1 Answer
2
You are absolutely right that this is an antipattern for Cloud and something that should be addressed. It is also not an easy task. A few paths that could be adopted:
- prevent use of unused services via SCP (any policies allowing those services will have no effect)
- use IAM boundaries to restrict what roles developers can create and assign
- use IaC to create roles
- define strict governance rules around IAM roles including naming conventions
- use compliance to detect non-compliant roles and remove them
- monitor creation of IAM roles via CloudTrail and alert on usage
Another way I have seen but wouldn't recommend is to have a custom API available to developers to allow them to request a role. I personally prefer the compliance route with detective controls in place to identify undesired roles.
answered a year ago
I'd add here that your company should engage with your local AWS account team as they can provide guidance.
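The detective-control route the answer prefers (monitor `CreateRole` in CloudTrail, flag roles that break governance rules) can be demonstrated with a small scanner. This is an added example, not code from the answer or from AWS: the CloudTrail field names (`eventName`, `requestParameters.roleName`, `requestParameters.permissionsBoundary`, `userIdentity.invokedBy`) are real, but the naming convention, the required boundary policy ARN, the account id and the sample records are constructed, and treating CloudFormation as the only approved IaC path is an assumption for the example.

```python
"""Detective control: flag IAM roles created outside the agreed guardrails.

Added example (not part of the re:Post answer). It reads CloudTrail
CreateRole records and reports roles that break three hypothetical rules:
naming convention, mandatory permissions boundary, and creation through
IaC (CloudFormation) rather than directly by a human principal.
"""
import json
import re
from typing import Dict, List

# Governance rules: all three values are assumptions for this example.
ROLE_NAME_PATTERN = re.compile(r"^app-[a-z0-9-]+-role$")
REQUIRED_BOUNDARY_ARN = "arn:aws:iam::123456789012:policy/DeveloperBoundary"
APPROVED_IAC_SERVICE = "cloudformation.amazonaws.com"

# Constructed sample CloudTrail log file (same shape as a real one: {"Records": [...]}).
# Record 1: compliant role created by CloudFormation with the required boundary.
# Record 2: role created interactively by an IAM user, bad name, no boundary.
# Record 3: unrelated API call, must be ignored.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventName": "CreateRole",
     "userIdentity": {"type": "AssumedRole", "invokedBy": APPROVED_IAC_SERVICE},
     "requestParameters": {"roleName": "app-orders-role",
                           "permissionsBoundary": REQUIRED_BOUNDARY_ARN}},
    {"eventName": "CreateRole",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"roleName": "AliceTestRole"}},
    {"eventName": "CreatePolicy",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"policyName": "something"}},
]})


def check_create_role_event(event: Dict) -> List[str]:
    """Return the rule violations for one CloudTrail record (empty if compliant)."""
    if event.get("eventName") != "CreateRole":
        return []
    params = event.get("requestParameters") or {}
    role_name = params.get("roleName", "<unknown>")
    violations = []

    # Rule 1: naming convention, so ad-hoc roles stand out immediately.
    if not ROLE_NAME_PATTERN.match(role_name):
        violations.append(f"{role_name}: name does not follow convention")

    # Rule 2: every developer-created role must carry the permissions boundary.
    if params.get("permissionsBoundary") != REQUIRED_BOUNDARY_ARN:
        violations.append(f"{role_name}: missing or wrong permissions boundary")

    # Rule 3: CloudTrail sets userIdentity.invokedBy to the AWS service that
    # made the call on the principal's behalf; a direct human call has none.
    invoked_by = (event.get("userIdentity") or {}).get("invokedBy", "")
    if invoked_by != APPROVED_IAC_SERVICE:
        violations.append(
            f"{role_name}: created outside IaC (invokedBy={invoked_by or 'none'})")
    return violations


def scan_cloudtrail_log(log_text: str) -> List[str]:
    """Parse a CloudTrail log file body and collect violations across all records."""
    records = json.loads(log_text).get("Records", [])
    findings: List[str] = []
    for record in records:
        findings.extend(check_create_role_event(record))
    return findings


if __name__ == "__main__":
    for finding in scan_cloudtrail_log(SAMPLE_LOG):
        print("NON-COMPLIANT:", finding)
```

In practice the same function would run on records delivered from the CloudTrail S3 bucket or an EventBridge rule on `CreateRole`, with the findings routed to an alert or a remediation step that removes the role, which is the "detect and remove" control the answer describes.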