1 Answers
The reason best practices say to use Groups rather than Users is because in many companies there will be more than 1 person that is doing some role. Additionally, people’s roles change, people leave, go on vacation, etc. Furthermore, companies following least privilege will not have a single policy, but many policies. These are all easier to handle if you use Groups.
Scenario 1:
You have 5 developers and 1 administrator. You create a Group for the developers and assign the Administrator role directly to your admin. Tomorrow, a new admin joins the team. If you had a Group for Admins you could’ve just added the new admin to the same group and they would inherit the same permissions.
Scenario 2:
You have 5 developers, but 1 will be going on vacation for 2 weeks. Security states that the employee’s permissions are revoked during their leave and restored when they return. If you had 1 Group for Developers and 1 Group for Vacation you could just put that person in both groups at the same time and the Vacation policy would block access (if it’s written properly). Then when they return just remove them from the vacation group. Using Users or Policies you would have to attach a different policy to them or remove the policies they had already.
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html
I hope this helps you. Let me know if you have more doubts.
Great, thank you!
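Scenario 2 in the answer above depends on how IAM combines the policies of every group a user belongs to: an explicit Deny in any one of them overrides every Allow. The following is an added example, not part of the original answer and not AWS code; it is a simplified model of that evaluation (it matches on Action only and assumes Resource "*"), and the group names, user names and policies are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample policies in IAM JSON policy shape (hypothetical content).
DEVELOPER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "ec2:Describe*"], "Resource": "*"}]}
# Vacation policy written properly: an explicit Deny on everything.
VACATION_DENY_ALL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*"}]}
# Vacation policy written badly: it contains no Deny, so it revokes nothing.
VACATION_WEAK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:GetUser", "Resource": "*"}]}


def matches(action, patterns):
    """IAM action names are case-insensitive and may contain * and ? wildcards."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def evaluate(user, action, memberships, group_policies):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    allowed = False
    for group in memberships.get(user, ()):
        for policy in group_policies.get(group, ()):
            for stmt in policy["Statement"]:
                if not matches(action, stmt["Action"]):
                    continue
                if stmt["Effect"] == "Deny":
                    return "ExplicitDeny"   # a Deny wins over any Allow
                allowed = True
    # Nothing matched at all means the request is denied by default.
    return "Allow" if allowed else "ImplicitDeny"


def vacation_demo(vacation_policy):
    """Decisions for a developer on leave: during the leave, then after return."""
    policies = {"Developers": [DEVELOPER_POLICY], "Vacation": [vacation_policy]}
    on_leave = {"bob": ["Developers", "Vacation"]}
    returned = {"bob": ["Developers"]}      # removed from the Vacation group
    return (evaluate("bob", "s3:GetObject", on_leave, policies),
            evaluate("bob", "s3:GetObject", returned, policies))


if __name__ == "__main__":
    print("deny-all vacation policy:", vacation_demo(VACATION_DENY_ALL))
    print("weak vacation policy:    ", vacation_demo(VACATION_WEAK))
```

With the weak policy the developer on leave keeps full developer access, which is the case the "if it’s written properly" caveat is about.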