1 Answer
You can consider many extra access control layers. But, as you know, each access control layer requires a corresponding trade-off (human resources, extra systems, management cost).
- Fine-grained IAM policy conditions
  - Limit source IP, source VPC, source account, or something else.
- Strengthen security for the AssumeRole (trusted identity) policy of the IAM role.
  - Limit source IP, source VPC, source account, or something else.
- Use application-level AWS STS tokens instead of the EC2 instance profile.
  - With a solution for dynamic secrets (short-lived tokens) like HashiCorp Vault, you can use several small-scoped STS tokens, and just delete your EC2 instance profile.
- Limit access to the EC2 instance with security groups and NACLs.
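The first two layers in the answer (source IP, source VPC and source account conditions on the permission policy and on the role's trust policy) shown as an added example that is not part of the original answer. It holds two constructed policy documents and a small Python evaluator that models only the IAM condition semantics needed to read them: explicit deny wins, positive operators fail when the key is absent, and Not* operators succeed when the key is absent. The account ID, CIDR, VPC ID and role ARN are made-up assumptions; the evaluator is not the real IAM engine, ignores the Principal element and resource-based policies, and treats action names case-sensitively.

```python
import fnmatch
import ipaddress

# Constructed sample identifiers (assumptions for this example, not from the page).
ACCOUNT_ID = "111122223333"
CORP_CIDR = "203.0.113.0/24"
APP_VPC = "vpc-0a1b2c3d4e5f67890"
CI_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/ci-deployer"

# Permission policy for the role: allow reads on one bucket, but deny every S3
# call that comes from neither the corporate CIDR nor the application VPC.
# Both operators in the Deny must match for it to apply (NOT from CIDR AND NOT
# from VPC); a missing key makes a Not* operator match, so a request with no
# source information at all is denied.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::app-data/*"},
        {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
         "Condition": {
             "NotIpAddress": {"aws:SourceIp": [CORP_CIDR]},
             "StringNotEquals": {"aws:SourceVpc": APP_VPC},
         }},
    ],
}

# Trust policy on the same role: only principals from one account whose ARN
# matches the CI role naming pattern may assume it. The Principal element is
# kept for realism but this toy evaluator does not inspect it.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
        "Condition": {
            "StringEquals": {"aws:PrincipalAccount": ACCOUNT_ID},
            "StringLike": {"aws:PrincipalArn": f"arn:aws:iam::{ACCOUNT_ID}:role/ci-*"},
        },
    }],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _cond_match(op, key_values, ctx):
    """Evaluate one condition operator block; every key inside it must match."""
    negated = "Not" in op                 # StringNotEquals, NotIpAddress, ...
    base = op.replace("Not", "")
    for key, wanted in key_values.items():
        actual = ctx.get(key)
        if actual is None:
            # Missing key: positive operators fail, negated operators succeed.
            if negated:
                continue
            return False
        if base == "StringEquals":
            hit = any(actual == w for w in _as_list(wanted))
        elif base == "StringLike":
            hit = any(fnmatch.fnmatchcase(actual, w) for w in _as_list(wanted))
        elif base == "IpAddress":
            ip = ipaddress.ip_address(actual)
            hit = any(ip in ipaddress.ip_network(w, strict=False)
                      for w in _as_list(wanted))
        else:
            raise ValueError(f"unsupported operator {op}")
        if hit == negated:                # positive op needs a hit, negated needs a miss
            return False
    return True


def evaluate(policy, action, resource, ctx):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' (explicit deny always wins)."""
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r)
                   for r in _as_list(st.get("Resource", "*"))):
            continue
        if not all(_cond_match(op, kv, ctx)
                   for op, kv in st.get("Condition", {}).items()):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    obj = "arn:aws:s3:::app-data/report.csv"
    # From the office CIDR, from an unknown public IP, and through the app VPC
    # (where aws:SourceIp is the instance's private address or absent, so it
    # falls outside the corporate CIDR either way).
    print(evaluate(BUCKET_POLICY, "s3:GetObject", obj, {"aws:SourceIp": "203.0.113.7"}))
    print(evaluate(BUCKET_POLICY, "s3:GetObject", obj, {"aws:SourceIp": "198.51.100.9"}))
    print(evaluate(BUCKET_POLICY, "s3:GetObject", obj,
                   {"aws:SourceVpc": APP_VPC, "aws:SourceIp": "10.0.1.23"}))
    # Trust policy: right account and role pattern, then a foreign account.
    print(evaluate(TRUST_POLICY, "sts:AssumeRole", "*",
                   {"aws:PrincipalAccount": ACCOUNT_ID, "aws:PrincipalArn": CI_ROLE_ARN}))
    print(evaluate(TRUST_POLICY, "sts:AssumeRole", "*",
                   {"aws:PrincipalAccount": "999999999999",
                    "aws:PrincipalArn": "arn:aws:iam::999999999999:role/ci-deployer"}))
```

The Deny-with-two-negated-operators shape is what lets a single statement say "allow from the office network or from the VPC, otherwise deny", and the missing-key rule is why that Deny also catches requests that carry neither key. The trade-off the answer mentions shows up here too: every CIDR, VPC ID and role pattern in these conditions becomes something that must be kept current when the network or the CI setup changes.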
Hello,
What are the different data sources in other AWS accounts?
For example, Redshift, Athena, RDS, Aurora flavors, etc.