1 answer
2
You are absolutely right that this is an antipattern for Cloud and something that should be addressed. It is also not an easy task. A few different paths that could be adopted:
- prevent use of unused services via SCP (any policies allowing those services will have no effect)
- use IAM boundaries to restrict what roles developers can create and assign
- use IaC to create roles
- define strict governance rules around IAM roles including naming conventions
- use compliance to detect non-compliant roles and remove them
- monitor creation of IAM roles via CloudTrail and alert on usage
Another way I have seen, but wouldn't recommend, is to have a custom API available to developers to allow them to request a role. I personally prefer the compliance route, with detective controls in place to identify undesired roles.
answered 1 year ago
I'd add here that your company should engage with your local AWS account team as they can provide guidance.
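The answer above favours detective controls (CloudTrail monitoring plus compliance checks) over blocking role creation outright. The following is an added example, not code from the original answer or from AWS, of what such a detective control looks like: it evaluates CloudTrail `CreateRole` records against the kinds of governance rules the answer lists (a naming convention, a mandatory permissions boundary, and creation only via the IaC pipeline) and additionally flags over-permissive trust policies. The account ID, role and policy ARNs, naming pattern, and the sample CloudTrail records are all constructed for this example; the record shape follows CloudTrail's `CreateRole` events, where the trust policy arrives as a URL-encoded JSON string.

```python
"""Detective control: flag IAM roles created outside the agreed governance rules.

Added example, not part of the original post. Runs offline over constructed
CloudTrail CreateRole records; every ARN, account ID and rule below is hypothetical.
"""
import json
import re
from urllib.parse import quote, unquote

# --- Governance rules (assumed for this example) ------------------------------
ACCOUNT_ID = "123456789012"
ROLE_NAME_PATTERN = re.compile(r"^app-[a-z0-9]+(-[a-z0-9]+)*-role$")
REQUIRED_BOUNDARY = f"arn:aws:iam::{ACCOUNT_ID}:policy/DeveloperBoundary"
# Only the IaC pipeline role may create roles directly; anyone else is a finding.
IAC_PRINCIPAL_PREFIX = f"arn:aws:sts::{ACCOUNT_ID}:assumed-role/TerraformDeployRole/"


def _trust_policy(request_params):
    """CloudTrail stores assumeRolePolicyDocument as a URL-encoded JSON string."""
    try:
        return json.loads(unquote(request_params.get("assumeRolePolicyDocument", "")))
    except json.JSONDecodeError:
        return None


def _principals(statement):
    """Yield every principal identifier named in a trust-policy statement."""
    principal = statement.get("Principal", {})
    if principal == "*":          # "Principal": "*" (string form)
        yield "*"
        return
    for value in principal.values():  # {"AWS": ..., "Service": ..., "Federated": ...}
        yield from value if isinstance(value, list) else [value]


def check_create_role_event(event):
    """Return a list of findings for one CloudTrail record; an empty list means compliant."""
    if event.get("eventSource") != "iam.amazonaws.com" or event.get("eventName") != "CreateRole":
        return []
    findings = []
    params = event.get("requestParameters") or {}
    role_name = params.get("roleName", "")

    if not ROLE_NAME_PATTERN.match(role_name):
        findings.append(f"name '{role_name}' violates naming convention")
    if params.get("permissionsBoundary") != REQUIRED_BOUNDARY:
        findings.append("missing or wrong permissions boundary")
    actor = (event.get("userIdentity") or {}).get("arn", "")
    if not actor.startswith(IAC_PRINCIPAL_PREFIX):
        findings.append(f"created outside IaC by {actor or 'unknown principal'}")

    trust = _trust_policy(params)
    if trust is None:
        findings.append("trust policy unparseable")
        return findings
    statements = trust.get("Statement", [])
    for stmt in [statements] if isinstance(statements, dict) else statements:
        if stmt.get("Effect") != "Allow":
            continue
        for p in _principals(stmt):
            if p == "*":
                findings.append("trust policy allows any principal")
            elif (p.startswith("arn:") and f":{ACCOUNT_ID}:" not in p) or (p.isdigit() and p != ACCOUNT_ID):
                findings.append(f"trust policy allows external principal {p}")
    return findings


def scan_events(events):
    """Map role name -> findings for every non-compliant CreateRole record."""
    report = {}
    for event in events:
        findings = check_create_role_event(event)
        if findings:
            report[(event.get("requestParameters") or {}).get("roleName", "<unknown>")] = findings
    return report


def _trust(principal):
    """Build a URL-encoded trust policy the way it appears in CloudTrail (constructed)."""
    doc = {"Version": "2012-10-17",
           "Statement": [{"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}]}
    return quote(json.dumps(doc))


# Constructed sample records: one compliant role, one developer-made role, one unrelated event.
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole",
     "userIdentity": {"type": "AssumedRole", "arn": IAC_PRINCIPAL_PREFIX + "ci-run-42"},
     "requestParameters": {"roleName": "app-orders-api-role", "permissionsBoundary": REQUIRED_BOUNDARY,
                           "assumeRolePolicyDocument": _trust({"Service": "lambda.amazonaws.com"})}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole",
     "userIdentity": {"type": "AssumedRole", "arn": f"arn:aws:sts::{ACCOUNT_ID}:assumed-role/Developer/alice"},
     "requestParameters": {"roleName": "TestRole123",
                           "assumeRolePolicyDocument": _trust({"AWS": "*"})}},
    {"eventSource": "iam.amazonaws.com", "eventName": "ListRoles", "userIdentity": {}, "requestParameters": None},
]

if __name__ == "__main__":
    print(json.dumps(scan_events(SAMPLE_EVENTS), indent=2))
```

In practice the records would come from a CloudTrail-to-EventBridge rule or from querying the trail's S3 logs, and a non-empty report would raise an alert or feed the remediation step the answer describes; the rule set is deliberately separate from the parsing so it can be tightened (for example, by requiring the trust policy to name only principals in an allow-list) without touching the event handling.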