1 Answer
You are absolutely right that this is an antipattern for Cloud and something that should be addressed. It is also not an easy task. A few different paths that could be adopted:
- prevent use of unused services via SCP (any policies allowing those services will have no effect)
- use IAM boundaries to restrict what roles developers can create and assign
- use IaC to create roles
- define strict governance rules around IAM roles including naming conventions
- use compliance to detect non-compliant roles and remove them
- monitor creation of IAM roles via CloudTrail and alert on usage
Another way I have seen but wouldn't recommend is to have a custom API available to developers to allow them to request a role. I personally prefer the compliance route with detective controls in place to identify undesired roles.
answered a year ago
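The detective-control route from the answer above (CloudTrail monitoring plus a naming convention and permission boundaries), as an added illustration that is not part of the original post: the script scans CloudTrail `CreateRole` records and flags roles created without the required permissions boundary or outside the naming convention. The boundary ARN, the name pattern and the sample records are constructed placeholders.

```python
"""Detective control for IAM role creation.

Flags CreateRole events whose requestParameters lack the mandated
permissions boundary or whose roleName breaks the naming convention.
Sample events below are constructed, not real CloudTrail data.
"""
import re

# Assumed organisational conventions (placeholders, not from the original post).
REQUIRED_BOUNDARY = "arn:aws:iam::111122223333:policy/DeveloperBoundary"
ROLE_NAME_PATTERN = re.compile(r"^app-[a-z0-9-]+-role$")


def evaluate_create_role(event: dict) -> list[str]:
    """Return finding strings for one CloudTrail record (empty if compliant or not CreateRole)."""
    if event.get("eventSource") != "iam.amazonaws.com" or event.get("eventName") != "CreateRole":
        return []
    params = event.get("requestParameters") or {}
    role_name = params.get("roleName", "<unknown>")
    findings = []
    # CloudTrail mirrors the CreateRole API parameter PermissionsBoundary in camelCase.
    boundary = params.get("permissionsBoundary")
    if boundary != REQUIRED_BOUNDARY:
        findings.append(f"{role_name}: created without required permissions boundary (got {boundary!r})")
    if not ROLE_NAME_PATTERN.match(role_name):
        findings.append(f"{role_name}: name violates convention {ROLE_NAME_PATTERN.pattern}")
    return findings


def scan_trail(records: list[dict]) -> list[str]:
    """Evaluate every record and collect all findings for alerting."""
    findings = []
    for rec in records:
        findings.extend(evaluate_create_role(rec))
    return findings


# Constructed sample CloudTrail records (not real log data).
SAMPLE_RECORDS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole",
     "requestParameters": {"roleName": "app-payments-role",
                           "permissionsBoundary": REQUIRED_BOUNDARY}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole",
     "requestParameters": {"roleName": "AdminTemp"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
     "requestParameters": {"roleName": "AdminTemp", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
]

if __name__ == "__main__":
    for finding in scan_trail(SAMPLE_RECORDS):
        print("ALERT:", finding)
```

In practice the records would come from an EventBridge rule on CloudTrail or a Config custom rule rather than a static list; the evaluation logic stays the same.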
I'd add here that your company should engage with your local AWS account team as they can provide guidance.