Implementation Strategy
In the context of your overall organization strategy for AWS IAM, we recommend a few measures for locking down your AWS environments with IAM:

- Use Policy Sentry to create identity-based policies.
- Use Service Control Policies (SCPs) to lock down the API calls available in each account.
  - A great collection of SCPs can be found on asecure.cloud.
  - Control Tower has some excellent guidance on strategy for SCPs in its documentation. Note that they call them "Guardrails", but they are mostly SCPs. See the docs here.
- Use Repokid to revoke out-of-date policies as your applications and roles mature.
- Use resource-based policies for all services that support them.
  - A list of which services support resource-based policies can be found in the AWS documentation here.
- Never provision infrastructure manually; use Infrastructure as Code (IaC).
  - I highly suggest Terraform for IaC over alternatives such as CloudFormation, Chef, or Puppet. Yevgeniy Brikman explains the reasons very well in this Gruntwork.io blog post.
  - I also suggest reading HashiCorp's "Unlocking the Cloud Operating Model" whitepaper.
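As an added example (not a file from the Policy Sentry project itself), a CRUD-mode Policy Sentry template of the kind the first bullet refers to; the role name and S3 bucket ARNs are constructed placeholders:

```yaml
# Added example: Policy Sentry CRUD-mode template.
# The role name and bucket ARNs below are constructed placeholders, not real resources.
# Generate the identity-based policy with:
#   policy_sentry write-policy --input-file crud.yml
mode: crud
name: example-app-role
# Policy Sentry expands each ARN into only the actions of that access level
# (read / list / write / tagging / permissions-management) that apply to the
# ARN's resource type, so the generated policy is scoped to these resources
# instead of falling back to "Resource": "*".
read:
  - arn:aws:s3:::example-org-app-config
list:
  - arn:aws:s3:::example-org-app-config
write:
  - arn:aws:s3:::example-org-app-uploads
```

The SCP and resource-based policy layers in the list above complement this: the identity policy is generated least-privilege, the SCP caps what the account can call at all, and the bucket policy restricts who can reach the resource.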