SEC 3: How do you manage permissions for people and machines?

Manage permissions to control access to people and machine identities that require access to AWS and your workload. Permissions control who can access what, and under what conditions.

Resources

Become an IAM Policy Master in 60 Minutes or Less
Separation of Duties, Least Privilege, Delegation, and CI/CD
Grant least privilege
Working with Policies
IAM Access Analyzer
Remove unnecessary credentials
Attribute-based access control (ABAC)

Best Practices:

  • Define access requirements
  • Grant least privilege access
  • Establish emergency access process
  • Reduce permissions continuously
  • Define permission guardrails for your organization
  • Manage access based on life cycle
  • Analyze public and cross-account access
  • Share resources securely

Improvement Plan

Define access requirements

  • Define required privileges for job function and responsibilities: Based on the user's job function, role, or responsibilities, define which resources they need access to and the conditions that may apply. Group users with common requirements together to make delegation of policies easier.
    IAM use cases

Grant least privilege access

  • Implement least privilege policies: Assign access policies with least privilege to IAM groups and roles to reflect the user's role or function that you have defined.
    Grant least privilege
  • Remove unnecessary permissions: Implement least privilege by removing permissions that are unnecessary.
    Reducing policy scope by viewing user activity
    View role access
  • Consider permissions boundaries: A permissions boundary is an advanced feature that uses a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. An entity with a permissions boundary can perform only the actions that are allowed by both its identity-based policies and its permissions boundary.
    Lab: IAM permissions boundaries delegating role creation
  • Consider resource tags for permissions: You can use tags to control access to your AWS resources that support tagging. You can also tag IAM users and roles to control what they can access.
    Lab: IAM tag based access control for EC2
    Attribute-based access control (ABAC)
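As an added example that is not part of the AWS page, the following offline linter flags the over-broad patterns the least-privilege items above tell you to remove (wildcard actions, Resource "*" with no Condition, NotAction/NotResource grants) and shows an ABAC-style statement that passes. Both policy documents are constructed for the example; the tag name "team" is an assumption.

```python
import json

# Constructed sample policies (not from any real account). The first is the kind of
# over-broad grant least privilege says to remove; the second scopes access with an
# ABAC condition (the resource's tag must match the calling principal's own tag).
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    ],
})

ABAC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:StartInstances", "ec2:StopInstances"],
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringEquals": {
            "aws:ResourceTag/team": "${aws:PrincipalTag/team}"}},
    }],
})


def _as_list(value):
    """IAM accepts either a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json):
    """Return a list of (statement_index, finding) for over-broad Allow statements."""
    findings = []
    doc = json.loads(policy_json)
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access, never widen it
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((i, "NotAction/NotResource grants everything not listed"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((i, "wildcard action"))
        if "*" in resources and "Condition" not in stmt:
            findings.append((i, "Resource '*' with no Condition"))
    return findings


if __name__ == "__main__":
    for name, doc in (("overbroad", OVERBROAD_POLICY), ("abac", ABAC_POLICY)):
        print(name, lint_policy(doc) or "no findings")
```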
Establish emergency access process

  • Pre-provision emergency access: Pre-provisioning a role for emergency access from a trusted account, for example one used by the security team, can help you gain access quickly.
    Tutorial: Delegate Access Across AWS Accounts Using IAM Roles

Reduce permissions continuously

  • Configure IAM Access Analyzer: AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity.
    AWS IAM Access Analyzer

Define permission guardrails for your organization

  • Define common restrictions that apply to all identities: Based on your organization's unique requirements, for example access only to a specific AWS Region, create a number of restrictions that you can apply using AWS Organizations.
    AWS Organizations Service Control Policies
  • Use AWS Control Tower to manage guardrails: Based on your organization's unique requirements, for example access only to a specific AWS Region, use AWS Control Tower guardrails to apply the same restrictions across the accounts in your organization.
    AWS Control Tower Guardrails

Manage access based on life cycle

  • User access life cycle: Implement a user access life cycle policy for new users joining, job function changes, and users leaving, so that only current users retain access.

Analyze public and cross-account access

  • Configure IAM Access Analyzer: AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity.
    AWS IAM Access Analyzer

Share resources securely

  • Use AWS Resource Access Manager: AWS Resource Access Manager (RAM) is a service that enables you to easily and securely share AWS resources with any AWS account or within your AWS Organization.
    AWS Resource Access Manager