How should the security team prevent privilege escalation for both teams?
Enable AWS CloudTrail. Create a Lambda function that monitors the event history for privilege escalation events and notifies the security team.
Create a managed IAM policy for the permissions required. Reference the IAM policy as a permissions boundary within the development team’s IAM role.
Enable AWS Organizations. Create an SCP that allows the iam:CreateUser action but that has a condition that prevents API calls other than those required by the development team.
Create an IAM policy with a deny on the iam:CreateUser action and assign the policy to the development team. Use a ticket system to allow the developers to request new IAM roles for their applications. The IAM roles will then be created by the security team.
Explanations:
While enabling AWS CloudTrail and using a Lambda function for monitoring can provide visibility into privilege escalation events, it does not prevent privilege escalation in real time. This option focuses on detection rather than prevention.
Creating a managed IAM policy and using it as a permissions boundary effectively restricts the permissions that the development team can assign to the roles they create. This allows the security team to maintain control over the maximum permissions available to developers, thus preventing privilege escalation.
Enabling AWS Organizations and creating a Service Control Policy (SCP) to allow specific actions can help manage permissions, but it does not specifically prevent developers from creating IAM roles with escalated privileges. The SCP’s conditions may also complicate the management and flexibility required by the development team.
While denying iam:CreateUser and routing role requests through a ticket system does restrict the development team's ability to create IAM roles directly, it introduces significant management overhead and delays in provisioning roles. This solution is less efficient and does not effectively balance the need for developer autonomy with security.
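To make the permissions-boundary reasoning concrete, here is an added example (not from the original page) that models the two policies the correct option implies: a security-team-owned boundary and a developer role policy that permits role creation only when that boundary is attached. The account id, ARNs, policy contents and the simplified evaluator are constructed for illustration.

```python
"""Simplified model of how an IAM permissions boundary caps developer-created roles.
Added example, not from the original page: account id, ARNs and policy contents are
constructed placeholders; decide() evaluates only Allow/Deny on actions with '*'
wildcards plus StringEquals conditions, not resources, SCPs or session policies."""
import fnmatch

BOUNDARY_ARN = "arn:aws:iam::123456789012:policy/DevTeamBoundary"  # placeholder

# Managed policy the security team owns; the ceiling for any developer-created role.
DEV_TEAM_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "dynamodb:*", "lambda:*", "logs:*"], "Resource": "*"}]}

# Policy on the development team's own role: role creation is allowed only when the
# boundary is attached, and tampering with the boundary is explicitly denied.
DEV_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy"],
     "Resource": "*", "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}},
    {"Effect": "Deny", "Action": ["iam:DeleteRolePermissionsBoundary", "iam:CreatePolicyVersion",
                                  "iam:SetDefaultPolicyVersion"], "Resource": "*"}]}

# Over-broad policy a developer might attach to an application role they create.
APP_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def decide(policy, action, context):
    """Return 'Deny', 'Allow' or None (implicit deny) for one policy document."""
    decision = None
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if any(context.get(k) != v for k, v in cond.items()):
            continue  # condition not satisfied: statement does not apply
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny always wins
        decision = "Allow"
    return decision


def is_allowed(identity_policy, action, context=None, boundary=None):
    """Effective permission is the intersection of identity policy and boundary."""
    context = context or {}
    if decide(identity_policy, action, context) != "Allow":
        return False
    return boundary is None or decide(boundary, action, context) == "Allow"
```

Even though APP_ROLE_POLICY allows every action, a role carrying DEV_TEAM_BOUNDARY cannot call iam:CreateUser, and the developer role cannot create a role that omits the boundary or strip the boundary from an existing one.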