does and how they can revoke access if needed. Just remember, external access can feel a bit daunting for some clients, so a clear and patient approach is key! Also, be sure to discuss if ReadOnlyAccess is sufficient or if you could create a more restricted custom policy, as some things might still be visible that shouldn't be.
One of the main hurdles is often getting the customer to provide you with the role ARN or just their account ID after they deploy the stack. Sometimes it can turn into a lengthy back and forth!

Related Questions
How To Get Your Domain Unblocked From Facebook
How To Find A String In a Directory of Files Using Linux