1 réponse
- Le plus récent
- Le plus de votes
- La plupart des commentaires
2
You are absolutely right that this is an antipattern for Cloud and something that should be addressed. It is also not an easy task. A few various path that could be adopted:
- prevent use of unused services via SCP (any policies allowing those services will have no effect)
- use IAM boundaries to restrict what roles developers can create and assign
- use IaC to create roles
- define strict governance rules around IAM roles including naming conventions
- use compliance to detect non-compliant roles and remove them
- monitor creation of IAM roles via CloudTrail and alert on usage
Other ways I have seen but wouldn't recommend is to have a custom API available to developers to allow them to request a role. I personally prefer the compliance route with detective controls in place to identify undesired roles.
répondu il y a un an
Contenus pertinents
- demandé il y a un an
- demandé il y a 2 mois
- demandé il y a 6 mois
- demandé il y a un an
- AWS OFFICIELA mis à jour il y a 3 mois
- AWS OFFICIELA mis à jour il y a un an
- AWS OFFICIELA mis à jour il y a 2 ans
I'd add here that your company should engage with your local AWS account team as they can provide guidance.