SEC02-BP06 Leverage user groups and attributes
As the number of users you manage grows, you need a way to organize them so that you can manage access at scale. Place users with common security requirements in groups defined by your identity provider, and put mechanisms in place to keep the user attributes you rely on for access control (for example, department or location) correct and current. Grant access to groups and attributes rather than to individual users. Access can then be managed centrally: when a user's access needs change, you change that user's group membership or attributes once, and the permission sets and policies bound to those groups and attributes take effect automatically, instead of updating many individual policies.
You can use AWS IAM Identity Center (IAM Identity Center) to manage user groups and attributes. IAM Identity Center supports most commonly used attributes, whether they are entered manually during user creation or provisioned automatically from your identity provider by a synchronization engine, such as one implementing the System for Cross-Domain Identity Management (SCIM) specification. Because an attribute that drives access control is effectively a permission, prefer sourcing it from the authoritative system of record over SCIM rather than maintaining it by hand, so that a change in the source (a transfer between departments, for example) is reflected in access without manual edits.
Level of risk exposed if this best practice is not established: Low
Implementation guidance
- If you are using AWS IAM Identity Center (IAM Identity Center), configure groups: IAM Identity Center lets you define groups of users and assign permission sets to groups, so that a user receives the desired level of permission by being added to a group rather than through an assignment to the individual user.
- Learn about attribute-based access control (ABAC): ABAC is an authorization strategy that defines permissions based on attributes of the principal and the resource (for example, matching a user's department attribute against a department tag on the resource), so a single policy can serve many users and resources.
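To make the ABAC point concrete, the following is an added example and not code from the Well-Architected page or from AWS. It models a simplified IAM policy evaluation in Python: a constructed policy grants S3 read access when the caller's department attribute (which IAM Identity Center passes as the aws:PrincipalTag/department condition key) matches the department tag on the resource, and denies everything on resources carrying a legal-hold tag. The attribute and tag names, the principal and resource data, and the evaluator itself are assumptions for illustration; only the StringEquals operator and Allow/Deny effects are modelled, and resource ARNs are not matched.

```python
import fnmatch
import re

# Constructed sample ABAC policy (not from the page or from AWS documentation).
# It never names a user: access depends on the caller's "department" attribute,
# exposed to IAM as aws:PrincipalTag/department, matching the "department" tag
# on the resource. Attribute and tag names are assumptions for this example.
ABAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadOwnDepartmentData",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/department": "${aws:PrincipalTag/department}"
                }
            },
        },
        {
            "Sid": "DenyLegalHold",
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:ResourceTag/legal-hold": "true"}},
        },
    ],
}

_POLICY_VAR = re.compile(r"\$\{([^}]+)\}")


def build_context(principal_attrs, resource_tags):
    """Map principal attributes and resource tags to IAM condition keys."""
    ctx = {f"aws:PrincipalTag/{k}": v for k, v in principal_attrs.items()}
    ctx.update({f"aws:ResourceTag/{k}": v for k, v in resource_tags.items()})
    return ctx


def substitute_vars(value, ctx):
    """Expand ${key} policy variables. An unresolvable variable is left
    unexpanded, so it can never accidentally equal a real tag value."""
    return _POLICY_VAR.sub(lambda m: ctx.get(m.group(1), m.group(0)), value)


def condition_holds(condition, ctx):
    """Evaluate a Condition block. Only StringEquals is modelled here; as in
    IAM, a context key that is absent makes StringEquals false."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            candidates = expected if isinstance(expected, list) else [expected]
            if not any(substitute_vars(c, ctx) == actual for c in candidates):
                return False
    return True


def is_allowed(policy, action, principal_attrs, resource_tags):
    """Simplified IAM evaluation: default deny, a matching Allow grants,
    a matching Deny overrides. Resource ARNs are not matched here."""
    ctx = build_context(principal_attrs, resource_tags)
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            continue
        if not condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    reports = {"department": "finance"}                     # constructed resource tags
    held = {"department": "finance", "legal-hold": "true"}  # constructed resource tags
    alice = {"department": "finance"}                       # attribute as synced via SCIM
    print(is_allowed(ABAC_POLICY, "s3:GetObject", alice, reports))  # True
    alice["department"] = "marketing"                       # attribute change, no policy edit
    print(is_allowed(ABAC_POLICY, "s3:GetObject", alice, reports))  # False
    print(is_allowed(ABAC_POLICY, "s3:GetObject", {"department": "finance"}, held))  # False
```

The point to take from the run is the second call: moving Alice to another department is a single attribute update at the identity source, and her access to the finance data disappears without any policy being edited. Two checks a practitioner would want are also visible: a principal with no department attribute is denied (the unexpanded variable cannot match a tag), and so is an untagged resource, which is why the accuracy of both attributes and tags has to be governed as carefully as the policy itself.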