IAM policy for System, Network, and Database Administrator

0

I have the Organization Root account and privileges. I have two or three admins on my team that need the ability to create virtual machines, databases, and networking-type services. I naively thought that using the built-in AWS Managed Policies for Job Functions would provide those policies and permissions, and then I could dial back from there. But what I'm running into is that my team can't do much of anything at all without adding custom permissions. For instance, they can't: turn on CloudWatch, use Amazon SSM, implement a load balancer, implement a Web Application Firewall, or import a TLS certificate. Obviously I can't dedicate a full-time person to managing permissions, but I also can't have my team hobbled by missing permissions, and I also can't give root-level permissions to all resources on all services to all users. So, what is a workable solution? What policy do I craft that would allow my team to do their job without coming back to the Root Admin to play mother-may-I every other day?

1 Answer
-1

Hello Bobby,

Managing IAM policies and roles effectively requires careful planning, as there's no magic solution. Fortunately, AWS offers a variety of tools to help streamline this process. Using the IAM policy creation console, you can select services, define actions, and build custom IAM policies tailored to the specific permissions your team members need. Additionally, you can leverage the IAM Policy Generator to create policies. Visit the IAM Policy Generator for more details.

If you want to go into a more advanced mode of permissions management:

How to Empower Your Team While Maintaining Control

  1. Start with Managed Policies, Add What's Missing. AWS Managed Policies for job functions are too restrictive. Use them as a base and add custom permissions for:

    • EC2, RDS, VPC
    • Load Balancers, WAF, Certificate Manager
    • CloudWatch, SSM, Autoscaling
  2. Create Custom Roles for Your Team. Instead of giving permissions to users directly:

    • Create a team-specific IAM role.
    • Attach a policy that grants needed permissions without being overly broad.

    Example Policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ec2:*",
            "rds:*",
            "elasticloadbalancing:*",
            "autoscaling:*",
            "ssm:*",
            "cloudwatch:*",
            "logs:*",
            "acm:*",
            "waf:*",
            "wafv2:*"
          ],
          "Resource": "*"
        }
      ]
    }

    (VPC actions have no separate service prefix; they are covered by "ec2:*". CloudWatch Logs uses the "logs" prefix, and current WAF APIs use "wafv2", so both are listed alongside "cloudwatch" and the classic "waf" prefix.)
  3. Set Guardrails with Service Control Policies (SCPs)

    • Use SCPs in AWS Organizations to block risky actions (e.g., root account access, unapproved regions/services).
  4. Enable Self-Service with Boundaries

    • Use Permission Boundaries to limit maximum permissions.
    • Use Service Catalog to provide pre-approved templates for common resources like VMs and databases.
  5. Iterate Based on Needs

    • Monitor CloudTrail for blocked actions and adjust permissions.
    • Regularly review with the team to refine policies.
  6. Automate and Simplify

    • Use tools like AWS Identity Center (SSO) for streamlined role assignment.
    • Leverage IAM Access Analyzer to catch overly broad permissions.

This gives your team the freedom to work while you retain control over critical aspects. It’s scalable and reduces your involvement in daily permission issues.

Other than that, look at AWS's latest announcement Simplify governance with declarative policies - https://aws.amazon.com/blogs/aws/simplify-governance-with-declarative-policies/

answered a month ago
  • Praveen, thanks for asking the AWS helpful AI assistant and providing its answers.

    That, however, is not even close to a workable solution. Every new task is met with delay upon delay upon delay as they all require some interaction with a service that is obscure and not included in the Admin roles. The only acceptable solution is for Amazon to do their job and provide an actual admin policy for Network, Database, and Systems.
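The answer's steps 4 and 5 (cap the role with a permissions boundary, then watch CloudTrail for blocked actions and add what is missing) are where most of the day-to-day work lands. The script below is an added example, not code from the answer or from AWS: it takes a handful of constructed CloudTrail records in the shape CloudTrail actually writes (eventSource, eventName, errorCode, errorMessage), extracts the "service:Action" each AccessDenied event was refused, and sorts each one into "add to the team role" or "blocked by the boundary, needs an owner decision". The policy evaluator is deliberately simplified: it matches on Action only with Resource "*" and ignores Condition keys and SCPs. The role name, account ID and policies are assumptions for the example.

```python
"""Triage CloudTrail AccessDenied events against a team role and its permissions boundary.

Added example (not from the re:Post answer). All policies and events below are
constructed for the demonstration; replace SAMPLE_EVENTS with real records from
`aws cloudtrail lookup-events` to use it for real.
"""
import fnmatch
import json
import re

# Constructed identity policy attached to the team role (assumption).
TEAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:*", "rds:*", "elasticloadbalancing:*", "cloudwatch:*"],
         "Resource": "*"},
    ],
}

# Constructed permissions boundary: the ceiling the role can never exceed,
# even if someone later attaches a broader identity policy to it.
BOUNDARY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:*", "rds:*", "elasticloadbalancing:*", "autoscaling:*",
                    "cloudwatch:*", "logs:*", "ssm:*", "acm:*", "wafv2:*"],
         "Resource": "*"},
        {"Effect": "Deny",
         "Action": ["iam:*", "organizations:*", "account:*"],
         "Resource": "*"},
    ],
}

# Constructed CloudTrail records; only the fields this script reads are present.
_ROLE = "arn:aws:sts::123456789012:assumed-role/TeamAdmin/alice"  # hypothetical
SAMPLE_EVENTS = [
    {"eventSource": "wafv2.amazonaws.com", "eventName": "CreateWebACL",
     "errorCode": "AccessDenied",
     "errorMessage": f"User: {_ROLE} is not authorized to perform: wafv2:CreateWebACL "
                     "on resource: arn:aws:wafv2:us-east-1:123456789012:regional/webacl/x/y "
                     "because no identity-based policy allows the wafv2:CreateWebACL action"},
    {"eventSource": "acm.amazonaws.com", "eventName": "ImportCertificate",
     "errorCode": "AccessDenied",
     "errorMessage": f"User: {_ROLE} is not authorized to perform: acm:ImportCertificate ..."},
    {"eventSource": "ssm.amazonaws.com", "eventName": "StartSession",
     "errorCode": "AccessDeniedException",
     "errorMessage": f"User: {_ROLE} is not authorized to perform: ssm:StartSession ..."},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "errorCode": "AccessDenied",
     "errorMessage": f"User: {_ROLE} is not authorized to perform: iam:CreateUser ..."},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances"},  # succeeded, no errorCode
]

_ACTION_RE = re.compile(r"perform:\s*([a-z0-9-]+:[A-Za-z0-9*]+)")


def denied_action(event):
    """Return the 'service:Action' an authorization failure refused, or None if not a denial."""
    code = event.get("errorCode", "")
    if not (code.startswith("AccessDenied") or "UnauthorizedOperation" in code):
        return None
    m = _ACTION_RE.search(event.get("errorMessage", ""))
    if m:
        return m.group(1)
    # Fallback: derive the prefix from eventSource. Usually right, but not always
    # (e.g. monitoring.amazonaws.com maps to the cloudwatch: prefix), so prefer the message.
    return f"{event['eventSource'].split('.')[0]}:{event['eventName']}"


def _matches(patterns, action):
    pats = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in pats)


def policy_allows(policy, action):
    """Action-only IAM evaluation: an explicit Deny wins, otherwise any matching Allow permits."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def effective_allow(identity_policy, boundary, action):
    """With a boundary attached, an action needs an Allow in BOTH documents."""
    return policy_allows(identity_policy, action) and policy_allows(boundary, action)


def triage(events, identity_policy=TEAM_POLICY, boundary=BOUNDARY_POLICY):
    """Bucket denied actions: safe to add to the role, blocked by the boundary, or denied elsewhere."""
    buckets = {"add_to_role": set(), "blocked_by_boundary": set(), "already_allowed": set()}
    for ev in events:
        action = denied_action(ev)
        if action is None:
            continue
        if not policy_allows(boundary, action):
            buckets["blocked_by_boundary"].add(action)      # needs the boundary owner, not a policy tweak
        elif not policy_allows(identity_policy, action):
            buckets["add_to_role"].add(action)              # inside the boundary: just missing from the role
        else:
            buckets["already_allowed"].add(action)          # denied by Resource/Condition/SCP instead
    return {k: sorted(v) for k, v in buckets.items()}


def proposed_statement(actions):
    """The Allow statement to append to the team policy for the triaged actions."""
    return {"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print(json.dumps(result, indent=2))
    print(json.dumps(proposed_statement(result["add_to_role"]), indent=2))
```

Running it on the constructed events proposes adding acm:ImportCertificate, ssm:StartSession and wafv2:CreateWebACL to the role, while iam:CreateUser is reported as blocked by the boundary's Deny and left for the account owner to decide; the successful RunInstances call is skipped. Note that CloudTrail only records what was attempted, so this loop finds permissions the team actually needed, not permissions they might need someday.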
