1 Answer
2
You are absolutely right that this is an antipattern for Cloud and something that should be addressed. It is also not an easy task. A few paths that could be adopted:
- prevent use of unused services via SCP (any policies allowing those services will have no effect)
- use IAM boundaries to restrict what roles developers can create and assign
- use IaC to create roles
- define strict governance rules around IAM roles including naming conventions
- use compliance to detect non-compliant roles and remove them
- monitor creation of IAM roles via CloudTrail and alert on usage
Another way I have seen, but wouldn't recommend, is to have a custom API available to developers to allow them to request a role. I personally prefer the compliance route with detective controls in place to identify undesired roles.
answered a year ago
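As an added example (not code from the answer or from AWS), this implements the detective-control route from the list above: a check over CloudTrail `CreateRole` events that flags roles created without the required permissions boundary, outside the naming convention, or by any principal other than the IaC pipeline. The boundary ARN, naming pattern, pipeline principal and sample events are constructed placeholders, not values from the post.

```python
from __future__ import annotations
import re
from typing import Iterable

# Constructed governance assumptions (not from the post): the permissions boundary every
# developer-created role must carry, the naming convention, and the IaC pipeline principal.
REQUIRED_BOUNDARY = "arn:aws:iam::123456789012:policy/DeveloperBoundary"  # placeholder account
NAME_PATTERN = re.compile(r"^app-[a-z0-9-]+-role$")
IAC_PRINCIPAL_ARN = "arn:aws:sts::123456789012:assumed-role/TerraformDeploy/pipeline"  # placeholder


def check_create_role(event: dict) -> list[str]:
    """Return findings for one CloudTrail iam:CreateRole event (empty list if compliant)."""
    findings: list[str] = []
    if event.get("eventSource") != "iam.amazonaws.com" or event.get("eventName") != "CreateRole":
        return findings  # not a role creation; nothing to check
    params = event.get("requestParameters") or {}
    role_name = params.get("roleName", "")
    actor = (event.get("userIdentity") or {}).get("arn", "")
    # CloudTrail records the boundary ARN as requestParameters.permissionsBoundary when set.
    if params.get("permissionsBoundary") != REQUIRED_BOUNDARY:
        findings.append(f"{role_name}: missing or wrong permissions boundary")
    if not NAME_PATTERN.match(role_name):
        findings.append(f"{role_name}: name violates convention")
    if actor != IAC_PRINCIPAL_ARN:
        findings.append(f"{role_name}: created outside the IaC pipeline by {actor}")
    return findings


def scan(events: Iterable[dict]) -> list[str]:
    """Run the check over a batch of CloudTrail events (e.g. one delivered log file)."""
    return [finding for event in events for finding in check_create_role(event)]


# Constructed sample events in CloudTrail's JSON shape (not real log data).
SAMPLE_EVENTS = [
    {  # compliant: created by the IaC pipeline, boundary attached, conventional name
        "eventSource": "iam.amazonaws.com", "eventName": "CreateRole",
        "userIdentity": {"arn": IAC_PRINCIPAL_ARN},
        "requestParameters": {"roleName": "app-orders-role", "permissionsBoundary": REQUIRED_BOUNDARY},
    },
    {  # non-compliant: a developer creates a role by hand with no boundary
        "eventSource": "iam.amazonaws.com", "eventName": "CreateRole",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"},
        "requestParameters": {"roleName": "AliceAdminRole"},
    },
    {  # unrelated IAM event, ignored by the check
        "eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"},
        "requestParameters": {"roleName": "AliceAdminRole"},
    },
]
```

Wired to CloudTrail delivery (an EventBridge rule or an S3-triggered function), the findings list is what feeds the alert or the automated removal step the answer describes.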
I'd add here that your company should engage with your local AWS account team as they can provide guidance.