Share resources securely within your organization

PostedNovember 27, 2024

UpdatedMarch 21, 2025

ByKevin McCaffrey

Managing permissions is critical to securing access to AWS resources. Sharing resources securely helps reduce operational overhead, fosters consistency across teams, and minimizes configuration errors, allowing organizations to scale without sacrificing security.

Best Practices

Implement Fine-Grained Access Control

Define roles and responsibilities clearly within your organization to ensure that only authorized individuals and services have access to specific resources.
Utilize AWS Identity and Access Management (IAM) policies to create fine-grained permissions that are tailored to the specific actions users and machines can perform.
Regularly review and update these policies to adapt to changing organizational needs and to ensure that permissions are not overly permissive.

Utilize Resource Sharing Features

Leverage AWS Resource Access Manager (RAM) to share resources across different AWS accounts securely.
Create resource shares for specific teams or projects, which helps manage who has access to what while minimizing duplication of resources.
Regularly audit resource sharing configurations to ensure they still meet the security and operational needs of your organization.

Establish Best Practices for Multi-Account Environments

Adopt a multi-account strategy to isolate workloads and environments, which can help limit the blast radius in case of a security issue.
Implement AWS Organizations to manage and govern your accounts centrally, leveraging service control policies (SCPs) to enforce permission boundaries.
Encourage consistent tagging of resources to better manage access and identify where access needs to be shared or restricted across accounts.

Implement Monitoring and Logging for Access Events

Enable AWS CloudTrail to log all API calls across your AWS infrastructure, allowing you to monitor who accessed what resources and when.
Set up Amazon CloudWatch Alarms based on CloudTrail events to alert your security team of any unauthorized access attempts or suspicious activity.
Regularly review logs and alarms to ensure compliance with access control policies and to identify any anomalies.

Educate and Train Your Teams

Provide ongoing training to your teams about best practices for managing permissions and securing AWS resources.
Conduct regular workshops on IAM and resource sharing features to ensure all team members understand how to effectively manage access.
Foster a security-conscious culture by regularly sharing security updates and lessons learned from any incidents that may have occurred.

Questions to ask your team

How do you determine which resources need to be shared within your organization?
What processes do you have in place to review and audit shared permissions regularly?
How do you ensure that access is only granted to those who truly need it?
What mechanisms do you use to manage cross-account access to shared resources?
How do you handle permission changes when a user’s role or responsibility changes?
What tools or services do you utilize to automate the management of permissions?
How do you verify that shared resources are being accessed according to your security policies?
What training or guidelines do you provide to teams regarding resource sharing and permission management?

Who should be doing this?

Cloud Security Architect

Design and implement security architectures to manage permissions effectively.
Establish guidelines for identity and access management (IAM) policies.
Ensure compliance with organizational security standards and best practices.
Conduct regular security audits and access reviews.

IAM Administrator

Create and manage IAM roles, groups, and policies for users and machines.
Configure secure access to resources and monitor permissions usage.
Respond to requests for access and ensure proper documentation.
Educate team members on IAM best practices and security protocols.

DevOps Engineer

Implement secure practices while deploying workloads across multiple accounts.
Collaborate with the IAM Administrator to ensure proper access controls are in place.
Automate resource provisioning while maintaining compliance and security.
Monitor any changes to permissions and report potential security risks.

Compliance Officer

Review IAM policies for compliance with regulatory requirements.
Coordinate with the Cloud Security Architect to assess risks associated with permissions.
Oversee audits and prepare reports for management regarding access control measures.
Stay up-to-date on security compliance standards and best practices.

Training Coordinator

Develop and deliver training programs related to security and IAM best practices.
Ensure all employees understand their roles in managing permissions.
Create documentation and resources for ongoing reference on security and permissions.
Evaluate training effectiveness and make improvements as necessary.

What evidence shows this is happening in your organization?

Access Control Policy Template: A structured template for defining access control policies that govern how permissions are assigned to individuals and machines within the organization, ensuring secure access to shared resources.
Resource Sharing Best Practices Guide: A comprehensive guide outlining best practices for securely sharing resources across different accounts, focusing on minimizing operational overhead while maintaining strict access controls.
Permissions Management Dashboard: A visual dashboard that displays real-time data on permissions granted to users and machines, enabling oversight and management of access within the organization.
Access Review Checklist: A checklist to ensure regular reviews of access permissions, ensuring they remain aligned with operational needs and security policies.
Role-Based Access Control (RBAC) Model Diagram: A diagram illustrating the role-based access control model implemented in the organization, detailing user roles and corresponding permissions for various resources.

Cloud Services

AWS

AWS IAM: AWS Identity and Access Management (IAM) allows you to control access to AWS services and resources securely. You can manage permissions for both people and machine identities through policies attached to IAM users, groups, and roles.
AWS Resource Access Manager (RAM): AWS RAM enables the sharing of AWS resources across different accounts and organizational units, reducing management overhead while keeping security controls intact.
AWS Organizations: AWS Organizations lets you create groups of AWS accounts and manage permissions and policies across them, facilitating secure resource sharing.

Azure

Azure Active Directory (AAD): AAD provides identity and access management capabilities for Azure services, allowing you to manage permissions securely for users and applications across your organization.
Azure Resource Manager: Azure Resource Manager enables you to manage your Azure resources through a centralized management layer with role-based access controls for resource sharing within your organization.

Google Cloud Platform

Google Cloud Identity: Google Cloud Identity offers identity and access management for Google Cloud resources, allowing you to manage access permissions for users and service accounts securely.
Google Cloud IAM: Google Cloud Identity and Access Management (IAM) provides fine-grained access control to manage who (users) has what access (roles) to which resources in your Google Cloud environment.

Question: How do you manage permissions for people and machines?
Pillar: Security (Code: SEC)

Operational Excellence

Determine what your priorities are

Structure your organization to support your business outcomes

Organizational culture to support your business outcomes

Implement observability in your workload

Reduce defects, ease remediation, and improve flow into production

Mitigate deployment risks

Be ready to support a workload

Uilize workload observability

Understand the health of your operations

Manage workload and operations events

Evolve your operations

Security

Securely operate your workload

Manage identities for people and machines

Manage permissions for people and machines

Detect and investigate security events

Protect your network resources

Protect your compute resources

Classify your data

Protect your data at rest

Protect your data in transit

Anticipate, respond to, and recover from incidents

Incorporate and validate the security properties of applications throughout the design, development, and deployment lifecycle

Reliability

Manage service quotas and constraints

Plan your network topology

Design your workload service architecture

Design interactions in a distributed system to prevent failures

Design interactions in a distributed system to mitigate or withstand failures

Monitor workload resources

Design your workload to adapt to changes in demand

Implement change

Back up data

Fault isolation to protect your workload

Design your workload to withstand component failures

Test reliability

Plan for disaster recovery (DR)

Cost Optimization

Implement cloud financial management

Govern usage

Monitor your cost and usage

Decommission resources

Evaluate cost when you select services

Meet cost targets when you select resource type, size and number

Use pricing models to reduce cost

Plan for data transfer charges

Manage demand, and supply resources

Evaluate new services

Evaluate the cost of effort

Performance

Select the appropriate cloud resources and architecture patterns for your workload

Select and use compute resources in your workload

Store, manage, and access data in your workload

Select and configure networking resources in your workload

Support more performance efficiency for your workload

Sustainability

Select Regions for your workload

Align cloud resources to your demand

Take advantage of software and architecture patterns to support your sustainability goals

Take advantage of data management policies and patterns to support your sustainability goals

Select and use cloud hardware and services in your architecture to support your sustainability goals

Implement organizational processes support your sustainability goals