SEC03-02 Assigning Appropriate Permissions on Demand
Permissions management must adhere to the principles of on-demand allocation, least privilege, and separation of duties (SoD). Users should be assigned access permissions to critical service systems strictly based on their job responsibilities, preventing unauthorized access to sensitive systems and data. If temporary permissions are required, grant only the specific permissions necessary for performing designated tasks within a limited timeframe. Once the tasks are completed, these temporary permissions must be revoked.
- Risk level: High
- Key strategies
  - Organize user groups based on IT functions and add users to the corresponding groups. An IAM user group is a collection of IAM users. User groups let you specify permissions for multiple users at once.
  - It is recommended to grant permissions to user groups rather than to individual users.
  - The "admin" group is the system's default administrator group, possessing operational permissions across all cloud service resources. Do not add all users to the "admin" group.
  - Assign only the minimum necessary permissions to user groups. For instance, some user groups may only access specific cloud services, or have read-only permissions on cloud service resources.
  - Do not include the *:* management permissions in custom IAM policies.
  - If enterprise projects are utilized, prioritize assigning permissions to user groups within those enterprise projects. To grant permissions for all resources across all regions or specific regions under an account, consider using IAM projects to streamline the authorization process.
- Related cloud services and tools
  - Identity and Access Management (IAM)
  - Enterprise Project Management Service (EPS)
  - Cloud Bastion Host (CBH): Use CBH to restrict and control the use of, and access to, O&M accounts. CBH provides centralized management and fine-grained access control over O&M account permissions to systems and resources.
  - Organizations: In multi-account scenarios, leverage Service Control Policies (SCPs) within Organizations. The organization management account can use SCPs to define permission boundaries for member accounts, ensuring adherence to the organization's access control guidelines. SCPs can be associated with organizations, organizational units (OUs), and individual member accounts, impacting all accounts within their scope.
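The two policy checks from the key strategies above (no *:* grants in custom policies, and read-only groups receiving only read actions) can be automated before a custom policy is attached to a group. The following is an added example, not code from this page or from the cloud provider; the policy documents and action names are constructed and illustrative, and the read-only verb prefixes are an assumption about the service:resource:verb action layout.

```python
import json

# Constructed sample policies; the action names are illustrative and assumed,
# not taken from the page or any product documentation.
ADMIN_LIKE_POLICY = json.dumps({
    "Version": "1.1",
    "Statement": [{"Effect": "Allow", "Action": ["*:*:*"]}],
})

READ_ONLY_POLICY = json.dumps({
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow", "Action": ["obs:*:get*", "obs:*:list*"]},
        {"Effect": "Deny", "Action": ["*:*:*"]},  # a Deny narrows, it does not grant
    ],
})

SERVICE_WIDE_POLICY = json.dumps({
    "Version": "1.1",
    "Statement": [{"Effect": "Allow", "Action": "ecs:*:*"}],
})

# Assumed read-only verb prefixes (the last segment of a service:resource:verb action).
READ_VERB_PREFIXES = ("get", "list", "describe")


def spans_all_services(action: str) -> bool:
    """True when the service segment is '*', i.e. the action covers every cloud service."""
    return action.split(":", 1)[0].strip() == "*"


def is_read_verb(action: str) -> bool:
    """True when the verb segment starts with an assumed read-only prefix."""
    verb = action.rsplit(":", 1)[-1].strip().lower()
    return verb.startswith(READ_VERB_PREFIXES)


def lint_policy(policy_json: str, read_only: bool = False) -> list:
    """Return (statement_index, action, reason) tuples for Allow statements that
    violate the guidance: no *:* grants in custom policies and, when the target
    group is meant to be read-only, no non-read verbs. Deny statements are skipped."""
    findings = []
    for idx, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if spans_all_services(action):
                findings.append((idx, action, "grants *:* management permissions across all services"))
            elif read_only and not is_read_verb(action):
                findings.append((idx, action, "is not a read-only action"))
    return findings
```

A non-empty result from lint_policy is a reason to reject the policy in review; an explicit Deny of *:* is left alone because it restricts rather than grants.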