SEC 3: How do you manage permissions for people and machines?

Manage permissions to control access to people and machine identities that require access to AWS and your workload. Permissions control who can access what, and under what conditions.

Resources

Become an IAM Policy Master in 60 Minutes or Less
Separation of Duties, Least Privilege, Delegation, and CI/CD
Grant least privilege
Working with Policies
IAM Access Analyzer
Remove unnecessary credentials
Attribute-based access control (ABAC)

Best Practices:

• Define access requirements: Each component or resource of your workload needs to be accessed by administrators, end users, or other components. Have a clear definition of who or what should have access to each component, choose the appropriate identity type and method of authentication and authorization.

• Grant least privilege access: Grant only the access that identities require by allowing access to specific actions on specific AWS resources under specific conditions. Rely on groups and identity attributes to dynamically set permissions at scale, rather than defining permissions for individual users. For example, you can allow a group of developers access to manage only resources for their project. This way, when a developer is removed from the group, access for the developer is revoked everywhere that group was used for access control, without requiring any changes to the access policies.

• Establish emergency access process: A process that allows emergency access to your workload in the unlikely event of an automated process or pipeline issue. This will help you rely on least privilege access, but ensure users can obtain the right level of access when they require it. For example, establish a process for administrators to verify and approve their request.

• Reduce permissions continuously: As teams and workloads determine what access they need, remove permissions they no longer use and establish review processes to achieve least privilege permissions. Continuously monitor and reduce unused identities and permissions.

• Define permission guardrails for your organization: Establish common controls that restrict access to all identities in your organization. For example, you can restrict access to specific AWS Regions, or prevent your operators from deleting common resources, such as an IAM role used for your central security team.

• Manage access based on life cycle: Integrate access controls with operator and application life cycle and your centralized federation provider. For example, remove a user’s access when they leave the organization or change roles.

• Analyze public and cross account access: Continuously monitor findings that highlight public and cross account access. Reduce public access and cross account access to only resources that require this type of access.

• Share resources securely: Govern the consumption of shared resources across accounts or within your AWS Organization. Monitor shared resources and review shared resource access.

Improvement Plan

Define access requirements

Define required privileges for job function and responsibilities: Based on the user's job function, role, or responsibilities, define what resources that they need access to and the conditions that may apply. Group the users with common requirements together to make delegation of policies easier.
IAM use cases

Grant least privilege access

Implement least privilege policies: Assign access policies with least privilege to IAM groups and roles to reflect the user's role or function that you have defined.
Grant least privilege

Remove unnecessary permissions: Implement least privilege by removing permissions that are unnecessary.
Reducing policy scope by viewing user activity
View role access

Consider permissions boundaries: A permissions boundary is an advanced feature for using a managed policy that sets the maximum permissions that an identity-based policy can grant to an IAM entity. An entity's permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.
Lab: IAM permissions boundaries delegating role creation

Consider resource tags for permissions: You can use tags to control access to your AWS resources that support tagging. You can also tag IAM users and roles to control what they can access.
Lab: IAM tag based access control for EC2
Attribute-based access control (ABAC)

Establish emergency access process

Pre-provision emergency access: Pre-provisioning a role for emergency access from a trusted account, for example one that is used for security team, can help you gain access quickly.
Tutorial: Delegate Access Across AWS Accounts Using IAM Roles

Reduce permissions continuously

Configure IAM Access Analyzer: AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity.
AWS IAM Access Analyzer

Define permission guardrails for your organization

Define common restrictions that apply to all identities: Based on your organizations's unique requirements, for example access only to a specific AWS Region, create a number of restrictions that you can apply using AWS Organizations.
AWS Organizations Service Control Policies

Use AWS Control Tower to manage guardrails: Based on your organizations's unique requirements, for example access only to a specific AWS Region, create a number of restrictions that you can apply using AWS Organizations.
AWS Control Tower Guardrails

Manage access based on life cycle

User access life cycle: Implement a user access life cycle policy for new users joining, job function changes, and users leaving to facilitate that only current users have access.

Analyze public and cross account access

Configure IAM Access Analyzer: AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity.
AWS IAM Access Analyzer

Share resources securely

Use AWS Resource Access Manager: AWS Resource Access Manager (RAM) is a service that enables you to easily and securely share AWS resources with any AWS account or within your AWS Organization.
AWS Resource Access Manager