How are you automating AWS IAM roles and policies?


Hi all,

I wanted some help in understanding techniques and best practices around managing AWS IAM at scale.

We get requests every day for new roles, policies, and permissions, for servers as well as people, and managing them at scale is a PITB. What kind of automation and checks do you use for automating IAM?



For servers - the team that's deploying that particular server needs to define the IAM policy for that service, and that policy is then reviewed by our DevOps team to make sure it's not overly permissive. But each service gets its own application-specific policy.

Some IAM policies are shared across all hosts (like access to read some shared/central S3 buckets or parameters from Parameter Store) and those are managed by a central DevOps team.

For people - our IT department uses Okta (an SSO solution like auth0) for employees. Okta has integration with AWS so you can login to Okta, and then choose which role + which account you want to access. After like 30-40 people, managing IAM users is too annoying and so using an Identity Provider (with AD/SAML provider) drastically helps with that (although it does cost a pretty penny).

For all the above - manage all your IAM resources in an infrastructure-as-code tool like Terraform or CloudFormation, store it in a version-control system, and make changes to it that way. One small tip: IAM has the concept of variables, so you can make generic-ish policies that are fine-grained for each user (docs here).
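The reply above describes two things that lend themselves to code: the DevOps review that rejects overly permissive service policies, and the per-user policy written once with IAM policy variables. The following is an added example, not code from the post or from any of the tools it names. It is a small linter for IAM policy documents plus a constructed per-user policy that uses the real IAM policy variable `${aws:username}`; the bucket name, the statements and the list of "sensitive" actions are assumptions chosen for illustration, and a real review pipeline would run something like this in CI before the Terraform or CloudFormation change is merged.

```python
"""Lint AWS IAM policy documents for overly permissive Allow statements.

Added example for the review step described above; not code from the
original post. All policy documents below are constructed samples.
"""
import json

# Constructed sample: the kind of service policy a review should bounce.
OVERLY_PERMISSIVE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"},
    ],
}

# Constructed sample: one document that is fine-grained per user because it
# uses the IAM policy variable ${aws:username}. The bucket name is made up.
PER_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-home-bucket/home/${aws:username}/*",
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::example-home-bucket",
            "Condition": {"StringLike": {"s3:prefix": ["home/${aws:username}/*"]}},
        },
    ],
}

# Assumed review rule: these actions can hand out or escalate privilege, so
# the reviewer requires an explicit Resource ARN rather than "*".
SENSITIVE_ACTIONS = {
    "iam:passrole",
    "iam:createpolicyversion",
    "iam:attachrolepolicy",
    "sts:assumerole",
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_policy(policy: dict) -> list[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        all_resources = "*" in resources
        has_condition = bool(stmt.get("Condition"))
        if "NotAction" in stmt:
            findings.append(f"statement {i}: Allow with NotAction grants everything not listed")
        for a in actions:
            if a == "*" and all_resources:
                findings.append(f"statement {i}: Action '*' on Resource '*' is full admin")
            elif a == "*":
                findings.append(f"statement {i}: Action '*' is too broad even on a named resource")
            elif a.endswith(":*") and all_resources and not has_condition:
                findings.append(f"statement {i}: wildcard action '{a}' on all resources")
            elif a in SENSITIVE_ACTIONS and all_resources:
                findings.append(f"statement {i}: sensitive action '{a}' must name a Resource ARN")
    return findings


def check_policy_json(text: str) -> list[str]:
    """Convenience wrapper for policy files read from disk or a PR diff."""
    return check_policy(json.loads(text))


if __name__ == "__main__":
    for name, pol in [("overly permissive", OVERLY_PERMISSIVE), ("per-user", PER_USER_POLICY)]:
        print(name, "->", check_policy(pol) or ["ok"])
```

The per-user policy passes the checks because every statement names an ARN and the `ListBucket` grant is narrowed with a `Condition`; the service policy is flagged twice, once for `s3:*` on every resource and once for `iam:PassRole` without a role ARN. The rules are deliberately conservative heuristics for a human review queue, not a replacement for the policy simulator or Access Analyzer.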

Ayush Sharma
In a love-hate relationship with technology. Haven't figured out life yet. Thoughts are my own.