
Manage access based on life cycle

Managing permissions based on the user and machine lifecycle is crucial for maintaining a secure AWS environment. By integrating access controls with lifecycle events such as onboarding, role changes, and offboarding, organizations can reduce risks associated with unauthorized access.

Best Practices

Implement Automated Access Lifecycle Management

  • Use automation tools such as AWS Lambda, AWS IAM, or third-party solutions to manage user access dynamically based on lifecycle events. This ensures that permissions are revoked promptly when a user leaves the organization or changes roles, minimizing security risks.
  • Integrate access management with your HR management system to trigger automatic updates to IAM roles and permissions when an employee’s status changes. This ensures consistency and reduces human error in access management.
  • Regularly audit IAM roles and permissions associated with users and applications to ensure outdated permissions are identified and removed. This is important for maintaining a principle of least privilege, reducing potential attack vectors.
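The audit step above can be automated against the IAM credential report. The following is an added example, not code from the original page or from AWS: it parses the report's CSV and flags every enabled console password or active access key that has not been used within a threshold (or was never used since it was created or rotated). The rows are constructed sample data laid out in the real report's column order; the boto3 call named in the comment is an assumption about how a live report would be fetched.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample using a subset of the IAM credential report columns, in the
# report's own order. With boto3 the real CSV is
# iam.get_credential_report()["Content"].decode() once generate_credential_report() is done.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
alice,arn:aws:iam::123456789012:user/alice,2023-01-10T09:00:00+00:00,true,2024-05-30T08:12:00+00:00,2024-02-01T09:00:00+00:00,true,true,2024-02-01T09:00:00+00:00,2024-05-29T10:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-03-01T09:00:00+00:00,true,2023-11-02T14:00:00+00:00,2022-03-01T09:00:00+00:00,false,true,2022-03-01T09:05:00+00:00,N/A,false,N/A,N/A
ci-deployer,arn:aws:iam::123456789012:user/ci-deployer,2021-07-15T09:00:00+00:00,false,N/A,N/A,false,true,2024-01-15T03:00:00+00:00,2024-05-31T03:00:00+00:00,true,2022-12-01T03:00:00+00:00,2023-01-04T03:00:00+00:00
"""
SENTINELS = {"N/A", "no_information", "not_supported", ""}


def parse_ts(value):
    """Convert a report timestamp to an aware datetime; report sentinels become None."""
    return None if value in SENTINELS else datetime.fromisoformat(value)


def stale_reason(last_used, fallback, cutoff):
    """Explain why a credential is stale, or return None if it is in use.
    A never-used credential is judged by its creation/rotation date instead."""
    ref = last_used if last_used is not None else fallback
    if ref is None or ref >= cutoff:
        return None
    label = "idle since" if last_used is not None else "never used since"
    return f"{label} {ref.date()}"


def find_stale_credentials(report_csv, now, max_idle_days=90):
    """Return (user, credential, reason) for each enabled password or active access
    key not used within max_idle_days; inactive credentials are skipped."""
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["password_enabled"] == "true":
            why = stale_reason(parse_ts(row["password_last_used"]),
                               parse_ts(row["password_last_changed"]), cutoff)
            if why:
                findings.append((row["user"], "password", why))
        for n in ("1", "2"):  # the report carries at most two access keys per user
            if row[f"access_key_{n}_active"] != "true":
                continue
            why = stale_reason(parse_ts(row[f"access_key_{n}_last_used_date"]),
                               parse_ts(row[f"access_key_{n}_last_rotated"]), cutoff)
            if why:
                findings.append((row["user"], f"access_key_{n}", why))
    return findings
```

Because inactive keys are skipped, the same audit re-run after a deactivate-then-delete pass reports only what is still outstanding, which makes it usable as a recurring control rather than a one-off report.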

Centralize Identity and Access Management

  • Adopt a centralized identity provider (IdP) to manage user identities across different AWS accounts and services. This simplifies permission management and helps maintain alignment with organizational roles and responsibilities.
  • Implement Single Sign-On (SSO) with your central IdP to streamline access management and improve security by reducing the number of credentials users need to manage.
  • Regularly review and update federated access policies to adapt to changes in roles, responsibilities, and organizational structure, ensuring that only designated users retain access to sensitive resources.

Establish Clear Access Policies and Procedures

  • Document access control policies that define who has access to which resources and under what conditions. Clear policies are critical for maintaining order and ensuring compliance with regulatory standards.
  • Train employees on access management policies, including the importance of notifying the security team about any role changes or departures. Effective communication helps reinforce security practices across the organization.
  • Schedule periodic reviews of access policies to ensure they evolve alongside business needs and remain relevant to security requirements. Keeping policies updated is vital for effective risk management.

Questions to ask your team

  • How do you ensure that access permissions are updated promptly when an employee leaves the organization?
  • What processes are in place to review and adjust permissions when a user’s role changes?
  • Do you utilize a centralized federation provider to manage access control across your AWS environment?
  • How frequently do you audit access permissions for both users and machines?
  • Are automated tools in place to help manage the lifecycle of access permissions?

Who should be doing this?

Identity and Access Management (IAM) Administrator

  • Define and implement access control policies based on user lifecycle events.
  • Manage user permissions and roles in accordance with organizational protocols.
  • Implement automated processes to revoke access when users leave the organization or change roles.
  • Regularly audit access permissions to ensure compliance with security policies.
  • Collaborate with HR to stay informed about personnel changes that may affect access rights.

Security Compliance Officer

  • Ensure adherence to security standards and regulations related to identity and access management.
  • Review and assess the effectiveness of the access control policies based on lifecycle management.
  • Conduct periodic reviews and audits of access controls and user permissions.
  • Provide training and awareness to staff regarding security practices and access management.

DevOps Engineer

  • Integrate access control mechanisms with application deployment and lifecycle management tools.
  • Ensure that access permissions are appropriately configured in automated deployment pipelines.
  • Collaborate with IAM Administrators to implement role-based access controls for development and production environments.
  • Monitor and respond to security incidents related to access management.

What evidence shows this is happening in your organization?

  • User Access Lifecycle Management Policy: A formal policy document outlining procedures for managing user permissions throughout their lifecycle, including onboarding, role changes, and offboarding processes.
  • Access Control Checklist: A checklist used by administrators to ensure that access permissions are granted, modified, or revoked based on lifecycle events, with reminders for regular audits.
  • Role-based Access Control (RBAC) Model Diagram: A visual diagram illustrating the roles within the organization and their access permissions according to employee lifecycle stages.
  • Federated Access Management Strategy: A strategic document detailing the integration of a centralized federation provider with access controls linked to the lifecycle of users and applications.
  • Access Revocation Runbook: A step-by-step guide for system administrators to follow when revoking user access due to role changes or terminations, ensuring compliance and security.

Cloud Services

AWS

  • AWS Identity and Access Management (IAM): IAM allows you to configure user permissions and roles, enabling you to manage access throughout the user lifecycle.
  • AWS Single Sign-On (SSO): AWS SSO simplifies the management of user access to AWS accounts and applications, allowing for centralized user management and access controls.
  • AWS Organizations: AWS Organizations helps manage billing, control access, and apply governance across multiple AWS accounts, aiding in lifecycle-based access management.

Azure

Google Cloud Platform

  • Identity and Access Management (IAM): GCP IAM allows you to manage access control policies and roles, making it easier to associate permissions with the lifecycle of users and resources.
  • Cloud Identity: Cloud Identity offers user management and lifecycle management tools to help manage permissions as user roles change.

Question: How do you manage permissions for people and machines?
Pillar: Security (Code: SEC)
