SEC 4. How are you defining roles and responsibilities of system users to control human access to the AWS Management Console and API?
The current best practice is for customers to segregate the defined roles and responsibilities of system users by creating user groups. User groups can be defined using several different technologies: Identity and Access Management (IAM) groups, IAM roles for cross-account access, Web Identity Federation, Security Assertion Markup Language (SAML) integration (e.g., defining the roles in Active Directory), or a third-party solution (e.g., Okta, Ping Identity, or another custom technique), which usually integrates via either SAML or AWS Security Token Service (STS). Using a shared account is strongly discouraged.
Best practices:
• IAM users and groups
• SAML integration
• Web Identity Federation
• AWS Security Token Service (STS)
• IAM roles for cross-account access
• A solution from the AWS Marketplace (e.g., Okta or Ping Identity) or from an APN Partner
• Employee life-cycle policies are defined and enforced
• Users, groups, and roles are clearly defined and granted only the minimum privileges needed to accomplish business requirements
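The last two practices (group-based role definitions and minimum privileges) can be checked mechanically. The following Python script is an added example, not part of the Well-Architected Framework text or any AWS tool. It audits a constructed, simplified snapshot shaped loosely like the output of the AWS CLI's `aws iam get-account-authorization-details` (user names, group names, and policy contents are invented here) and reports users that carry policies directly instead of through a group, users that belong to no group, and Allow statements that grant wildcard actions or apply to every resource. Managed-policy documents are not inspected in this sample; in the real output they appear in a separate "Policies" section.

```python
import json

# Constructed sample snapshot (simplified). Shaped loosely like
# `aws iam get-account-authorization-details`; every name and policy is invented.
SAMPLE_ACCOUNT = {
    "Users": [
        {"UserName": "alice", "GroupList": ["Developers"],
         "UserPolicyList": [], "AttachedManagedPolicies": []},
        {"UserName": "bob", "GroupList": [], "AttachedManagedPolicies": [],
         "UserPolicyList": [
             {"PolicyName": "bob-inline-admin",
              "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                  {"Sid": "AllTheThings", "Effect": "Allow",
                   "Action": "*", "Resource": "*"}]}}]},
        {"UserName": "shared-ops", "GroupList": ["Operators"], "UserPolicyList": [],
         "AttachedManagedPolicies": [{"PolicyName": "AdministratorAccess"}]},
    ],
    "Groups": [
        {"GroupName": "Developers", "GroupPolicyList": [
            {"PolicyName": "dev-s3-read",
             "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                 {"Sid": "ReadAppBucket", "Effect": "Allow",
                  "Action": ["s3:GetObject", "s3:ListBucket"],
                  "Resource": ["arn:aws:s3:::example-app-bucket",
                               "arn:aws:s3:::example-app-bucket/*"]}]}}]},
        {"GroupName": "Operators", "GroupPolicyList": [
            {"PolicyName": "ops-ec2",
             "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                 {"Sid": "AnyEc2", "Effect": "Allow",
                  "Action": "ec2:*", "Resource": "*"}]}}]},
    ],
}


def _as_list(value):
    """IAM lets Action/Resource/Statement be a string, an object, or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_statements(policy_doc):
    """Return (Sid, broad_actions, broad_resources) for each Allow statement that
    grants '*' or 'service:*' actions, or applies to Resource '*'.
    These are review findings, not automatic violations: some API actions do not
    support resource-level permissions and legitimately need Resource "*"."""
    findings = []
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        broad_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        broad_resources = [r for r in resources if r == "*"]
        if broad_actions or broad_resources:
            findings.append((stmt.get("Sid", "<no Sid>"), broad_actions, broad_resources))
    return findings


def directly_attached_users(account):
    """Users with inline or managed policies attached directly rather than via a
    group: these bypass the group-based role definitions and are hard to audit."""
    return sorted(u["UserName"] for u in account["Users"]
                  if u.get("UserPolicyList") or u.get("AttachedManagedPolicies"))


def groupless_users(account):
    """Users that belong to no group, so their role is not defined anywhere."""
    return sorted(u["UserName"] for u in account["Users"] if not u.get("GroupList"))


def audit(account):
    """Run every check over the snapshot; wildcard findings are keyed by principal/policy."""
    report = {"direct_policies": directly_attached_users(account),
              "no_group": groupless_users(account),
              "wildcards": {}}
    for user in account["Users"]:
        for pol in user.get("UserPolicyList", []):
            hits = wildcard_statements(pol["PolicyDocument"])
            if hits:
                report["wildcards"]["user:%s/%s" % (user["UserName"], pol["PolicyName"])] = hits
    for group in account["Groups"]:
        for pol in group.get("GroupPolicyList", []):
            hits = wildcard_statements(pol["PolicyDocument"])
            if hits:
                report["wildcards"]["group:%s/%s" % (group["GroupName"], pol["PolicyName"])] = hits
    return report


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_ACCOUNT), indent=2))
```

Against the sample, `bob` is flagged twice (no group, and an inline policy granting `*` on `*`), `shared-ops` is flagged for a directly attached managed policy, and the Operators group's `ec2:*` on `*` is listed for review, while the Developers group's scoped S3 policy produces no finding. Resource `*` findings need a human decision, since some actions cannot be scoped to a resource ARN.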