I suppose attribute based access control (ABAC) could work if only ALL your resources are tagged accordingly. https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html
Otherwise I don't think there is any easy way to solve the problem, since with role based access control (RBAC) there isn't a way to dynamically deduce a Role's access policy from multiple AD groups. You would probably need a 3rd party IAM solution in between AD and AWS to do the mapping, and they're typically not cheap. Maybe a new AD group "developer+ECR-admin" and an IAM Role for it is a satisfying solution?
Personally I think changing role is pretty agile with AWS SSO/Identity Center. In general I prefer more permissive than restrictive roles to minimize role changes in the first place but of course cloud access policy heavily depends on individual company's requirements and possible industry regulation too.
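To make the ABAC suggestion above concrete, here is an added example policy (not part of the original answer) for the ECR case. It assumes a tag key `team` that is set on every ECR repository and is also passed as a principal tag, for example through IAM Identity Center's attributes-for-access-control mapping of an AD attribute; both the tag key and the mapping are assumptions for illustration. Access to a repository is granted only when the caller's `team` principal tag equals the repository's `team` resource tag, and new repositories can only be created if they are tagged with the caller's own team, which is what keeps the "ALL your resources are tagged" precondition true over time.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EcrLoginIsNotResourceScoped",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    },
    {
      "Sid": "RepoAccessOnlyWhenTeamTagsMatch",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchCheckLayerAvailability",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:PutImage",
        "ecr:DescribeRepositories",
        "ecr:ListImages"
      ],
      "Resource": "arn:aws:ecr:*:*:repository/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/team": "${aws:PrincipalTag/team}"
        }
      }
    },
    {
      "Sid": "NewReposMustCarryTheCallersTeamTag",
      "Effect": "Allow",
      "Action": [
        "ecr:CreateRepository",
        "ecr:TagResource"
      ],
      "Resource": "arn:aws:ecr:*:*:repository/*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/team": "${aws:PrincipalTag/team}"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": ["team"]
        }
      }
    }
  ]
}
```

Two points worth checking before relying on this: a repository with no `team` tag matches none of the Allow statements, so it becomes unreachable rather than open, which is the safe failure mode but is also why existing untagged repositories need to be tagged first; and `ecr:GetAuthorizationToken` has to stay on `Resource: "*"` because it is not a repository-scoped action. The same pattern (principal tag compared to resource tag, plus a tag-on-create rule) applies to other tag-aware services, which is how a single permission set can express "developer" and "ECR admin for my team" without one AD group per combination.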
Changing the Role/Permission Set in this case is the best way and is very agile. You want to make sure your permissions are least-priv. SSO/IC is specifically designed to allow this rapid switching of contexts if needed. You either give a role permission to switch to a different role, or you provide that as an option right away.
I suggest using tools to get around this. I use the free version of Ghost Browser to manage multiple sessions to the same AWS SSO/IC and be in different accounts with a different role at the same time. I also recommend https://Leapp.Cloud. Alternatively, if additional tools are not an option for downloading and approved software lists, then I would use Incognito or other profiles in existing browsers such as Chrome.