Utilize our 'Authorizer' method of approval rather than 'Approver'.
This only requires a single person to approve the action rather than all.
See the details below regarding Approvers and Authorizers:
⦁ Approvers: Responsible for validating that a requested action is acceptable. When an action is triggered, they receive an email notification through which they must approve the action. Upon approval, the action passes to the next Approver in the sequence.
⦁ Authorizer: After all Approvers have signed off on the action, the request is sent to an Authorizer to provision a temporary least privilege token that allows the token bearer to make a request using the AWS Security Token Service. The platform uses this token to perform an action on behalf of the user.
Setup Actions
1. Select Setup > Governance > Actions to view preconfigured actions that
You can add one or more authorizers to these preconfigured actions by clicking Update.
2. Alternatively, create your own actions to build a chain of approvers and authorizers. Click Create Action.
3. Create a sequence of events that make up the action.
Considerations
- If you have multiple approvers set up on a custom action, an approval email is sent only to the first email listed. The platform will not seek the approval of the next person listed until that first person approves. Only if every approver approves the request will the platform execute the action.
- Policies can involve complex workflows, sometimes including authorizers and approvers. When a policy containing one of these is triggered, the approver or authorizer receives an email/notification prompting them to approve or authorize the action/step in the policy rule. Once the authorizer/approver has received the email/notification, they have 3 days to approve or authorize the action.
- Incomplete approvals and authorizations can lead to a status of "pending" in some menus, including the health check status.
- The user may not have the appropriate AWS permissions to carry out the action in the policy.
- When setting up a policy to follow the authorizer workflow, meaning it is not a fully automatic action, the Authorizer is sent to AWS to retrieve their secure access token. This token represents that user, and the platform uses it to perform the action on their behalf. We are not using a platform IAM policy to perform the action; we are using the user's own IAM policy. In other words, if an action in a policy is configured for an authorizer to accept it but that user's AWS account does not have access to the infrastructure the action targets, the policy will not work as expected.
- The On/Off button for actions in the setup does not have any function other than editing the generated policy to include the necessary permissions to accomplish the action automatically via the platform.
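The following is an added illustration, not the platform's own code, of the sequence described under Approvers and Authorizer and the Considerations above: approvers are notified one at a time and must sign off in order, the request lapses if nobody acts within 3 days, and the authorizer step yields a temporary token scoped to a single action that is only granted when the authorizer's own IAM policy (not the platform's) allows it. The user names, the simplified IAM policy table, the token dictionary, the status names and the 15-minute token lifetime are all assumptions made for the example; real STS credentials and IAM evaluation are more involved.

```python
"""Model of a sequential approver chain followed by an authorizer step.

Added example; the platform's real workflow, token format and IAM handling
are not shown on the page, so everything below is an assumption.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase
from typing import Dict, List, Optional

APPROVAL_WINDOW = timedelta(days=3)       # approvers/authorizers have 3 days to act
TOKEN_LIFETIME = timedelta(minutes=15)    # assumed lifetime of the temporary token

# Constructed stand-in for each user's *own* IAM policy:
# user -> list of (allowed action pattern, allowed resource pattern).
IAM_POLICIES: Dict[str, List[tuple]] = {
    "carol@example.com": [("ec2:StopInstances", "arn:aws:ec2:*:*:instance/*")],
    "dave@example.com": [("s3:GetObject", "arn:aws:s3:::reports/*")],
}


@dataclass
class ActionRequest:
    action: str                     # e.g. "ec2:StopInstances"
    resource: str                   # ARN the action targets
    approvers: List[str]            # ordered chain; each must approve in turn
    authorizer: str                 # single user who provisions the token
    triggered_at: datetime
    approvals: List[str] = field(default_factory=list)
    status: str = "pending"         # pending | expired | failed | authorized


def next_recipient(req: ActionRequest) -> Optional[str]:
    """Who gets the next email: the first approver who has not signed off,
    then the authorizer once every approver has; None when nothing is pending."""
    if req.status != "pending":
        return None
    for user in req.approvers:
        if user not in req.approvals:
            return user
    return req.authorizer


def _within_window(req: ActionRequest, now: datetime) -> bool:
    """Nobody acted within 3 days: the request stays incomplete and is marked expired."""
    if now - req.triggered_at > APPROVAL_WINDOW:
        req.status = "expired"
        return False
    return True


def approve(req: ActionRequest, user: str, now: datetime) -> bool:
    """Record an approval; only the next approver in the sequence may act."""
    if not _within_window(req, now):
        return False
    if user not in req.approvers or user in req.approvals or next_recipient(req) != user:
        return False                # out of sequence, already approved, or not an approver
    req.approvals.append(user)
    return True


def _user_allows(user: str, action: str, resource: str) -> bool:
    """Evaluate the authorizer's own IAM policy, never a platform policy."""
    return any(fnmatchcase(action, a) and fnmatchcase(resource, r)
               for a, r in IAM_POLICIES.get(user, []))


def authorize(req: ActionRequest, user: str, now: datetime) -> Optional[dict]:
    """After all approvers have signed off, the authorizer obtains a temporary
    least-privilege token. Returns the token, or None (and marks the request
    failed when the user's IAM policy does not cover the action)."""
    if not _within_window(req, now):
        return None
    if user != req.authorizer or next_recipient(req) != user:
        return None                 # wrong person, or approvals still outstanding
    if not _user_allows(user, req.action, req.resource):
        req.status = "failed"       # the AccessDenied case described in Considerations
        return None
    req.status = "authorized"
    return {                        # assumed shape, standing in for STS credentials
        "bearer": user,
        "allowed_action": req.action,
        "allowed_resource": req.resource,
        "expires_at": now + TOKEN_LIFETIME,
    }


def execute(token: dict, action: str, resource: str, now: datetime) -> bool:
    """The platform may perform exactly the action the token was provisioned for,
    and only while the token is still valid."""
    return (now < token["expires_at"]
            and action == token["allowed_action"]
            and resource == token["allowed_resource"])


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    req = ActionRequest("ec2:StopInstances",
                        "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc",  # constructed ARN
                        ["alice@example.com", "bob@example.com"], "carol@example.com", t0)
    print("first email goes to:", next_recipient(req))
    approve(req, "alice@example.com", t0)
    approve(req, "bob@example.com", t0 + timedelta(days=1))
    token = authorize(req, "carol@example.com", t0 + timedelta(days=2))
    print("status:", req.status, "token:", token)
```

Walking a request through `approve` for each listed approver and then `authorize` for the authorizer reproduces the three failure modes from the Considerations list: an out-of-order approval is ignored, a request nobody acts on within 3 days ends up `expired` rather than executed, and an authorizer whose own IAM policy lacks the permission yields no token and a `failed` status even though every approver signed off.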