Skip to content
Pablo Rodriguez

Managing Permissions

Managing Permissions

Section titled “Managing Permissions”

Challenge of Managing Permissions

Section titled “Challenge of Managing Permissions”

Assigning permissions directly to users is difficult to manage and becomes problematic as organizations scale:

Initial Configuration Issues

  • Each developer given full access to Amazon EC2 through policies attached to individual users
  • Results in complex individual policy management

Scaling Problems

  • Adding new access (like Amazon S3) requires modifying each user’s policy individually
  • With multiple users, this becomes time-consuming and error-prone
  • Administrative overhead increases exponentially with user count

IAM Groups Solution

Section titled “IAM Groups Solution”
Best Practice

Key Benefits

Section titled “Key Benefits”

Job Function Alignment: Permissions in a group can be based on job functions • Inheritance: All users in the group inherit the permissions assigned to the group • Simplified Management: Single policy changes affect all group members

IAM Group Characteristics

Section titled “IAM Group Characteristics”

• Add users to groups or remove them from groups easily • A user can belong to multiple groups • Groups cannot belong to other groups (no nesting) • Groups can be granted permissions using access control policies • Groups do not have security credentials and cannot access web services directly

IAM groups are collections of IAM users that make it easier to manage permissions for multiple users instead of managing permissions for each individual user separately.

Example Implementation

Section titled “Example Implementation”

When creating groups that reflect job roles: • Administrators Group: Li and Paulo • Developers Group: Mateo, Shirley, and Sofia
Test Group: Ana, Zhang, and Jane

When Ana transitions from testing to development:

  • Remove her from the test group
  • Add her to the developers group
  • Or keep her in both groups if she performs both functions

Policy Evaluation with Groups

Section titled “Policy Evaluation with Groups”

User Policy vs Group Policy

Section titled “User Policy vs Group Policy”

When both user policies and group policies apply to the same user, specific rules govern access:

Explicit Deny Override: User policies with explicit denies override group policy allows • Additive Permissions: Permissions from multiple sources combine, but denies take precedence

Example Scenario: Zhang has both user policy and group membership

  • User Policy: Allows S3 and DynamoDB, but denies Kinesis
  • Group Policy (Developer): Allows S3, Athena, DynamoDB, and Kinesis

Results:

  • ✓ Can access Athena (from group policy)
  • ✗ Cannot access Kinesis (explicit deny in user policy overrides group allow)

Role-Based Access Control (RBAC) Challenges

Section titled “Role-Based Access Control (RBAC) Challenges”

Traditional RBAC Setup Process

Section titled “Traditional RBAC Setup Process”
  1. Create IAM policy with permissions for the job role
  2. List individual resources to be accessed in the policy
  3. Attach policy to IAM entity (user, group, or role)

Scaling Issues with RBAC

Section titled “Scaling Issues with RBAC”

Policy Maintenance: Must update multiple policies when new resources are added • Resource Specification: Policies require listing each individual resource • Time-Consuming Updates: Modifications needed across multiple policies for role changes

Attribute-Based Access Control (ABAC)

Section titled “Attribute-Based Access Control (ABAC)”
Modern Approach

ABAC Definition

Section titled “ABAC Definition”

Authorization strategy that defines permissions based on attributes: • Attributes: Key or key-value pairs • AWS Implementation: Uses tags as attributes • Application: Tags can apply to IAM resources (users/roles) and AWS resources

ABAC Benefits

Section titled “ABAC Benefits”

Flexibility: More flexible than policies requiring individual resource listing • Granular Permissions: Enables fine-grained permissions without updating for every new user or resource • Scalability: Highly scalable approach to access control • Auditability: Fully auditable access patterns

Tags in AWS

Section titled “Tags in AWS”

Resource metadata consisting of key/value pairs: • User-Defined: Customers can create custom tags • Cross-Account: Tags can apply across AWS accounts and IAM users/roles • API Integration: Many AWS API operations return tag keys and values • Multiple Uses: Billing, filtered views, and access control

Example Tags:

  • Name: Web server
  • Project: Unicorn
  • Env: Dev

Tag Limitations:

  • Up to 50 tags per resource
  • Each tag key must be unique per resource
  • Each tag key can have only one value
  • Tag keys and values are case-sensitive

ABAC Implementation Example

Section titled “ABAC Implementation Example”

Development Team Setup

Attributes for Roles:

  • Env = dev, Project = maint (Maintenance Developers)
  • Env = test, Project = maint (Maintenance Testers)
  • Env = dev, Project = newdev (New Development Developers)
  • Env = test, Project = newdev (New Development Testers)

Resource Tagging

Resource Tags:

  • EC2 instances tagged with Env and Project
  • S3 buckets tagged for specific teams
  • Automatic access based on matching attributes

ABAC Implementation Process

Section titled “ABAC Implementation Process”
  1. Create Identities: Apply attributes to IAM users or roles for access control
  2. Require Attributes: Create policies enforcing attribute requirements during resource creation
  3. Configure Permissions: Set access permissions based on matching attributes between roles and resources
  4. Test Configuration: Verify resources cannot be created without required tags and test role-based access

Using ABAC, one policy can handle permissions for multiple roles and resources, significantly reducing administrative overhead compared to traditional RBAC approaches.

Summary

Section titled “Summary”

Managing permissions effectively requires moving beyond individual user policies to group-based and attribute-based approaches. IAM groups provide immediate benefits for role-based access, while ABAC offers the most scalable solution for complex, dynamic environments with frequent resource and user changes.