How can this company achieve these new security requirements while minimizing the administrative burden on the Operations team?

By:
In: SAP-C01
Tagged:
With: 1 Comment
A large company experienced a drastic increase in its monthly AWS spend.This is after Developers accidentally launched Amazon EC2 instances in unexpected regions.The company has established practices around least privileges for Developers and controls access to on-premises resources using Active Directory groups.The company now want to control costs by restricting the level of access that Developers have to the AWS Management Console without impacting their productivity.The company would also like to allow Developers to launch Amazon EC2 in only one region, without limiting access to other services in any region.

How can this company achieve these new security requirements while minimizing the administrative burden on the Operations team?

Set up SAML-based authentication tied to an IAM role that has an AdministrativeAccess managed policy attached to it. Attach a customer managed policy that denies access to Amazon EC2 in each region except for the one required.

Create an IAM user for each Developer and add them to the developer IAM group that has the PowerUserAccess managed policy attached to it. Attach a customer managed policy that allows the Developers access to Amazon EC2 only in the required region.

Set up SAML-based authentication tied to an IAM role that has a PowerUserAccess managed policy and a customer managed policy that deny all the Developers access to any AWS services except AWS Service Catalog. Within AWS Service Catalog, create a product containing only the EC2 resources in the approved region.

Set up SAML-based authentication tied to an IAM role that has the PowerUserAccess managed policy attached to it. Attach a customer managed policy that denies access to Amazon EC2 in each region except for the one required.

Explanations:

This option suggests using SAML-based authentication with an IAM role that hasAdministrativeAccess, which grants broad permissions. Although it adds a customer managed policy to deny EC2 access in regions except one, the initial permissions are too permissive, contradicting the principle of least privilege and exposing the environment to potential misuse.

Creating an IAM user for each Developer and assigning them to a group withPowerUserAccessis not optimal. While the custom policy can limit EC2 access to the required region,PowerUserAccessstill allows a wide range of actions on other AWS services, which may lead to unintended costs and does not enforce the restriction effectively.

While this option sets up SAML-based authentication and restricts access to AWS Service Catalog, it does not fulfill the requirement of allowing EC2 access in a specific region. The Developers would not be able to launch EC2 instances directly but only through the Service Catalog, which does not align with their needs for productivity.

This option establishes SAML-based authentication tied to an IAM role withPowerUserAccess, allowing necessary permissions for other services while attaching a custom policy to deny EC2 access in all regions except the specified one. This balances the need for access control with productivity, maintaining least privilege while effectively managing costs.

2025-09-29

1 Comment

  1. Ronald
    Author

    Based on what I know, the answer is:
    Set up SAML-based authentication tied to an IAM role that has the PowerUserAccess managed policy attached to it. Attach a customer managed policy that denies access to Amazon EC2 in each region except for the one required.

Leave a Reply to Ronald Cancel reply

Your email address will not be published. Required fields are marked *

eighteen − eleven =