Access Management

[ilyesedina]

High-Level Plan

• Business value added by strengthening Access Management
• Least Privilege Access Principle
• IAM on AWS
• Azure AD (Active Directory)
• SSO
• SSO-OBO flow (on behalf of) -> approval

Questions to consider:

• Who owns the responsibility of IAM? Is it IT? The business? The people managers? HR?
• What are the most important aspects of IAM besides the technical controls of getting access to systems?
• Why is IAM considered a problematic discipline in a business?
• Why is it so hard to protect?

MVP

IBM Inro:

• YouTube IAM (3m)
• YouTube Zero Trust (17m)
• YouTube Identity and Access Management (31m)
• Privileged access management (4m)

Udemy

• AWS course

  • IAM AWS CLI (section: 4) - 55m
  • Identity and access management (advanced section: 25) - 48m

• IAM on AWS 5 hours

Outcome

• A repository for collecting notes
• Test IAM on AWS
• Bi-weekly follow-up sessions with my mentor starting Sunday, June 30

[ilyesedina]

Is it a best practice to separate out the access management from the source code? Additionally, what are some recommended strategies for implementing this separation effectively using Terraform, including considerations for repository structure, access control, and state management?

[ilyesedina]

How to create an IAM role? There are multiple ways that an IAM Role can be created, evaluate the different methods and decide which one to use:

UI Creation manual creation It is not recommended since everything should be terraformed (but the simplest to implement).

CloudFormation Template: Create it through the AWS console.

• Run the template for creating IAM policy
• Copy the JSON document and include it in the codebase repository.

Create it by Terraform:

• Guide
• Create a directory under terraform called init
• Script an IAM role with admin access (assign the right policies)
• Log in to AWS from terminal with Saml2 AWS with admin access to the accounts one by one to cover the tree env and plan
• Plan and Apply it locally with targeted apply to the resource.
• This directory wouldn't be included in the CI/CD since this would only need to be run once.