Polaris Account Vending Portal


Demo Portal

Create a new AWS account in minutes.

Polaris Account Vending provides fast and governed AWS account creation.

This page is the new front-door concept for self-service account requests. It maps directly to our vending payload and governance flow.

What this demo covers now

Guided Request

Simple form fields matching account vending inputs and validation expectations.

Governed Defaults

Pre-filled OU and region intent aligned with our existing workflow baseline.

Identity Center Enrollment

New accounts are enrolled with IAM Identity Center group UAPP-AAD-AWSIAM-Admin.

Ready for Sign-in

Cognito login and JWT-protected API endpoints are now enforced.

New Account Request

Use a team-owned mailbox for account notifications.

Allowed: Swedish and Norwegian numbers only (+46 / +47).

Trust adds both subjects that GitHub issues for the selected environment: the branch-ref subject (repo:OWNER/REPO:ref:refs/heads/BRANCH) and the environment subject (repo:OWNER/REPO:environment:NAME). Convention: develop -> refs/heads/develop + environment:develop, stage -> refs/heads/stage + environment:stage, production -> refs/heads/main + environment:production.

Run Remediations (Existing Account)

Enrollment uses existing IAM Identity Center group UAPP-AAD-AWSIAM-Admin and permission set AWSAdministratorAccess.

Refresh CDK Bootstrap (Existing Account)

Ireland (eu-west-1) and Virginia (us-east-1) are PortalAdmin-only opt-in bootstrap targets.

Refreshes the target account CDKToolkit stack using the pinned bootstrap template version.

Manage Account Budget

New accounts receive a default 100 USD monthly cost budget with billing alerts sent to the SSO user email. Leave notification email blank when updating to keep the current recipient. PortalAdmin approval is required to set or update a budget above 100 USD.

Enable GitHub OIDC (Existing Account)

Repository owners are restricted to the allowlist polaris-media and stampen. A normal run sets the first trusted repository/environment, or repeats the same trust idempotently (no change). PortalAdmin approval is required to add a trust exception for an additional repository/environment or to replace the trust for correction.
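The trust rules above, as an added example that is not the portal's own code: it builds the IAM role trust policy for a GitHub Actions OIDC deployment role using the page's branch/environment convention, checks a token's sub and aud claims against that policy the way sts:AssumeRoleWithWebIdentity's StringEquals condition does, and enforces the owner allowlist plus the "first trust, idempotent repeat, PortalAdmin approval for anything else" rule. ALLOWED_OWNERS and ENV_BRANCH are taken from the page; the function names, the account ID and the repository name are assumptions.

```python
"""Added example (not the portal's code): GitHub OIDC trust policy construction,
claim evaluation and the first-trust / idempotent / approval-gated change rule."""
from __future__ import annotations
import json

GITHUB_OIDC = "token.actions.githubusercontent.com"
ALLOWED_OWNERS = {"polaris-media", "stampen"}            # from the page
ENV_BRANCH = {"develop": "develop", "stage": "stage", "production": "main"}  # page convention


def trusted_subjects(owner: str, repo: str, environment: str) -> list[str]:
    """The two `sub` values GitHub issues for a deployment job: the branch-ref form
    for plain workflow jobs and the environment form for jobs that declare `environment:`."""
    if owner not in ALLOWED_OWNERS:
        raise ValueError(f"owner {owner!r} is not allowlisted")
    if environment not in ENV_BRANCH:
        raise ValueError(f"unknown environment {environment!r}")
    return [
        f"repo:{owner}/{repo}:ref:refs/heads/{ENV_BRANCH[environment]}",
        f"repo:{owner}/{repo}:environment:{environment}",
    ]


def build_trust_policy(account_id: str, subjects: list[str]) -> dict:
    """Role trust policy: pin the audience and allow exactly these subjects (a list
    value under StringEquals matches any one of them)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{GITHUB_OIDC}:aud": "sts.amazonaws.com",
                f"{GITHUB_OIDC}:sub": sorted(subjects),
            }},
        }],
    }


def policy_subjects(policy: dict) -> set[str]:
    """Collect every trusted `sub` value from the policy's StringEquals conditions."""
    subs: set[str] = set()
    for stmt in policy.get("Statement", []):
        value = stmt.get("Condition", {}).get("StringEquals", {}).get(f"{GITHUB_OIDC}:sub", [])
        subs.update([value] if isinstance(value, str) else value)
    return subs


def token_is_trusted(policy: dict, sub: str, aud: str) -> bool:
    """Mirror the exact-match evaluation STS performs on the token's aud and sub claims."""
    return aud == "sts.amazonaws.com" and sub in policy_subjects(policy)


def apply_trust(account_id: str, current_policy: dict | None, owner: str, repo: str,
                environment: str, portal_admin_approved: bool = False,
                replace: bool = False) -> tuple[dict, str]:
    """Return (policy, outcome). A first trust or an identical repeat needs no approval;
    adding a second trust or replacing the existing one requires PortalAdmin approval."""
    requested = set(trusted_subjects(owner, repo, environment))
    existing = policy_subjects(current_policy) if current_policy else set()
    if not existing:
        return build_trust_policy(account_id, list(requested)), "created"
    if requested <= existing:
        return current_policy, "unchanged"           # idempotent repeat
    if not portal_admin_approved:
        raise PermissionError("changing an existing trust requires PortalAdmin approval")
    merged = requested if replace else existing | requested
    return build_trust_policy(account_id, list(merged)), ("replaced" if replace else "added")


if __name__ == "__main__":
    # Assumed account ID and repository name, for illustration only.
    policy, outcome = apply_trust("123456789012", None, "polaris-media", "example-app", "develop")
    print(outcome)
    print(json.dumps(policy, indent=2))
```

Note that a token minted for a pull_request event carries sub repo:OWNER/REPO:pull_request, so it is rejected by this policy even for an allowlisted repository; only the pinned branch ref and the named environment can assume the role.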

What Gets Bootstrapped And Fixed

After a successful account create request, the workflow runs a fixed sequence plus baseline security remediations across governed regions.

Execution Flow (Lambdas + Step Functions)

1. Validate request input in workflow Lambda: validate-request
2. Start provisioning in management Lambda: start-provision
3. Poll provisioning status: poll-provision
4. Apply account metadata and contacts: apply-account-metadata
5. Enroll account in IAM Identity Center admin group: apply-entra-group
6. Start bootstrap stack in new account: start-bootstrap
7. Poll bootstrap completion: poll-bootstrap
8. Run security remediations in parallel across governed regions
9. Optional standalone bootstrap refresh flow: AccountBootstrap-* (template version v30)

Controls And What They Fix

| Control | What it applies | Risk reduced |
| --- | --- | --- |
| IAM Identity Center Enrollment | Assigns existing group UAPP-AAD-AWSIAM-Admin with permission set AWSAdministratorAccess to the account | Missing initial administrative access path for the platform team |
| S3 Account Public Access Block | Enables all four account-level S3 Block Public Access settings (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, RestrictPublicBuckets) | Accidental public S3 data exposure |
| SSM Document Sharing Block | Sets the SSM service setting /ssm/documents/console/public-sharing-permission to Disable | Public exposure of SSM documents |
| Inspector Coverage | Enables Amazon Inspector scanning for EC2, ECR, Lambda, and Lambda code | Missed vulnerability and code-risk detection |
| EC2 Snapshot Public Block | Sets the EBS snapshot block-public-access state to block-all-sharing | Public EBS snapshot data leakage |
| ECR Scan On Push | Enables scan on push for all private ECR repositories | Container images promoted without vulnerability checks |
| CDK Bootstrap Refresh (v30) | Creates or updates the CDKToolkit stack and bootstrap resources using pinned template version 30 | Missing or outdated deployment roles, buckets, and trust policies for future CDK deployments |
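The remediation step (step 8 of the execution flow, one run per governed region) as an added example that is not the portal's Lambda code: plan_remediations() compares an observed snapshot of an account/region against the target values in the table above and returns only the fixes still needed, so a re-run on a compliant account is a no-op; observe_region() reads the live settings and apply_remediations() applies the plan with boto3 when run against a real account. The target values and the S3, SSM, EBS, Inspector and ECR API calls are the real ones; the snapshot dict keys, the function names and the FRESH_ACCOUNT sample are assumptions, and the sample is constructed, not real data. The CDK bootstrap refresh is a CloudFormation stack update and is not covered here.

```python
"""Added example (not the portal's code): plan, observe and apply the baseline
security remediations from the Controls table for one account/region."""
from __future__ import annotations

S3_PUBLIC_ACCESS_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                          "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
SSM_PUBLIC_SHARING_SETTING = "/ssm/documents/console/public-sharing-permission"
EBS_SNAPSHOT_BLOCK_STATE = "block-all-sharing"
INSPECTOR_RESOURCE_TYPES = ("EC2", "ECR", "LAMBDA", "LAMBDA_CODE")
# inspector2 batch_get_account_status resourceState key -> enable() resourceTypes value
INSPECTOR_STATE_KEYS = {"ec2": "EC2", "ecr": "ECR", "lambda": "LAMBDA", "lambdaCode": "LAMBDA_CODE"}


def plan_remediations(observed: dict) -> list[dict]:
    """Return the actions a snapshot still needs; only drifted settings produce one."""
    actions: list[dict] = []
    pab = observed.get("s3_public_access_block") or {}
    if any(pab.get(flag) is not True for flag in S3_PUBLIC_ACCESS_BLOCK):
        actions.append({"control": "s3_public_access_block", "set": dict(S3_PUBLIC_ACCESS_BLOCK)})
    if observed.get("ssm_public_sharing") != "Disable":
        actions.append({"control": "ssm_public_sharing", "set": "Disable"})
    if observed.get("ebs_snapshot_block_state") != EBS_SNAPSHOT_BLOCK_STATE:
        actions.append({"control": "ebs_snapshot_block", "set": EBS_SNAPSHOT_BLOCK_STATE})
    inspector = observed.get("inspector") or {}
    missing = [t for t in INSPECTOR_RESOURCE_TYPES if inspector.get(t) not in ("ENABLED", "ENABLING")]
    if missing:
        actions.append({"control": "inspector", "enable": missing})
    repos = sorted(name for name, on in (observed.get("ecr_repos") or {}).items() if not on)
    if repos:
        actions.append({"control": "ecr_scan_on_push", "repositories": repos})
    return actions


def observe_region(session, account_id: str, region: str) -> dict:
    """Read the live settings with boto3 (needs credentials in the target account)."""
    s3control = session.client("s3control", region_name=region)
    ssm = session.client("ssm", region_name=region)
    ec2 = session.client("ec2", region_name=region)
    inspector2 = session.client("inspector2", region_name=region)
    ecr = session.client("ecr", region_name=region)
    try:  # account-level setting; the API errors until someone has set it
        pab = s3control.get_public_access_block(AccountId=account_id)["PublicAccessBlockConfiguration"]
    except s3control.exceptions.NoSuchPublicAccessBlockConfiguration:
        pab = None
    state = inspector2.batch_get_account_status(accountIds=[account_id])["accounts"][0]["resourceState"]
    repos = {}
    for page in ecr.get_paginator("describe_repositories").paginate():
        for repo in page["repositories"]:
            repos[repo["repositoryName"]] = repo["imageScanningConfiguration"]["scanOnPush"]
    return {
        "s3_public_access_block": pab,
        "ssm_public_sharing": ssm.get_service_setting(SettingId=SSM_PUBLIC_SHARING_SETTING)["ServiceSetting"]["SettingValue"],
        "ebs_snapshot_block_state": ec2.get_snapshot_block_public_access_state()["State"],
        "inspector": {t: state.get(k, {}).get("status", "DISABLED") for k, t in INSPECTOR_STATE_KEYS.items()},
        "ecr_repos": repos,
    }


def apply_remediations(session, account_id: str, region: str, actions: list[dict]) -> None:
    """Execute a plan. S3 Block Public Access is account-wide; the other controls are regional."""
    for action in actions:
        control = action["control"]
        if control == "s3_public_access_block":
            session.client("s3control", region_name=region).put_public_access_block(
                AccountId=account_id, PublicAccessBlockConfiguration=action["set"])
        elif control == "ssm_public_sharing":
            session.client("ssm", region_name=region).update_service_setting(
                SettingId=SSM_PUBLIC_SHARING_SETTING, SettingValue=action["set"])
        elif control == "ebs_snapshot_block":
            session.client("ec2", region_name=region).enable_snapshot_block_public_access(State=action["set"])
        elif control == "inspector":
            session.client("inspector2", region_name=region).enable(resourceTypes=action["enable"])
        elif control == "ecr_scan_on_push":
            ecr = session.client("ecr", region_name=region)
            for name in action["repositories"]:
                ecr.put_image_scanning_configuration(
                    repositoryName=name, imageScanningConfiguration={"scanOnPush": True})


# Constructed snapshot of a freshly vended account before remediation (not real data).
FRESH_ACCOUNT = {
    "s3_public_access_block": None,
    "ssm_public_sharing": "Enable",
    "ebs_snapshot_block_state": "unblocked",
    "inspector": {t: "DISABLED" for t in INSPECTOR_RESOURCE_TYPES},
    "ecr_repos": {"api": False, "web": True},
}

if __name__ == "__main__":
    import sys
    for action in plan_remediations(FRESH_ACCOUNT):
        print(action)
    if len(sys.argv) == 3:  # python baseline.py <account-id> <region> runs against a real account
        import boto3
        session, account_id, region = boto3.Session(), sys.argv[1], sys.argv[2]
        plan = plan_remediations(observe_region(session, account_id, region))
        apply_remediations(session, account_id, region, plan)
```

Because the plan is derived from observed state rather than re-applied blindly, the same function serves both the post-create run and the "Run Remediations (Existing Account)" action, and the Step Functions map over governed regions can fan it out per region without a coordination step.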