AWS
AWS resources follow the same prv-{team}-{type}-{qualifier} pattern, adapted to AWS constructs.
Identity Center (IDC)
AWS Identity Center (formerly AWS SSO) permission sets and their groups map to the role nomenclature:

`prv-{owner}-role-aws-idc[-{scope}][-{env}]-{perm}`

| Role Group | Permission Set | Purpose |
|---|---|---|
| prv-plt-role-aws-idc-prd-admin | AdministratorAccess | Production admin |
| prv-plt-role-aws-idc-stg-admin | AdministratorAccess | Staging admin |
| prv-eng-role-aws-idc-dev-developer | PowerUserAccess | Dev environment developer |
| prv-fin-role-aws-idc-billing-read | BillingReadOnly | Billing read-only |
| prv-sec-role-aws-idc-prd-read | SecurityAuditAccess | Security audit read |
Organizations

| Role Group | Purpose |
|---|---|
| prv-plt-role-aws-org-admin | AWS Organizations management |
| prv-fin-role-aws-org-billing | Organization billing access |
Account Naming
AWS accounts follow this naming pattern:

`{org}-{purpose}[-{env}]`

| Account | Purpose |
|---|---|
| prv-root | Management account (Organizations root) |
| prv-security | Security tooling (GuardDuty, Security Hub) |
| prv-logging | Centralized logging |
| prv-shared-services | Shared infrastructure |
| prv-workloads-prd | Production workloads |
| prv-workloads-stg | Staging workloads |
| prv-workloads-dev | Development workloads |
| prv-sbx | Sandbox/experimentation |
Tagging Convention
All AWS resources must carry these standard tag keys:

| Tag Key | Example Value | Purpose |
|---|---|---|
| org | prv | Organization identifier |
| team | plt, eng, sec | Owning team |
| env | prd, stg, dev, sbx | Environment |
| purpose | ci-runner, monitoring | What this resource does |
| cost-center | plt, eng | Chargeback/showback |
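The IDC role-group pattern and the tagging convention above are both machine-checkable, which is how drift gets caught before it reaches an audit. The following is an added example (not tooling from the page or the org it describes): a small validator that parses role-group names against `prv-{owner}-role-aws-idc[-{scope}][-{env}]-{perm}`, parses account names against `{org}-{purpose}[-{env}]`, and checks a resource's tag set. The team and environment code sets are assumed to be exactly those listed on this page, the function names are hypothetical, and the sample inventory is constructed.

```python
"""Validators for the prv-* AWS naming and tagging conventions (added example)."""
import re

# Assumption: these are the owner/team and env codes used on this page.
TEAMS = {"plt", "eng", "sec", "fin"}
ENVS = {"prd", "stg", "dev", "sbx"}
ORG = "prv"
REQUIRED_TAG_KEYS = ("org", "team", "env", "purpose", "cost-center")

TOKEN = re.compile(r"^[a-z0-9]+$")  # one hyphen-separated token


def _tokens(name: str) -> list[str]:
    """Split a name on '-' and reject anything that is not lowercase alphanumerics."""
    parts = name.split("-")
    if not all(TOKEN.match(p) for p in parts):
        raise ValueError(f"{name!r}: tokens must be lowercase alphanumerics separated by '-'")
    return parts


def parse_idc_role(name: str) -> dict:
    """Parse prv-{owner}-role-aws-idc[-{scope}][-{env}]-{perm}.

    The last token is always {perm}; the token before it is {env} if it is an
    env code; whatever sits between 'idc' and those is {scope}.  A scope token
    that itself equals an env code would be ambiguous, so it is rejected.
    """
    parts = _tokens(name)
    if len(parts) < 6 or parts[0] != ORG or parts[2:5] != ["role", "aws", "idc"]:
        raise ValueError(f"{name!r}: does not match prv-{{owner}}-role-aws-idc...-{{perm}}")
    owner, perm = parts[1], parts[-1]
    if owner not in TEAMS:
        raise ValueError(f"{name!r}: unknown owner {owner!r}")
    middle = parts[5:-1]
    env = middle.pop() if middle and middle[-1] in ENVS else None
    if any(t in ENVS for t in middle):
        raise ValueError(f"{name!r}: scope token collides with an env code")
    return {"owner": owner, "scope": "-".join(middle) or None, "env": env, "perm": perm}


def parse_account_name(name: str) -> dict:
    """Parse {org}-{purpose}[-{env}]; a bare 'prv-sbx' has purpose 'sbx' and no env."""
    parts = _tokens(name)
    if len(parts) < 2 or parts[0] != ORG:
        raise ValueError(f"{name!r}: must start with {ORG}- and name a purpose")
    rest = parts[1:]
    env = rest.pop() if len(rest) >= 2 and rest[-1] in ENVS else None
    return {"org": ORG, "purpose": "-".join(rest), "env": env}


def check_tags(tags: dict) -> list[str]:
    """Return the list of problems with a tag set; an empty list means compliant."""
    problems = [f"missing tag {k}" for k in REQUIRED_TAG_KEYS if k not in tags]
    rules = {
        "org": lambda v: v == ORG,
        "team": lambda v: v in TEAMS,
        "env": lambda v: v in ENVS,
        "cost-center": lambda v: v in TEAMS,
        "purpose": lambda v: all(TOKEN.match(t) for t in v.split("-")),
    }
    for key, ok in rules.items():
        if key in tags and not ok(str(tags[key])):
            problems.append(f"bad value for {key}: {tags[key]!r}")
    return problems


def audit(inventory: list[dict]) -> dict[str, list[str]]:
    """Map each non-compliant resource ARN to its problems."""
    findings = {}
    for record in inventory:
        problems = check_tags(record["tags"])
        if problems:
            findings[record["arn"]] = problems
    return findings


if __name__ == "__main__":
    # Constructed sample inventory (fake account id and resource ids), not real resources.
    SAMPLE = [
        {"arn": "arn:aws:ec2:eu-west-1:111111111111:instance/i-0aaa",
         "tags": {"org": "prv", "team": "eng", "env": "dev",
                  "purpose": "ci-runner", "cost-center": "eng"}},
        {"arn": "arn:aws:s3:::prv-logging-archive",
         "tags": {"org": "prv", "team": "plt", "env": "production", "purpose": "logging"}},
    ]
    for arn, problems in audit(SAMPLE).items():
        print(arn, "->", "; ".join(problems))
    print(parse_idc_role("prv-eng-role-aws-idc-dev-developer"))
```

The parser deliberately rejects a role group whose scope token doubles as an env code; if the org ever needs such a scope, the pattern itself has to change, not the validator. Run `audit()` against an inventory pulled from the Resource Groups Tagging API, or wrap `check_tags()` in an AWS Config custom rule, to get the same check continuously.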
Shared Admin Account
`prv-plt-admin-aws@{domain}`

The email address of the AWS root user (the prv-root management account). Credentials are kept in the vault with two-person access. The root user is used only for:
- Initial Organizations setup
- Emergency breakglass
- Account recovery
Day-to-day admin work goes through Identity Center with time-boxed role grants.
Guardrails
- Never use root user credentials for daily operations.
- All access via Identity Center role groups.
- Production admin roles time-boxed to 30 days max.
- Billing access separate from infrastructure access.
- All accounts in Organizations (no standalone accounts).