Permission Boundaries for AI Workload Teams

Question

Pulumi · Accepted Answer

To set up permission boundaries for AI workload teams, we'll use Pulumi to define and assign the necessary permissions to the team's AWS environment. Here, I'll demonstrate how to create an SSO permission set with a permissions boundary using AWS resources. The permissions boundary acts as a mechanism to delegate permissions for a specific team to manage their AI workloads without granting them more access than necessary.

In this example, we'll be using the `aws.ssoadmin.PermissionSet` resource to define a set of permissions, and `aws.ssoadmin.PermissionsBoundaryAttachment` to associate the permission boundary policy with the permission set. The permission set defines what actions team members are allowed to perform, and the permission boundary ensures that they cannot exceed the permissions defined by the policy attached as the boundary.

Before running the Pulumi code, ensure that you've configured your AWS credentials properly and selected the desired AWS region.

Here's a Python program using Pulumi to create these resources:

```python
import pulumi
import pulumi_aws as aws

# Configuration: Replace these variables with the appropriate values from your AWS environment.
sso_instance_arn = "arn:aws:sso:::instance/ssoins-EXAMPLE12345"
managed_policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"  # The ARN of the policy to be used as a permissions boundary

# Create an AWS SSO Permission Set
permission_set = aws.ssoadmin.PermissionSet("aiWorkloadPermissionSet",
    description="Permission set for AI workload team",
    instance_arn=sso_instance_arn,
    session_duration="PT2H",
    relay_state="https://example.com",  # Update this to the relay state URL as needed
    tags={
        "Team": "AIWorkloadTeam",
    })

# Attach the permissions boundary policy to the AWS SSO Permission Set
permission_boundary_attachment = aws.ssoadmin.PermissionsBoundaryAttachment("aiWorkloadPermissionsBoundaryAttachment",
    instance_arn=sso_instance_arn,
    permission_set_arn=permission_set.arn.apply(lambda arn: arn),
    permissions_boundary={
        "managed_policy_arn": managed_policy_arn,
    })

# Export the ARN of the Permission Set
pulumi.export("permission_set_arn", permission_set.arn)

# Export the ARN of the Permissions Boundary Attachment
pulumi.export("permission_boundary_attachment_arn", permission_boundary_attachment.id)
```

This program starts by importing the Pulumi AWS SDK. It then defines the ARNs for the SSO instance and the managed policy used as a permission boundary. Next, a permission set is created with a specified session duration, relay state, and tags using `aws.ssoadmin.PermissionSet`. The `aws.ssoadmin.PermissionsBoundaryAttachment` resource then associates the managed policy ARN with the permission set ARN, effectively applying the boundary to the permission set.

After running this Pulumi program, you'd have an AWS SSO permission set with a permissions boundary attached to it. This enforces a maximum set of permissions team members can use, a best practice for least privilege access control.

The resulting permission set ARN and permission boundary attachment ARN are exported so they can be referenced elsewhere in your infrastructure or in other Pulumi stacks if necessary.

For more information or detailed documentation about the resources used in the example, you can refer to the following:

- [aws.ssoadmin.PermissionSet](https://www.pulumi.com/registry/packages/aws/api-docs/ssoadmin/permissionset/)
- [aws.ssoadmin.PermissionsBoundaryAttachment](https://www.pulumi.com/registry/packages/aws/api-docs/ssoadmin/permissionsboundaryattachment/)