Tips and Best Practices to Set Up Granular Access Control in AWS

Granular access control in AWS allows you to grant users and groups the least privilege necessary to perform their jobs. This helps to protect your AWS resources from unauthorized access.

Here are some tips and best practices for setting up granular access control in AWS:

  • Use IAM roles. IAM roles let you grant permissions to users, groups and services through short-lived credentials, without distributing or managing long-lived passwords and access keys. This makes permissions easier to manage and ensures that each principal only has the permissions it needs.

You could create an IAM role for developers that grants them permission to read CloudWatch application logs and inspect CodePipeline CI/CD pipelines (read-only actions only):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:FilterLogEvents",
                "logs:GetLogEvents",
                "logs:GetLogRecord",
                "logs:GetLogGroupFields",
                "logs:GetQueryResults",
                "logs:StartQuery"
            ],
            "Resource": "arn:aws:logs:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "codepipeline:GetPipeline",
                "codepipeline:GetPipelineState",
                "codepipeline:GetPipelineExecution"
            ],
            "Resource": "*"
        }
    ]
}

You can then create an IAM role for operations engineers that grants them permission to manage existing EC2 instances (start, stop, reboot, terminate, tag and inspect them). The ec2:Describe* actions do not support resource-level permissions, so they are granted on "*" in a separate statement while the mutating actions are scoped to instance ARNs:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "ec2:RebootInstances",
                "ec2:GetConsoleOutput",
                "ec2:CreateTags",
                "ec2:ModifyInstanceAttribute"
            ],
            "Resource": "arn:aws:ec2:region:account-id:instance/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeTags",
                "ec2:DescribeRegions",
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeImages"
            ],
            "Resource": "*"
        }
    ]
}

  • Use IAM conditions. IAM conditions allow you to further restrict access to AWS resources based on specific criteria, such as the time of day, the source IP address of the request, or the AWS region the request is sent to.

You could use an IAM condition so that objects in a specific S3 bucket can only be read by requests made to a specific AWS region, using the aws:RequestedRegion condition key:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::examplebucket/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "us-west-2"
                }
            }
        }
    ]
}

  • Use tags for attribute-based access control. Tags let you organize and manage your AWS resources by attaching metadata to them, and IAM principals (users and roles) can be tagged as well. You can then write IAM policies that grant permissions based on the tags on the resource, on the request, or on the principal.

EC2 instances can be tagged with the project they belong to. You could then create an IAM policy that lets developers launch EC2 instances only when the new instance carries a Project tag matching the Project tag on their own principal. The aws:RequestTag/Project key refers to the tag on the instance being created (ec2:ResourceTag only applies to resources that already exist); RunInstances also needs permission on the AMI, subnet, security group and other resources it touches; and ec2:CreateTags scoped to ec2:CreateAction lets the tags be applied at launch:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringEquals": {"aws:RequestTag/Project": "${aws:PrincipalTag/Project}"}}
        },
        {
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:*:*:image/*", "arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:key-pair/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "ec2:CreateTags",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringEquals": {"ec2:CreateAction": "RunInstances"}}
        }
    ]
}

  • Use AWS Organizations. This service allows you to centrally manage multiple AWS accounts. You can then attach Service Control Policies (SCPs) to organizational units (OUs) to set guardrails on the permissions available to users and roles across all of the AWS accounts in the OU. SCPs cap what identity policies can grant; they do not grant permissions themselves.

In a multi-account AWS environment, AWS Organizations simplifies central management. By employing Service Control Policies (SCPs) at the account level, you can implement high-level restrictions.

For instance, in a production account, you may use SCPs to prevent IAM user creation and limit allowable regions. This enhances security and compliance by reducing the risk of accidental resource deployment and minimizing the attack surface.

Here's an example of an SCP that prevents IAM user creation and denies launching EC2 instances outside the approved regions. StringNotEquals with a list of values matches only when the requested region is none of them:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "iam:CreateUser",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": [
                        "us-east-1",
                        "us-west-2"
                    ]
                }
            }
        }
    ]
}
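As an added illustration, not code from the article, the following Python models how IAM combines the tag-based developer policy and the production SCP above: policy variables such as ${aws:PrincipalTag/Project} are expanded, StringEquals and StringNotEquals are evaluated with IAM's treatment of absent keys, and an explicit Deny in either policy overrides an Allow. The account ID and the Project tag values are constructed placeholders.

```python
import re

def _resolve(value, ctx):
    # Expand policy variables such as ${aws:PrincipalTag/Project} from the request context
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), ""), value)

def _matches(pattern, value):
    # IAM-style wildcard match for Action and Resource strings ('*' matches anything)
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), value) is not None

def _condition_ok(cond, ctx):
    # StringEquals / StringNotEquals only; an absent key fails the former and passes the latter, as in IAM
    for op, pairs in cond.items():
        if op not in ("StringEquals", "StringNotEquals"): raise ValueError(f"unsupported operator {op}")
        for key, want in pairs.items():
            want = [_resolve(v, ctx) for v in (want if isinstance(want, list) else [want])]
            if (ctx.get(key) in want) != (op == "StringEquals"):
                return False
    return True

def evaluate(policies, action, resource, ctx):
    # Identity policy plus SCP: an explicit Deny in any policy wins, otherwise an Allow is required
    allowed = False
    for policy in policies:
        stmts = policy["Statement"]
        for s in (stmts if isinstance(stmts, list) else [stmts]):
            acts = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
            res = s["Resource"] if isinstance(s["Resource"], list) else [s["Resource"]]
            if (any(_matches(a, action) for a in acts) and any(_matches(r, resource) for r in res)
                    and _condition_ok(s.get("Condition", {}), ctx)):
                if s["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "Deny"

# Constructed policies mirroring the article: tag-based developer policy and production SCP
DEV_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {"StringEquals": {"aws:RequestTag/Project": "${aws:PrincipalTag/Project}"}}}}
PROD_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "iam:CreateUser", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "us-west-2"]}}}]}

def launch_decision(region, principal_project, request_project):
    # Decision for a developer launching a Project-tagged instance (account ID is a placeholder)
    ctx = {"aws:RequestedRegion": region, "aws:PrincipalTag/Project": principal_project,
           "aws:RequestTag/Project": request_project}
    return evaluate([DEV_POLICY, PROD_SCP], "ec2:RunInstances",
                    f"arn:aws:ec2:{region}:123456789012:instance/*", ctx)
```

Only string operators and the two policies above are modelled; use the IAM policy simulator for anything beyond that.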

Additional Tips

  • Use a least-privilege approach. When assigning permissions to users and groups, only grant them the permissions they need to do their jobs. This helps to reduce the risk of unauthorized access to your AWS resources.
  • Regularly review and update your IAM policies. Make sure that your IAM policies are still appropriate for your needs. You should also remove any unused users, groups, and roles.
  • Use a cloud security posture management (CSPM) tool, such as AWS Security Hub. It performs security best-practice checks, aggregates alerts, and enables automated remediation. This helps you identify and remediate security risks in your AWS environment, and it also helps you verify that your granular access control policies are working as intended.

By following these tips and best practices, you can set up granular access control in AWS to help protect your resources from unauthorized access.

Mohit Goswami

2x AWS Certified | Terraform Certified | Cloud Infrastructure Officer

1 year

This is a must read for all the new Sysops admins out there... Following these tips will really help to setup a very secure infrastructure with granular access controls... Really excited to see what insightful articles come next
