[AG.SAD.6] Conduct periodic identity and access management reviews
Category: FOUNDATIONAL
With the distributed nature of DevOps Identity and Access Management (IAM) responsibilities, it is important to systematically review IAM roles and permissions periodically. This helps ensure that changes in roles and permissions align with the rapidly shifting needs of the organization, and that the guardrails set in place for delegation are working as intended or perhaps need to be fine-tuned. This activity aids in identifying unused or overly broad permissions, reinforcing the adherence to the principle of least privilege and reducing potential security risks.
Optionally, automate the right-sizing of permissions as part of these reviews. This proactive approach not only keeps IAM policies up to date, but also minimizes potential avenues for unauthorized access, further strengthening your overall security posture. Automatically right-sizing roles and permissions based on actual access activity allows organizations to scalably enforce that the right resources are accessible to the right entities, at the right times.
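As an added example of the activity-based right-sizing step described above (this is not code from the AWS guidance), the Python helper below takes a role's service last-accessed data, in the shape IAM's get_service_last_accessed_details API returns, together with one of the role's identity policies, and proposes a narrower policy that drops Allow actions on services the role has not used. The last-accessed entries, the policy and the review date are constructed samples, and the 90-day idle threshold is an assumption.

```python
from datetime import datetime, timezone
# Constructed sample mirroring the ServicesLastAccessed entries that IAM's
# get_service_last_accessed_details API returns for a role; the values are made up.
SAMPLE_LAST_ACCESSED = [
    {"ServiceNamespace": "s3", "LastAuthenticated": datetime(2024, 5, 20, tzinfo=timezone.utc)},
    {"ServiceNamespace": "dynamodb", "LastAuthenticated": datetime(2023, 11, 2, tzinfo=timezone.utc)},
    {"ServiceNamespace": "lambda"},  # no LastAuthenticated key: never used in the tracking period
]
# Constructed sample identity policy attached to the role under review.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": ["dynamodb:*", "lambda:InvokeFunction"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}
REVIEW_DATE = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed date of the review


def unused_services(last_accessed, now=REVIEW_DATE, max_idle_days=90):
    """Service namespaces the role never used, or last used more than max_idle_days ago."""
    return {
        e["ServiceNamespace"] for e in last_accessed
        if e.get("LastAuthenticated") is None or (now - e["LastAuthenticated"]).days > max_idle_days
    }


def right_size_policy(policy, unused):
    """Return (proposed_policy, removed_actions, wildcard_actions). Allow actions on unused
    services are dropped; Deny statements are kept as they are; wildcards such as "*" are
    kept but reported, since activity data alone cannot narrow them."""
    removed, wildcards, statements = [], [], []
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else list(actions)
        if stmt["Effect"] != "Allow":
            statements.append(stmt)
            continue
        kept = []
        for action in actions:
            service = action.split(":", 1)[0]
            if service in unused:
                removed.append(action)
                continue
            if service == "*":
                wildcards.append(action)
            kept.append(action)
        if kept:  # a statement whose every action was unused is dropped entirely
            statements.append({**stmt, "Action": kept})
    return {**policy, "Statement": statements}, removed, wildcards
```

The removed and wildcard lists are what a reviewer would examine before applying the proposed policy, since a service can be legitimately idle (for example, a disaster-recovery path) and a wildcard needs a human decision.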
Related information:
- AWS Well-Architected Security Pillar: SEC03-BP04 Reduce permissions continuously
- Regularly review and remove unused users, roles, permissions, policies, and credentials
- Use IAM Access Analyzer to generate least-privilege policies based on access activity
- Verify public and cross-account access to resources with IAM Access Analyzer