Hello.
AWS's managed IAM policies include job-function-specific policies.
While using these IAM policies, you may also create custom policies to narrow the permissions down further.
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html
I think it is useful to use IAM policy simulator etc. to examine the policies required for custom policies.
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html
In addition, by using IAM Access Analyzer, it is also possible to generate IAM policies from the operation history of IAM users.
https://aws.amazon.com/jp/blogs/security/iam-access-analyzer-makes-it-easier-to-implement-least-privilege-permissions-by-generating-iam-policies-based-on-access-activity/
Hello.
AWS IAM provides you with the opportunity to create groups. You find this by visiting IAM > Access management > User groups. Click on User groups and then Create group. A group is like a container that holds all users with similar permissions or access, just as in your own case. You can create a group with the name Developers, for instance. Now you add the permissions you want to give to this set of users to the group you've created.
These permissions come as policies. Some policies are managed by AWS. You can also create your own policy if you want.
In your case, the policy you'll choose depends on what platform on AWS your applications or other services will be running. Is it an EC2 instance, ECS, EKS, Lambda, EBS, Amplify, etc.?
There are policies you can use to give permissions to your developers on any of these platforms. E.g., if EC2 instance, there's an AWS-defined policy named AmazonEC2FullAccess or AmazonEC2ReadOnlyAccess, etc. You just explore the policy section of IAM to find the one that gives the developers the access they require, then attach this policy to the group you created. Then create the users and add them to that group.
Note that you can add as many policies/ permissions as you need to a group.
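Both answers above come down to the same two steps: start from a managed policy such as AmazonEC2ReadOnlyAccess, then narrow it with a custom policy and check what the result actually allows before attaching it to the Developers group. The following Python script is an added example, not code from either answer or from AWS. It contains a constructed scoped-down developer policy (the account ID, region and Sids are made up) and a deliberately simplified local evaluator that models only the core IAM rule of explicit Deny beating Allow, plus `*`/`?` wildcard matching on actions and resources. It ignores Condition blocks, permission boundaries, SCPs and resource policies, so it is a way to reason about a draft document offline, not a replacement for the IAM policy simulator (or `aws iam simulate-custom-policy`) mentioned in the first answer.

```python
"""Local, simplified IAM policy evaluation for checking a scoped-down draft.

Added example; not AWS's simulator and not part of any managed policy.
"""
import fnmatch

# Constructed custom policy (account ID, region and Sids are placeholders).
# Starts from the idea of EC2 read-only access and adds only start/stop
# on instances in one region, while explicitly forbidding termination.
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadEC2", "Effect": "Allow",
         "Action": ["ec2:Describe*"], "Resource": "*"},
        {"Sid": "StartStopDev", "Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances"],
         "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"},
        {"Sid": "NoTermination", "Effect": "Deny",
         "Action": "ec2:TerminateInstances", "Resource": "*"},
    ],
}

# Constructed over-broad policy, the kind the custom policy is meant to replace.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllEC2", "Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM-style wildcard match: '*' and '?' only, case-insensitive."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def evaluate(policy, action, resource):
    """Return 'allow', 'deny' (explicit) or 'implicit-deny'.

    Follows the IAM rule that any matching explicit Deny wins over every
    Allow, and that nothing is allowed unless a statement allows it.
    Conditions are NOT modelled here (simplification of this example).
    """
    decision = "implicit-deny"
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision


def find_broad_allows(policy):
    """Return Sids of Allow statements granting every action of a service
    ('svc:*') or every action outright ('*'); candidates for narrowing."""
    broad = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt["Action"])):
            broad.append(stmt.get("Sid", "<no Sid>"))
    return broad


if __name__ == "__main__":
    dev_instance = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
    other_region = "arn:aws:ec2:eu-west-1:123456789012:instance/i-0123456789abcdef0"
    for act, res in [("ec2:DescribeInstances", "*"),
                     ("ec2:StartInstances", dev_instance),
                     ("ec2:StartInstances", other_region),
                     ("ec2:TerminateInstances", dev_instance),
                     ("s3:GetObject", "arn:aws:s3:::some-bucket/key")]:
        print(f"{act:26} {res:60} -> {evaluate(DEVELOPER_POLICY, act, res)}")
    print("Broad allows in BROAD_POLICY:", find_broad_allows(BROAD_POLICY))
```

Running it shows the scoped policy allowing Describe calls and start/stop only in the chosen region, refusing termination even though ec2:* would have covered it, and flagging the `ec2:*` statement of the broad policy as something to narrow. Once the draft behaves as intended here, confirm it with the real simulator, since conditions and other policy types will change the outcome in a live account.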
Thank you all for your replies. I will do what I can to improve how this works on my end. If any of you have the ear of the AWS UX/UI team, please let them know that this strikes me as convoluted and overly complex. One user management tool, hierarchical and clear relationships/features would really improve this and remove barriers for small business and novice users.
Cheers!
-Barn.