Allowing Role and Policies creation for Development team


I'm sensing an anti-pattern in my company when it comes to creating roles and policies for a given workflow.

I'm sitting on a development team; we are far from experts in AWS, but we are learning fast. We are building an application and trying to follow all of AWS's security standards as much as possible. As we develop, we need to create specific roles bearing proper policies.

There is a security team in my company who owns the IAM side when it comes to creating policies; therefore the development team doesn't have permissions to create/edit/delete policies to assign to the roles. The development team is only allowed to create/edit/delete/read roles and read policies.

The development team faces a lot of frustration with this situation, as we cannot proceed with our developments independently. After questioning the security team about the reasons, it was stated that:

  • In the past people would go wild in creating policies, so we had to cut them short as it was easily becoming a total mess.
  • We needed to protect the AWS account from its users.
  • We needed to protect the team from itself.

I would really appreciate the community's input on this to understand what/how other companies are organizing themselves when it comes to "allowing" the creation of policies.

1 Answer
Accepted Answer

You are absolutely right that this is an antipattern for Cloud and something that should be addressed. It is also not an easy task. A few paths that could be adopted:

  • prevent use of unused services via SCP (any policies allowing those services will have no effect)
  • use IAM boundaries to restrict what roles developers can create and assign
  • use IaC to create roles
  • define strict governance rules around IAM roles including naming conventions
  • use compliance to detect non-compliant roles and remove them
  • monitor creation of IAM roles via CloudTrail and alert on usage

Another way I have seen but wouldn't recommend is to have a custom API available to developers to allow them to request a role. I personally prefer the compliance route with detective controls in place to identify undesired roles.

answered 2 years ago
reviewed 2 months ago
  • I'd add here that your company should engage with your local AWS account team as they can provide guidance.
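The accepted answer's "use IAM boundaries" and "use IaC to create roles" suggestions, as an added Terraform example that is not from the original thread or from AWS: a permissions boundary defining the most a developer-created role may ever do, and a delegation policy that lets developers create roles and policies only when that boundary is attached and only under an assumed `app-*` naming convention. The policy names, the `app-*` prefix and the list of permitted services are assumptions for illustration.

```hcl
# Permissions boundary: the ceiling for any role a developer creates.
# The permitted service list below is an assumed example, not a recommendation.
resource "aws_iam_policy" "dev_boundary" {
  name = "DeveloperRoleBoundary" # assumed name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["s3:*", "dynamodb:*", "lambda:*", "logs:*"]
      Resource = "*"
    }]
  })
}

# Attached to the developers' own role: they may create and configure roles
# only if the boundary is attached, and may not weaken or detach the boundary.
resource "aws_iam_policy" "dev_iam_delegation" {
  name = "DeveloperIamDelegation" # assumed name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid      = "CreateAppRolesOnlyWithBoundary"
        Effect   = "Allow"
        Action   = ["iam:CreateRole", "iam:PutRolePermissionsBoundary",
                    "iam:AttachRolePolicy", "iam:PutRolePolicy"]
        Resource = "arn:aws:iam::*:role/app-*" # assumed naming convention
        Condition = { StringEquals = { "iam:PermissionsBoundary" = aws_iam_policy.dev_boundary.arn } }
      },
      {
        Sid      = "ManageAppPolicies"
        Effect   = "Allow"
        Action   = ["iam:CreatePolicy", "iam:CreatePolicyVersion",
                    "iam:DeletePolicy", "iam:DeletePolicyVersion"]
        Resource = "arn:aws:iam::*:policy/app-*"
      },
      {
        Sid      = "NeverDetachBoundary"
        Effect   = "Deny"
        Action   = ["iam:DeleteRolePermissionsBoundary"]
        Resource = "arn:aws:iam::*:role/*"
      },
      {
        Sid      = "NeverEditBoundary"
        Effect   = "Deny"
        Action   = ["iam:CreatePolicyVersion", "iam:DeletePolicy",
                    "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"]
        Resource = aws_iam_policy.dev_boundary.arn
      }
    ]
  })
}
```

A boundary caps what a role can do but not who may assume it, so the role trust policy still needs review; the SCP and CloudTrail alerting from the answer cover the gaps the boundary leaves.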
