Introduction
CloudFix provides powerful access control capabilities that allow administrators to manage permissions with precision. This guide explains how to use role-based access control (RBAC) and resource-level access controls to secure your CloudFix environment.
Understanding Access Control in CloudFix
CloudFix offers two complementary approaches to manage access:
- Role-Based Access Control (RBAC): Assigns specific permissions to users based on predefined roles
- Resource-Level Access Control: Restricts which AWS resources users can view and manage
Together, these systems ensure users have exactly the access they need—no more, no less.
User Roles
CloudFix provides four predefined roles with increasing levels of permissions:
Role | Description | Use Cases |
---|---|---|
Reader | Read-only access to resources and reports | Auditors, Finance reviewers, Compliance teams |
Resource Manager | Can view and manage resources | DevOps engineers, Platform teams |
Runbook Manager | Can approve and manage runbooks | Operations managers, Team leads |
Tenant Administrator | Full access to all features | Cloud administrators, IT managers |
What Each Role Can Access
Reader
- View resources and recommendations
- Access cost and savings reports
- View dashboard and analytics
Resource Manager (all Reader permissions, plus)
- Execute recommendations
- Manage resources
- Access AWS account information
Runbook Manager (all Resource Manager permissions, plus)
- Approve runbooks
- Manage templates
- Oversee change management
Tenant Administrator (full access)
- Manage users and roles
- Configure tenant settings
- Access all system features
Setting User Roles
Assigning a Role to a New User
- Navigate to Settings → Users
- Click Add User
- Enter the user's information
- Select the appropriate role from the dropdown menu
- Click Save
Changing an Existing User's Role
- Navigate to Settings → Users
- Find the user in the list and click Edit
- Select the new role from the dropdown menu
- Click Save
Resource-Level Access Controls
For more granular control, CloudFix allows administrators to restrict which AWS resources users can access, regardless of their role.
Access Control Options
Resource access can be limited by:
- Organizational Units (OUs): Restrict access to specific OUs in your AWS organization
- AWS Accounts: Limit access to specific AWS accounts
- Regions: Control access by AWS regions
- Resource Tags: Filter resources based on their tags
Configuring Resource Access Controls
- Navigate to Settings → Users
- Find the user in the list and click Edit
- Scroll to the Resource Access Control section
- Configure the desired restrictions:
- Select OUs from the dropdown
- Select specific AWS accounts
- Choose allowed regions
- Add tag key-value pairs
- Click Save
How Resource Filters Work
- If no filters are set, the user can access every resource in the tenant that their role permits
- When filters are configured, the user can only access resources that satisfy every configured filter at once: a resource in an allowed account but outside the allowed regions is not accessible
- Filters are combined with role-based permissions: a user needs both the role permission for the action and resource access for the target resource. A filter never grants anything the role withholds, and a role never reaches past a filter
Examples and Use Cases
Example 1: Development Team Access
Scenario: Your development team needs to manage resources but only in development accounts.
Solution:
- Assign the Resource Manager role to development team members
- Apply account filters to limit access to development accounts only
Example 2: Regional Compliance
Scenario: Compliance requirements dictate that EU-based employees should only access EU-region resources.
Solution:
- Assign appropriate roles based on job functions
- Apply region filters to limit access to EU regions only (eu-west-1, eu-central-1, etc.)
Example 3: Project-Based Access
Scenario: Project teams should only see resources related to their projects.
Solution:
- Ensure all resources are tagged with project identifiers
- Apply tag filters to limit access to resources with specific project tags
Troubleshooting Access Issues
User Cannot See Expected Resources
Possible causes:
- User's role doesn't have permission to view those resources
- Resource filters are restricting access
- Resources don't match the configured filter criteria
Resolution steps:
- Verify the user's assigned role
- Check if resource filters are configured
- Confirm resources have the expected tags/are in the expected accounts or regions
User Cannot Perform Actions
Possible causes:
- The user's role does not include that action (for example, a Reader trying to execute a recommendation, or a Resource Manager trying to approve a runbook)
- The target resource is outside the user's resource access filters, so the action is blocked even though the role allows it
Resolution steps:
- Review the permissions of the user's assigned role against the action being attempted
- Check whether the resource falls outside the user's OU, account, region or tag filters; if so, widen the filter rather than the role
- Raise the user's role only when the job function genuinely requires the extra permissions, and choose the lowest role that covers the action
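The following Python model is added here as an illustration and is not CloudFix's own code. It ties together the filter semantics above, the three examples, and the troubleshooting checklist: a role layer that orders the four roles, a filter layer that reports which configured dimension a resource fails, and a combined decision that requires both. The action names, account IDs, OU names and tags are constructed for the example. Two details the page leaves open are treated as assumptions and marked in the code: several values selected within one dimension (OUs, accounts, regions) act as alternatives, while every configured tag pair must be present on the resource.

```python
"""Model of the two-layer access check described on this page: role AND resource filters.

Added example, not CloudFix's own code. Assumptions not stated on the page:
- several values within one dimension (OUs, accounts, regions) are alternatives;
- every configured tag key/value pair must be present on the resource;
- tag matching is exact and case-sensitive, as AWS tag keys and values are.
"""
from dataclasses import dataclass, field

# Roles in increasing order of privilege, from the role table on this page.
ROLES = ["Reader", "Resource Manager", "Runbook Manager", "Tenant Administrator"]

# Lowest role that may perform each action, from "What Each Role Can Access".
# The action labels are hypothetical names chosen for this example.
ACTION_MIN_ROLE = {
    "view_resources": "Reader",
    "execute_recommendation": "Resource Manager",
    "manage_resources": "Resource Manager",
    "approve_runbook": "Runbook Manager",
    "manage_users": "Tenant Administrator",
}

@dataclass
class Resource:
    account: str
    region: str
    ou: str                      # OU the resource's account belongs to
    tags: dict = field(default_factory=dict)

@dataclass
class User:
    name: str
    role: str
    # Resource filters; an empty set/dict means "no restriction" on that dimension.
    ous: set = field(default_factory=set)
    accounts: set = field(default_factory=set)
    regions: set = field(default_factory=set)
    tags: dict = field(default_factory=dict)

def role_allows(role: str, action: str) -> bool:
    """Role layer: the user's role must be at or above the action's minimum role."""
    if action not in ACTION_MIN_ROLE:
        return False             # unknown actions are denied, never silently allowed
    return ROLES.index(role) >= ROLES.index(ACTION_MIN_ROLE[action])

def filter_failures(user: User, res: Resource) -> list:
    """Resource layer: names of every configured filter the resource fails.

    Empty list means the resource is in scope. Dimensions are ANDed, so a
    single failure is enough to hide the resource from this user.
    """
    failed = []
    if user.ous and res.ou not in user.ous:
        failed.append("ou")
    if user.accounts and res.account not in user.accounts:
        failed.append("account")
    if user.regions and res.region not in user.regions:
        failed.append("region")
    for key, value in user.tags.items():     # assumption: all tag pairs must match
        if res.tags.get(key) != value:
            failed.append(f"tag:{key}")
    return failed

def can(user: User, action: str, res: Resource = None) -> bool:
    """Combined decision: role permission AND (for resource actions) resource access."""
    if not role_allows(user.role, action):
        return False
    if res is None:              # tenant-level action such as managing users
        return True
    return not filter_failures(user, res)

def explain(user: User, action: str, res: Resource) -> str:
    """Troubleshooting aid: report which layer blocked the request."""
    if not role_allows(user.role, action):
        need = ACTION_MIN_ROLE.get(action, "<unknown action>")
        return f"denied by role: {user.role} < {need}"
    failed = filter_failures(user, res)
    if failed:
        return "denied by resource filter(s): " + ", ".join(failed)
    return "allowed"

# Constructed sample data: hypothetical account IDs, OUs and tags, not from the page.
DEV_DB = Resource("111111111111", "eu-west-1", "ou-dev", {"Project": "atlas"})
PROD_DB = Resource("222222222222", "us-east-1", "ou-prod", {"Project": "Atlas"})
DEV_ENGINEER = User("dev-eng", "Resource Manager", accounts={"111111111111"})
EU_AUDITOR = User("eu-auditor", "Reader", regions={"eu-west-1", "eu-central-1"})
ATLAS_LEAD = User("atlas-lead", "Runbook Manager", tags={"Project": "atlas"})
TENANT_ADMIN = User("admin", "Tenant Administrator")

if __name__ == "__main__":
    for user, action, res in [
        (DEV_ENGINEER, "execute_recommendation", DEV_DB),
        (DEV_ENGINEER, "execute_recommendation", PROD_DB),
        (DEV_ENGINEER, "approve_runbook", DEV_DB),
        (EU_AUDITOR, "view_resources", PROD_DB),
        (ATLAS_LEAD, "approve_runbook", PROD_DB),     # tag value differs in case
    ]:
        print(f"{user.name:10} {action:22} {res.account}: {explain(user, action, res)}")
```

Running the block prints one line per case, and the `explain` output mirrors the troubleshooting section: it says whether the role or a specific filter blocked the request, which is the first thing to establish before touching anyone's role. The last case shows the most common cause of "resources don't match the configured filter criteria": the resource carries `Project=Atlas` while the filter asks for `Project=atlas`, and AWS tag keys and values are case-sensitive.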
Best Practices
- Follow the Principle of Least Privilege: Assign the lowest role that covers the actions a user actually performs, and narrow it further with resource filters
- Use Tags Consistently: Establish a tagging strategy (fixed key names, fixed casing) so that tag filters match reliably
- Audit Regularly: Review user roles and access controls periodically, and pay particular attention to users with no resource filters, since they have tenant-wide scope for their role
- Document Role Assignments: Maintain documentation of who has what access and why
- Limit Tenant Administrators: Minimize the number of users with full access
- Remember the Boundary: CloudFix roles and filters govern what a user can see and do inside CloudFix; they do not change IAM permissions in the underlying AWS accounts
Additional Resources
FAQs
Q: Can a user have different access levels for different resources?
A: Not within a single user. A user has one role, and that role sets the level of access everywhere; resource filters narrow which resources the role applies to, not how much the user can do with them. Use filters to restrict a user to the subset of resources they need, and choose the role by the highest-privilege action they must perform on that subset.
Q: What happens if a resource matches some filters but not others?
A: To be accessible, a resource must match ALL configured filters for a user. If any filter doesn't match, the resource won't be visible.
Q: Can I create custom roles?
A: Currently, CloudFix provides four predefined roles. Custom roles are not supported at this time.
Q: Do resource filters affect API access?
A: Yes, resource filters apply to both the UI and API access, ensuring consistent security enforcement.
Bill Gleeson