Enforcing guardrails in the AWS environment

  • AWS offers its customers multiple ways to enforce guardrails: mechanisms that let developers or DevOps teams achieve their goals while staying within pre-defined controls.
  • Service control policies (SCPs) configure the maximum permissions that identities within an AWS organization can have over resources.
  • Resource control policies (RCPs) configure the maximum permissions allowed on resources within an AWS organization.
  • Declarative policies let customers centrally enforce a desired configuration state for AWS services through the AWS Organizations console, the AWS CLI, CloudFormation templates, and AWS Control Tower.
  • Permission boundaries define the maximum permissions that identity-based policies attached to an IAM user or IAM role can grant.
  • Each alternative serves a slightly different purpose when governing access to resources across AWS Organizations at scale.
  • AWS does not grant any access by default: if an AWS service has not been allowed by an SCP somewhere in the AWS Organizations hierarchy, no identity will be able to use it.
  • Designing SCPs, RCPs, and Declarative policies as guardrails has limitations, including maximum sizes of 5120 characters for SCPs and RCPs and 10000 characters for Declarative policies.
  • Permission boundaries also have their limitations, including a maximum size of 6144 characters.
  • It is recommended to read the AWS documentation and watch the AWS re:Invent 2024 lecture 'Security invariants: From enterprise chaos to cloud order' for a better understanding.
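The summary above describes SCPs, RCPs and permission boundaries as layers that cap, rather than grant, permissions, and notes that nothing is allowed unless an SCP allows it somewhere in the hierarchy. The following Python is an added, constructed illustration (not code from the article or from AWS) of that intersection behaviour, plus a pre-deployment check against the size limits quoted above. It deliberately models only Allow/Deny on action names; conditions, resource ARNs, NotAction and session policies are left out, and the sample policies are made up.

```python
"""Simplified model of how AWS guardrails layer on top of identity-based permissions.

Constructed example, not AWS's policy engine. It captures the ordering the summary
describes: organization guardrails (SCPs/RCPs) first, then the permission boundary,
then the identity policy. A request succeeds only if every applicable layer allows
it and no layer denies it.
"""
import json
from fnmatch import fnmatchcase

# Character limits stated in the summary above, per policy type.
POLICY_SIZE_LIMITS = {
    "scp": 5120,
    "rcp": 5120,
    "declarative": 10000,
    "permission_boundary": 6144,
}


def _actions_of(stmt):
    actions = stmt.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)


def evaluate_policy(policy, action):
    """Evaluate one policy document against an action name such as 's3:GetObject'.

    Returns 'Deny' (explicit deny), 'Allow', or None (implicit deny: no matching
    statement). IAM action matching is case-insensitive and supports '*' wildcards.
    """
    decision = None
    for stmt in policy.get("Statement", []):
        if not any(fnmatchcase(action.lower(), pat.lower()) for pat in _actions_of(stmt)):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"  # an explicit deny always wins
        if stmt.get("Effect") == "Allow":
            decision = "Allow"
    return decision


def is_allowed(action, identity_policy, org_layers, permission_boundary=None):
    """Intersection semantics of the guardrails described in the summary.

    org_layers: SCP (or RCP) documents attached at each level of the organization
    path, e.g. [[root policies], [OU policies], [account policies]]. Every level must
    contain an Allow for the action and no Deny; otherwise no identity in the account
    can use it, because nothing is granted by default.
    permission_boundary: the boundary attached to the principal, if any; it must
    also Allow the action.
    identity_policy: the identity-based policy that finally grants the action.
    """
    for layer in org_layers:
        decisions = [evaluate_policy(p, action) for p in layer]
        if "Deny" in decisions or "Allow" not in decisions:
            return False
    if permission_boundary is not None and evaluate_policy(permission_boundary, action) != "Allow":
        return False
    return evaluate_policy(identity_policy, action) == "Allow"


def policy_fits_limit(policy, kind):
    """Pre-deployment size check against the limits quoted in the summary.

    Measures compact JSON. Whether whitespace counts toward the limit differs per
    policy type, so treat a failure here as definitive and a pass as provisional.
    """
    size = len(json.dumps(policy, separators=(",", ":")))
    return size <= POLICY_SIZE_LIMITS[kind]


# Constructed sample policies (not from the article).
FULL_ACCESS = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_LEAVE_ORG = {"Version": "2012-10-17",
                  "Statement": [{"Effect": "Deny",
                                 "Action": "organizations:LeaveOrganization",
                                 "Resource": "*"}]}
DATA_ONLY_BOUNDARY = {"Version": "2012-10-17",
                      "Statement": [{"Effect": "Allow",
                                     "Action": ["s3:*", "dynamodb:*"],
                                     "Resource": "*"}]}
DEVELOPER_POLICY = {"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow",
                                   "Action": ["s3:GetObject", "ec2:DescribeInstances",
                                              "organizations:*"],
                                   "Resource": "*"}]}
# Root allows everything; the OU keeps full access but denies leaving the organization.
ORG_PATH = [[FULL_ACCESS], [FULL_ACCESS, DENY_LEAVE_ORG]]

if __name__ == "__main__":
    for act in ["s3:GetObject", "ec2:DescribeInstances", "organizations:LeaveOrganization"]:
        print(act, is_allowed(act, DEVELOPER_POLICY, ORG_PATH, DATA_ONLY_BOUNDARY))
```

Running it shows the three outcomes the summary implies: `s3:GetObject` passes every layer, `ec2:DescribeInstances` is granted by the identity policy but stopped by the permission boundary, and `organizations:LeaveOrganization` is stopped by the OU-level SCP deny regardless of what the identity policy says. Passing an empty layer in `org_layers` blocks everything, mirroring the point that AWS grants nothing unless an SCP allows it.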
