
Requirement 5 - Manage identities and segregate privileges - SWIFT Customer Security Controls Framework (v2022) on AWS

Requirement 5 - Manage identities and segregate privileges

Logical access control

Here are two sample roles for managing the SWIFT infrastructure and components:

  • The SWIFT instance operator role grants access to individuals who need EC2 access to install and troubleshoot SWIFT software such as AMH, SAG, and SNL.

  • The SWIFT infrastructure role grants the ability to control the state of infrastructure components such as EC2, Amazon MQ, and Amazon RDS for Oracle, and to view CloudWatch Logs.

When you create IAM policies, follow the standard security advice of granting least privilege, or granting only the permissions required to perform a task. Determine what users (and roles) need to do, and then craft policies that allow them to perform only those tasks.

Start with a minimum set of permissions, and grant additional permissions as necessary. This is more secure than starting with permissions that are too lenient and trying to tighten them later.

IAM provides several options to help you refine the permissions that you grant.

  • Understand access level groupings – You can use access level groupings to understand the level of access that a policy grants. Policy actions are classified as List, Read, Write, Permissions management, or Tagging. For example, you can choose actions from the List and Read access levels to grant read-only access to your users. To learn how to use policy summaries to understand access level permissions, refer to Use access levels to review IAM permissions.

  • Validate your policies – You can perform policy validation using IAM Access Analyzer when you create and edit JSON policies. We recommend that you review and validate all of your existing policies. IAM Access Analyzer provides over 100 policy checks to validate your policies. It generates security warnings when a statement in your policy allows access it considers to be overly permissive. You can use the actionable recommendations that are provided through the security warnings as you work toward granting least privilege. To learn more about policy checks provided by IAM Access Analyzer, refer to IAM Access Analyzer policy validation.

  • Generate a policy based on access activity – To help you refine the permissions that you grant, you can generate an IAM policy that is based on the access activity for an IAM entity (user or role). IAM Access Analyzer reviews your AWS CloudTrail logs and generates a policy template that contains the permissions that have been used by the entity in your specified time frame. You can use the template to create a managed policy with fine-grained permissions, then attach it to the IAM entity. That way, you grant only the permissions that the user or role needs to interact with AWS resources for your specific use case. To learn more, refer to Generate policies based on access activity.

  • Use last accessed information – Another feature that can help with least privilege is last-accessed information. View this information on the Access Advisor tab on the IAM console Details page for a user, group, role, or policy. Last-accessed information also includes information about the actions that were last accessed for some services, such as Amazon EC2, IAM, Lambda, and Amazon Simple Storage Service (Amazon S3). If you sign in using AWS Organizations management account credentials, you can view service last-accessed information in the AWS Organizations section of the IAM console.

    You can also use the AWS CLI or AWS API to retrieve a report for last-accessed information for entities or policies in IAM or Organizations. You can use this information to identify unnecessary permissions so that you can refine your IAM or Organizations policies to better adhere to the principle of least privilege. For more information, refer to Refining permissions in AWS using last accessed information.

  • Review account events in AWS CloudTrail – To further reduce permissions, you can view your account's events in AWS CloudTrail Event history. CloudTrail event logs include detailed event information that you can use to reduce the policy's permissions: because the logs record which actions and resources your IAM entities actually used, you can scope the policy to only those. For more information, refer to Viewing CloudTrail Events in the CloudTrail Console in the AWS CloudTrail User Guide.

Token management

The customer is responsible for having a controlled process for distributing, assigning, and revoking physical tokens.

Physical and logical password storage

AWS Secrets Manager is the recommended service for safely storing the passwords used in the SWIFT secure zone, such as the user IDs and passwords for connecting to Amazon RDS for Oracle and Amazon MQ, and the password for connecting SWIFT AMH to the SAG cluster. AWS Secrets Manager helps you protect the secrets needed to access your applications, services, and IT resources. The service enables you to rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. All secrets stored in AWS Secrets Manager should be encrypted with AWS KMS and have well-defined resource policies attached.

Secrets Manager integrates with AWS KMS to encrypt every version of every secret with a unique data key that is protected by an AWS KMS key. This integration protects your secrets under encryption keys that never leave AWS KMS unencrypted. It also enables you to set custom permissions on the AWS KMS key and audit the operations that generate, encrypt, and decrypt the data keys that protect your secrets.
