How to separate organisation users' permissions by access level and environment?

0

Hello

We have such situation:

  • We have several groups (dev, QA, admins, and so on).
  • We have several environments (dev, stage, prod).
  • We have only one AWS organization account.

The question is: how do we separate all the users by environment and permissions?

What I mean is, for example, developers should have all the access on dev and stage but not have any permissions on prod. The same applies to QA. Admins, however, should have access everywhere.

We were going to use switch role, but all our resources are mixed, and if I am not mistaken developers will still have access to the prod resources even if we map this role to read-only permissions, since we do not have any tags that could separate dev, stage and prod. I am wondering what the best practice is for doing this. I saw some articles saying that to separate environments we need to have different AWS accounts, but that is not possible in our case because we would need to do migrations for this on prod, which is not a good option. Are there any other options?

So, please advise how to separate those environments within one single organisation and grant different permissions for those environments to the different groups.

Thanks.

1 Answer
0
Accepted Answer

Hi There

If you are not using tags, how are you differentiating between dev, stage, and prod resources if everything is in one account? For example, how do you know which is a dev EC2 instance vs a prod EC2 instance? You need to use some form of tagging, and then create permissions policies and roles based on those tags. See https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html

We also recommend adopting a multi-account strategy and separating workloads into different AWS accounts. This way, you use the AWS account as the security boundary. For example, all dev resources go into the dev account, and you grant permissions to the account to your dev users, rather than to individual resources. You can use the tag-based policies above to further reduce the permissions to adhere to the principle of least privilege. See https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/organizing-your-aws-environment.html

AWS EXPERT Matt-B
answered a year ago
reviewed a year ago
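To make the tag-based approach from the accepted answer concrete, here is an added example (not from the answer or from AWS documentation) of an identity-based policy for a developer role in a single account. It assumes every resource carries an `Environment` tag with the constructed values `dev`, `stage` or `prod`; the tag key, the values and the EC2/RDS scope are assumptions chosen for illustration.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowWorkOnDevAndStageResources",
      "Effect": "Allow",
      "Action": ["ec2:*", "rds:*"],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:ResourceTag/Environment": ["dev", "stage"] }
      }
    },
    {
      "Sid": "DenyAnythingTaggedProd",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:ResourceTag/Environment": "prod" }
      }
    },
    {
      "Sid": "DenyChangingTheEnvironmentTag",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "rds:AddTagsToResource",
        "rds:RemoveTagsFromResource"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": { "aws:TagKeys": ["Environment"] }
      }
    },
    {
      "Sid": "AllowReadOnlyListing",
      "Effect": "Allow",
      "Action": ["ec2:Describe*", "rds:Describe*"],
      "Resource": "*"
    }
  ]
}
```

The third statement matters most: without it a developer could retag a prod resource as dev and the first statement would then grant access to it. Resources with no `Environment` tag match neither allow statement, so they are implicitly denied, which is a useful way to surface anything that was never tagged during the migration to this model.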
