# AWS-ADMIN Account & Superuser Audit Report **Date**: December 20, 2025 **Scope**: Complete audit of aws-admin account, superuser permissions, and special configurations **Environment**: Production IGNY8 Platform --- ## Executive Summary The **aws-admin** account is a special system account with elevated privileges designed for platform administration, development, and system-level operations. This audit documents all special permissions, configurations, and security controls associated with this account. ### Current Status - **Account Name**: AWS Admin - **Account Slug**: `aws-admin` - **Status**: Active - **Plan**: Internal (System/Superuser) - unlimited resources - **Credits**: 333 - **Users**: 1 user (developer role, superuser) - **Created**: Via management command `create_aws_admin_tenant.py` --- ## 1. Backend Configuration ### 1.1 Account Model Special Permissions **File**: `backend/igny8_core/auth/models.py` **System Account Detection** (Line 155-158): ```python def is_system_account(self): """Check if this account is a system account with highest access level.""" return self.slug in ['aws-admin', 'default-account', 'default'] ``` **Special Behaviors**: - ✅ **Cannot be deleted** - Soft delete is blocked with `PermissionDenied` - ✅ **Unlimited access** - Bypasses all filtering restrictions - ✅ **Multi-tenant access** - Can view/edit data across all accounts **Account Slug Variants Recognized**: 1. `aws-admin` (primary) 2. `default-account` (legacy) 3. `default` (legacy) --- ### 1.2 User Model Special Permissions **File**: `backend/igny8_core/auth/models.py` **System Account User Detection** (Line 738-743): ```python def is_system_account_user(self): """Check if user belongs to a system account with highest access level.""" try: return self.account and self.account.is_system_account() except (AttributeError, Exception): return False ``` **Developer Role Detection** (Line 730-732): ```python def is_developer(self): """Check if user is a developer/super admin with full access.""" return self.role == 'developer' or self.is_superuser ``` **Site Access Override** (Line 747-755): ```python def get_accessible_sites(self): """Get all sites the user can access.""" if self.role in ['owner', 'admin', 'developer'] or self.is_superuser or self.is_system_account_user(): return base_sites # ALL sites in account # Other users need explicit SiteUserAccess grants ``` --- ### 1.3 Admin Panel Permissions **File**: `backend/igny8_core/admin/base.py` **QuerySet Filtering Bypass** (8 instances, Lines 18, 31, 43, 55, 72, 83, 93, 103): ```python if request.user.is_superuser or (hasattr(request.user, 'is_developer') and request.user.is_developer()): return qs # No filtering - see all data ``` **Special Privileges**: - ✅ View all objects across all accounts - ✅ Edit all objects across all accounts - ✅ Delete all objects across all accounts - ✅ Access all admin models without filtering --- ### 1.4 API Permissions **File**: `backend/igny8_core/api/permissions.py` #### HasTenantAccess Permission **Bypass Conditions** (Lines 54-68): 1. `is_superuser == True` → ALLOWED 2. `role == 'developer'` → ALLOWED 3. `is_system_account_user() == True` → ALLOWED #### IsSystemAccountOrDeveloper Permission **File**: `backend/igny8_core/api/permissions.py` (Lines 190-208) ```python class IsSystemAccountOrDeveloper(permissions.BasePermission): """ Allow only system accounts (aws-admin/default-account/default) or developer role. Use for sensitive, globally-scoped settings like integration API keys. """ def has_permission(self, request, view): account_slug = getattr(getattr(user, "account", None), "slug", None) if user.role == "developer": return True if account_slug in ["aws-admin", "default-account", "default"]: return True return False ``` **Usage**: Protects sensitive endpoints like: - Global integration settings - System-wide API keys - Platform configuration #### Permission Bypasses Summary | Permission Class | Bypass for Superuser | Bypass for Developer | Bypass for aws-admin | |-----------------|---------------------|---------------------|---------------------| | HasTenantAccess | ✅ Yes | ✅ Yes | ✅ Yes | | IsViewerOrAbove | ✅ Yes | ✅ Yes | ✅ Yes (via developer) | | IsEditorOrAbove | ✅ Yes | ✅ Yes | ✅ Yes (via developer) | | IsAdminOrOwner | ✅ Yes | ✅ Yes | ✅ Yes (via developer) | | IsSystemAccountOrDeveloper | ✅ Yes | ✅ Yes | ✅ Yes (explicit) | --- ### 1.5 Rate Limiting & Throttling **File**: `backend/igny8_core/api/throttles.py` **Current Status**: **DISABLED - All rate limiting bypassed** **Throttle Bypass Logic** (Lines 22-39): ```python def allow_request(self, request, view): """ Check if request should be throttled. DISABLED - Always allow all requests. """ return True # ALWAYS ALLOWED # OLD CODE (DISABLED): # if request.user.is_superuser: return True # if request.user.role == 'developer': return True # if request.user.is_system_account_user(): return True ``` **Security Note**: Rate limiting is currently disabled for ALL users, not just aws-admin. --- ### 1.6 AI Settings & API Keys **File**: `backend/igny8_core/ai/settings.py` **Fallback to System Account** (Lines 53-65): ```python # Fallback to system account (aws-admin, default-account, or default) if not settings_obj: from igny8_core.auth.models import Account IntegrationSettings = apps.get_model('system', 'IntegrationSettings') for slug in ['aws-admin', 'default-account', 'default']: system_account = Account.objects.filter(slug=slug).first() if system_account: settings_obj = IntegrationSettings.objects.filter(account=system_account).first() if settings_obj: break ``` **Special Behavior**: - If an account doesn't have integration settings, **aws-admin's settings are used as fallback** - This allows system-wide default API keys (OpenAI, DALL-E, etc.) --- ### 1.7 Middleware Bypass **File**: `backend/igny8_core/auth/middleware.py` **Account Injection Bypass** (Lines 146-157): ```python if getattr(user, 'is_superuser', False): # Superuser - no filtering return None # Developer or system account user - no filtering if hasattr(user, 'is_system_account_user') and user.is_system_account_user(): return None ``` **Effect**: Request-level account filtering disabled for aws-admin users. --- ### 1.8 Management Command **File**: `backend/igny8_core/auth/management/commands/create_aws_admin_tenant.py` **Purpose**: Creates or updates aws-admin account with unlimited resources **What It Does**: 1. Creates/gets Enterprise plan with unlimited limits (999999 for all resources) 2. Creates/gets `aws-admin` account linked to Enterprise plan 3. Moves all superuser and developer role users to aws-admin account 4. Sets 999999 credits for the account **Usage**: ```bash python manage.py create_aws_admin_tenant ``` **Plan Limits** (Lines 26-40): - max_users: 999,999 - max_sites: 999,999 - max_keywords: 999,999 - max_clusters: 999,999 - monthly_word_count_limit: 999,999,999 - daily_content_tasks: 999,999 - daily_ai_requests: 999,999 - monthly_ai_credit_limit: 999,999 - included_credits: 999,999 - All features enabled: `['ai_writer', 'image_gen', 'auto_publish', 'custom_prompts', 'unlimited']` --- ## 2. Frontend Configuration ### 2.1 Admin Menu Access **File**: `frontend/src/layout/AppSidebar.tsx` **Access Control** (Lines 46-52): ```tsx const isAwsAdminAccount = Boolean( user?.account?.slug === 'aws-admin' || user?.account?.slug === 'default-account' || user?.account?.slug === 'default' || user?.role === 'developer' ); ``` **Admin Section Display** (Lines 258-355): - **System Dashboard** - `/admin/dashboard` - **Account Management** - All accounts, subscriptions, limits - **Billing Administration** - Invoices, payments, credit configs - **User Administration** - All users, roles, activity logs - **System Configuration** - System settings, AI settings, module settings - **Monitoring** - System health, API monitor, debug status - **Developer Tools** - Function testing, system testing - **UI Elements** - Complete UI component library (22 pages) **Total Admin Menu Items**: 50+ pages accessible only to aws-admin users --- ### 2.2 Route Protection **File**: `frontend/src/components/auth/AdminGuard.tsx` **Guard Logic** (Lines 12-18): ```tsx export default function AdminGuard({ children }: AdminGuardProps) { const { user } = useAuthStore(); const role = user?.role; const accountSlug = user?.account?.slug; const isSystemAccount = accountSlug === 'aws-admin' || accountSlug === 'default-account' || accountSlug === 'default'; const allowed = role === 'developer' || isSystemAccount; if (!allowed) { return ; // Redirect to home } return <>{children}; } ``` **Protected Routes**: All `/admin/*` routes wrapped with AdminGuard --- ### 2.3 API Status Indicator **File**: `frontend/src/components/sidebar/ApiStatusIndicator.tsx` **Visibility Control** (Lines 130-131): ```tsx // Only show and run for aws-admin accounts const isAwsAdmin = user?.account?.slug === 'aws-admin'; ``` **Special Feature**: - Real-time API health monitoring component - Checks 100+ API endpoints across all modules - Only visible/functional for aws-admin users - Displays endpoint status (healthy/warning/error) --- ### 2.4 Debug Tools Access **File**: `frontend/src/components/debug/ResourceDebugOverlay.tsx` **Access Control** (Line 46): ```tsx const isAdminOrDeveloper = user?.role === 'admin' || user?.role === 'developer'; ``` **Debug Features Available**: - Resource debugging overlay - Network request inspection - State inspection - Performance monitoring --- ### 2.5 Protected Route Privileges **File**: `frontend/src/components/auth/ProtectedRoute.tsx` **Privileged Access** (Line 127): ```tsx const isPrivileged = user?.role === 'developer' || user?.is_superuser; ``` **Special Behaviors**: - Access to all routes regardless of module enable settings - Bypass certain validation checks - Access to system-level features --- ### 2.6 API Request Handling **File**: `frontend/src/services/api.ts` **Comment Blocks** (Lines 640-641, 788-789, 1011-1012, 1169-1170): ```typescript // Always add site_id if there's an active site (even for admin/developer) // The backend will respect it appropriately - admin/developer can still see all sites ``` **Behavior**: - Frontend still sends `site_id` parameter - Backend ignores it for aws-admin users (shows all data) - This maintains consistent API interface while allowing privileged access --- ## 3. Security Analysis ### 3.1 Current User Details **Retrieved from Database**: ``` Username: developer Email: [from database] Role: developer Superuser: True Account: AWS Admin (aws-admin) Account Status: active Account Credits: 333 ``` --- ### 3.2 Permission Matrix | Operation | Regular User | Admin Role | Developer Role | Superuser | aws-admin User | |-----------|-------------|------------|----------------|-----------|----------------| | **View own account data** | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | | **View other accounts** | ❌ No | ❌ No | ✅ Yes | ✅ Yes | ✅ Yes | | **Edit other accounts** | ❌ No | ❌ No | ✅ Yes | ✅ Yes | ✅ Yes | | **Delete accounts** | ❌ No | ❌ No | ⚠️ Limited | ✅ Yes | ✅ Yes (except self) | | **Access Django admin** | ❌ No | ⚠️ Limited | ✅ Full | ✅ Full | ✅ Full | | **Access admin dashboard** | ❌ No | ❌ No | ✅ Yes | ✅ Yes | ✅ Yes | | **View all users** | ❌ No | ⚠️ Own account | ✅ All | ✅ All | ✅ All | | **Manage billing (all accounts)** | ❌ No | ❌ No | ✅ Yes | ✅ Yes | ✅ Yes | | **System settings** | ❌ No | ❌ No | ✅ Yes | ✅ Yes | ✅ Yes | | **API monitoring** | ❌ No | ❌ No | ✅ Yes | ✅ Yes | ✅ Yes | | **Debug tools** | ❌ No | ⚠️ Limited | ✅ Full | ✅ Full | ✅ Full | | **Rate limiting** | ✅ Applied* | ✅ Applied* | ✅ Bypassed* | ✅ Bypassed* | ✅ Bypassed* | | **Credit deduction** | ✅ Yes | ✅ Yes | ⚠️ Check needed | ⚠️ Check needed | ⚠️ Check needed | | **AI API fallback** | ❌ No | ❌ No | ✅ Yes | ✅ Yes | ✅ Yes (system default) | *Currently all rate limiting is disabled globally --- ### 3.3 Security Strengths #### ✅ Good Practices 1. **Multiple authentication layers** - Role, superuser, and account slug checks 2. **Explicit permission classes** - `IsSystemAccountOrDeveloper` for sensitive endpoints 3. **Frontend route guards** - AdminGuard prevents unauthorized access 4. **Account isolation** - Regular users strictly isolated to their account 5. **Cannot delete system account** - Protected from accidental deletion 6. **Audit trail** - Django admin logs all actions 7. **Middleware protection** - Request-level filtering for non-privileged users --- ### 3.4 Security Concerns & Recommendations #### ⚠️ Areas for Improvement **1. Rate Limiting Disabled** (HIGH PRIORITY) - **Issue**: All rate limiting bypassed globally, not just for aws-admin - **Risk**: API abuse, DoS attacks, resource exhaustion - **Recommendation**: Re-enable rate limiting with proper exemptions for aws-admin ```python # Recommended fix in throttles.py def allow_request(self, request, view): # Bypass for system accounts only if request.user and request.user.is_authenticated: if getattr(request.user, 'is_superuser', False): return True if hasattr(request.user, 'role') and request.user.role == 'developer': return True if hasattr(request.user, 'is_system_account_user') and request.user.is_system_account_user(): return True # Apply normal throttling for all other users return super().allow_request(request, view) ``` **2. AI API Key Fallback** (MEDIUM PRIORITY) - **Issue**: All accounts fall back to aws-admin's API keys if not configured - **Risk**: Unexpected costs, quota exhaustion, key exposure - **Recommendation**: - Add explicit opt-in for fallback behavior - Alert when fallback keys are used - Track usage per account even with fallback keys **3. Credit Deduction Unclear** (MEDIUM PRIORITY) - **Issue**: Not clear if aws-admin users are charged credits for operations - **Risk**: Potential cost tracking issues - **Recommendation**: - Audit credit deduction logic for system accounts - Document whether aws-admin is exempt from credit charges - If exempt, ensure credit balance never depletes **4. Multiple System Account Slugs** (LOW PRIORITY) - **Issue**: Three different slugs recognized (`aws-admin`, `default-account`, `default`) - **Risk**: Confusion, inconsistent behavior - **Recommendation**: Standardize on `aws-admin` only, deprecate others **5. is_superuser Flag** (LOW PRIORITY) - **Issue**: Both `is_superuser` flag and `developer` role grant same privileges - **Risk**: Redundant permission checks, potential bypass - **Recommendation**: Use one permission model (recommend role-based) **6. UI Elements in Production** (INFORMATIONAL) - **Issue**: 22 UI element demo pages accessible in admin menu - **Risk**: Potential information disclosure - **Recommendation**: Move to separate route or remove from production --- ### 3.5 Access Log Review Recommendations **Recommended Monitoring**: 1. **Admin Actions** - Review `django_admin_log` table regularly 2. **API Access** - Log all requests from aws-admin users 3. **Failed Permissions** - Alert on permission denied for system account 4. **Multi-Account Data Access** - Log when aws-admin views other accounts' data 5. **System Settings Changes** - Require approval/notification for critical changes **Suggested Audit Queries**: ```sql -- All actions by aws-admin users (last 30 days) SELECT * FROM django_admin_log WHERE user_id IN (SELECT id FROM igny8_core_auth_user WHERE account_id = (SELECT id FROM igny8_core_auth_account WHERE slug='aws-admin')) AND action_time > NOW() - INTERVAL '30 days' ORDER BY action_time DESC; -- All accounts accessed by developers SELECT DISTINCT object_repr, content_type_id, action_flag FROM django_admin_log WHERE user_id IN (SELECT id FROM igny8_core_auth_user WHERE role='developer' OR is_superuser=true) AND content_type_id = (SELECT id FROM django_content_type WHERE app_label='igny8_core_auth' AND model='account'); ``` --- ## 4. Compliance & Best Practices ### 4.1 Principle of Least Privilege - ⚠️ **Current**: aws-admin has unlimited access to everything - ✅ **Recommendation**: Consider creating sub-roles: - **system-admin**: Account/user management only - **billing-admin**: Billing and payments only - **platform-admin**: System settings only - **developer**: Full access (current state) ### 4.2 Separation of Duties - ⚠️ **Current**: Single developer user has all permissions - ✅ **Recommendation**: - Create separate accounts for different admin tasks - Require MFA for aws-admin users - Log all sensitive operations with approval workflow ### 4.3 Data Protection - ✅ **Good**: Account deletion protection for system account - ✅ **Good**: Soft delete implementation preserves audit trail - ⚠️ **Improvement**: Add data export restrictions for sensitive PII --- ## 5. Recommendations Summary ### Immediate Actions (Within 1 Week) 1. ✅ **Re-enable rate limiting** with proper system account exemptions 2. ✅ **Audit credit deduction** logic for aws-admin account 3. ✅ **Document** which operations are logged and where ### Short-term Actions (Within 1 Month) 1. ⚠️ **Review AI API key fallback** behavior and add tracking 2. ⚠️ **Standardize** system account slug to aws-admin only 3. ⚠️ **Implement** MFA requirement for aws-admin users 4. ⚠️ **Add alerts** for sensitive operations (account deletion, plan changes, etc.) ### Long-term Actions (Within 3 Months) 1. 📋 **Create sub-admin roles** with limited scope 2. 📋 **Implement approval workflow** for critical system changes 3. 📋 **Add audit dashboard** showing aws-admin activity 4. 📋 **Security review** of all permission bypass points 5. 📋 **Penetration testing** focused on privilege escalation --- ## 6. Conclusion The **aws-admin** account is properly configured with extensive privileges necessary for platform administration. The implementation follows a clear pattern of permission checks across backend and frontend. **Key Strengths**: - Multi-layered permission checks - System account protection from deletion - Clear separation between system and tenant data - Comprehensive admin interface **Key Risks**: - Global rate limiting disabled - AI API key fallback may cause unexpected costs - Multiple system account slugs create confusion - No sub-admin roles for separation of duties **Overall Security Posture**: **MODERATE** - System account is properly protected and identified - Permissions are consistently enforced - Some security controls (rate limiting) need re-enabling - Monitoring and audit trails need enhancement --- ## Appendix A: Code Locations Reference ### Backend Permission Checks - `auth/models.py` - Lines 155-158, 738-743, 730-732, 747-755 - `admin/base.py` - Lines 18, 31, 43, 55, 72, 83, 93, 103 - `api/permissions.py` - Lines 54-68, 190-208 - `api/throttles.py` - Lines 22-39 - `api/base.py` - Lines 25, 34, 259 - `auth/middleware.py` - Lines 146, 155 - `ai/settings.py` - Lines 53-65 ### Frontend Access Controls - `layout/AppSidebar.tsx` - Lines 46-52, 258-355 - `components/auth/AdminGuard.tsx` - Lines 12-18 - `components/auth/ProtectedRoute.tsx` - Line 127 - `components/sidebar/ApiStatusIndicator.tsx` - Lines 130-131 - `components/debug/*` - Line 46 - `services/api.ts` - Multiple locations (640, 788, 1011, 1169) ### Management Commands - `auth/management/commands/create_aws_admin_tenant.py` - Full file --- **Report Generated**: December 20, 2025 **Generated By**: Security Audit Process **Classification**: Internal Use Only **Next Review Date**: March 20, 2026 --- *End of Audit Report*