AWS Certified Solutions Architect - Associate (SAA-C02)


IAMLab

In this lab we want to remove access of all developers (dev1, dev2 and dev3) from the customer data bucket (S3). Can we achieve it by removing the S3 admin policy and creating an S3 restricted policy, assigned to the developer group? Why are we creating a role and assigning it to one user (dev1), and then dev3 is assuming the role from dev1?

2 Answers

I thought the same thing. Isn't it best practice to just change the policy for the developer group so that Dev1, 2, and 3 all have the same restricted permissions?

Agreed, creating a policy for the Devs user group with restricted access would work; however, assume that the devs are not on an equal playing ground, meaning that some devs are junior and others senior. The senior devs might have added responsibilities, which could be placed in a policy. Those added policies might also not be restricted to only the senior devs but to other resources in the company, such as HR. So, instead of creating policies that are specific, you create granular policies and add these granular policies to various user groups. Your architecture would be more loosely coupled. Hope this sheds some perspective.
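To make the two mechanisms in this thread concrete, here is an added example (not part of the lab or of either answer) that models them with a simplified IAM policy evaluator: a restricted policy on the developer group explicitly denies the customer data bucket for every member, while a separate role, whose trust policy names one user as the only principal allowed to assume it, grants customer-data read access to the role session only. All identifiers (the account id, bucket name, role name, policy contents) are constructed placeholders, and the evaluator is a toy that implements only the "explicit deny wins, then allow, else implicit deny" rule, not AWS's full evaluation logic.

```python
"""Toy IAM evaluator, constructed for illustration (not AWS's real engine).

Shows why a restricted group policy and an assumable role are different tools:
the group policy removes customer-data access for every developer at once,
and the role re-grants it only to whoever the trust policy names, and only
for the duration of an explicit AssumeRole call.  All names are placeholders.
"""
import fnmatch

ACCOUNT = "111111111111"                      # placeholder account id
CUSTOMER_BUCKET = "arn:aws:s3:::customer-data"  # placeholder bucket ARN
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/CustomerDataReader"  # placeholder role


def user_arn(name):
    return f"arn:aws:iam::{ACCOUNT}:user/{name}"


# Restricted policy attached to the developer group: general S3 read stays,
# the customer-data bucket is explicitly denied (an explicit Deny always wins).
DEVELOPER_GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": "arn:aws:s3:::*"},
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": [CUSTOMER_BUCKET, CUSTOMER_BUCKET + "/*"]},
    ],
}

# Identity policy attached only to dev1: permission to call AssumeRole on the role.
DEV1_ASSUME_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}],
}

# The role's trust policy names dev1 as the only principal that may assume it;
# its permission policy grants read access to the customer-data bucket.
ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": user_arn("dev1")},
                   "Action": "sts:AssumeRole"}],
}
ROLE_PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
                   "Resource": [CUSTOMER_BUCKET, CUSTOMER_BUCKET + "/*"]}],
}

USER_GROUPS = {"dev1": ["developers"], "dev2": ["developers"], "dev3": ["developers"]}
GROUP_POLICIES = {"developers": [DEVELOPER_GROUP_POLICY]}
USER_POLICIES = {"dev1": [DEV1_ASSUME_POLICY]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards (* and ?) map onto fnmatch; case handled by the caller.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Simplified IAM logic: explicit Deny wins, then any Allow, else implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = [a.lower() for a in _as_list(stmt["Action"])]  # actions are case-insensitive
            if not _matches(actions, action.lower()):
                continue
            if not _matches(stmt.get("Resource", "*"), resource):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def identity_policies(user):
    """A user's effective identity policies: their own plus those of every group they belong to."""
    pols = list(USER_POLICIES.get(user, []))
    for group in USER_GROUPS.get(user, []):
        pols.extend(GROUP_POLICIES.get(group, []))
    return pols


def user_can(user, action, resource):
    return evaluate(identity_policies(user), action, resource)


def can_assume(user):
    """Both halves must allow it: the role's trust policy and the user's own permissions."""
    trusted = any(
        stmt["Effect"] == "Allow"
        and "sts:AssumeRole" in _as_list(stmt["Action"])
        and user_arn(user) in _as_list(stmt["Principal"].get("AWS", []))
        for stmt in ROLE_TRUST_POLICY["Statement"]
    )
    return trusted and user_can(user, "sts:AssumeRole", ROLE_ARN)


def role_session_can(action, resource):
    """An assumed-role session carries the role's permissions, not the caller's group policies."""
    return evaluate([ROLE_PERMISSION_POLICY], action, resource)


if __name__ == "__main__":
    obj = CUSTOMER_BUCKET + "/records.csv"
    for dev in ("dev1", "dev2", "dev3"):
        print(f"{dev}: direct GetObject on customer data = {user_can(dev, 's3:GetObject', obj)}, "
              f"can assume role = {can_assume(dev)}")
    print(f"role session GetObject on customer data = {role_session_can('s3:GetObject', obj)}")
```

Running it shows the split the answers describe: the group's explicit Deny blocks all three developers from the customer data bucket regardless of any Allow elsewhere, while the role re-grants read access only after an AssumeRole that both the trust policy and the caller's own permissions must permit. In a real account, each such AssumeRole call is recorded by CloudTrail, which is what makes role-based elevation auditable in a way that a broader group policy is not.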
