By using AWS re:Post, you agree to the Terms of Use

Restricting user access to AWS resources within an account

0

We have 2 AWS accounts prod and non-prod. Currently there are 2 teams using the non-prod accounts. Team A owns Workload A and Team B owns workload B. What options do we have to restrict Team B from accessing/updating resources provisioned /owned by Team A and vice versa. We know we can isolate by creating separate non-prod accounts for team A and B but what other options are available to restrict access. A good example if Team A owns an S3 bucket then it is fine for Team B to be able to view the S3 bucket but not have privileges to read/update contents.

2 Answers
0

There are multiple ways to define access to resources within AWS. For instance, permissions for Amazon S3 objects can be configured using a combination of S3 bucket policies, user policies and object ACLs to achieve a complex mix of different access permissions in the same bucket. Please review 'Policies and Permissions within IAM' - https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html & 'Identity and access management in Amazon S3' - https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html for more details.

answered 4 months ago
0

ABAC - Attribute Based Access Control may also be used here. In ABAC, you tag the resources and allow only IAM users with specific tag to access that resource. For example, you can map Workload A with a tag called "CreatedBy: Team A" and then have the same tag mapped to IAM users of Team A; then only Team A can access Workload A.

Please refer the following documentation for further details https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html

answered 4 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions