Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

IAM as code - centralize the management of IAM roles and policies in a multi-account organization

0

A customer is trying to centralize the management of IAM roles and policies in a multi-account organization. They would like to achieve the following:

  • keep log of all changes for compliance reasons
  • facilitate periodical audits process
  • test policies in sandbox environment before deploying in production

They are using Terraform and would like to use CodeCommit as repository. Do we have examples of customers who have achieved such a process, and/or best practices?

Thanks

Themen
Entwicklertools
Tags
AWS CodeCommit
Sprache
English
AWS
AWS-User-3594908
gefragt vor 4 Jahren455 Aufrufe
1 Antwort
0
Akzeptierte Antwort

You should check out the blog post on best practices with OU management. There are suggestions for both sandbox environments and logging: https://aws.amazon.com/blogs/mt/best-practices-for-organizational-units-with-aws-organizations/

Check out centralized CloudTrail for logging and auditing. It's a widely adopted best practice. It helps the management account make sure everything is logged (and doesn't let member accounts turn it off).

For IAM role usage. There are many approaches customers can take. I don't have Terraform examples. Stacksets provides easy integration for rollout of IAM roles.

AWS
AWS-User-4197455
beantwortet vor 4 Jahren

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt