View profile

IAM Pulse Check #3 - Birth

IAM Pulse Check
IAM Pulse Check #3 - Birth
By Ivan Dwyer • Issue #3 • View online
Hey folks,
I’m excited to announce that we went live with the IAM Pulse community site last week, and have received an overwhelmingly positive response to the concept itself, and for our first batch of member contributed articles.
Any new community takes time to get going, but I am equally pleased and surprised at how enthusiastically people jumped on it. It feels timely to me – so few are IAM specialists, yet so many carry the responsibility. The surface area is growing and constantly changing, making it hard to reason with in the context of daily work. It’s becoming crystal clear that IAM is a discipline that warrants further dedication, not just a footnote.
Like any complex discipline, it’s best to take it in stride – on the way to becoming an expert is building more confidence. In simple terms, building confidence means responding to, “does this look right?” with greater conviction over time. When the status quo response is something like, “who’s to say?”, any improvement is miles ahead.
In that spirit, the content that we aim to bring into this community, and the conversations we will help facilitate amongst our members will both help derive a better fundamental understanding of the core principles behind IAM, and provide explicit examples of best practice use cases.
And just like the discipline itself, our team is taking community development in stride. As we crawl, walk, and run, we’d love to hear from you what would bring the most value. To break the ice, I’d love to hear what specific topics you want to learn more about. Could it be policy specifics like SCPs, Conditions, or Permission Boundaries? Workflow practices like code reviews, on and offboarding, or compliance reporting? Let us know by replying to this email, or giving us a shout on Twitter or LinkedIn.
Cheers,
Ivan

IAM checking these out...
The team has been working with a number of expert practitioners to kick off our community program with a bang. Here’s a sampling of our excellent member contributed articles. Have the itch to contribute yourself? See our publishing guide to learn more.
Whether getting back to it, or starting with it, understanding the basics are fundamental. A joke I often tell is that IAM is like the board game, Othello – a minute to learn, a lifetime to master. This article outlines the essentials, but does so in a practical way by peeking at the internals, and walking through a real use case.
www.iampulse.com  •  Share
A question I get asked a lot, and one I ask myself a lot, is, “what makes IAM so hard?” On the surface, it sounds fairly straightforward – who can do what under which conditions and when. This article does aa great job talking through the complexities, while introducing my new favorite terms, The Gulf of Execution and Evaluation.
www.iampulse.com  •  Share
The final decision of any AWS IAM request is a binary allow or deny, but the inputs into that decision can be many. The potential Confused Deputy Problem is critical to understanding how policies are evaluated, and what can go wrong in the chain. This article does a great job explaining how to limit the permissions you grant to service accounts using PassRole.
www.iampulse.com  •  Share
Our call for content asked folks if they have any IAM tricks up their sleeve… and this one is quite the trick! Service accounts are often overlooked, and frequently overprivileged. In the specific case of the AWS OpenSearch service, you can make an IAM user the primary authentication mechanism. But that user needs no IAM permissions to function, so best to grant them exactly that. Nice one!
www.iampulse.com  •  Share
Speaking of service accounts, Infrastructure as Code deployment pipelines need privileges to spin up and down resources. But right sizing deployment users can be tricky because so much depends on the contents of the workloads. The tempting thing to do is just grant AdministratorAccess so you don’t run into any failures, but that could easily get you into trouble. This article is a step by step example of creating a deployment user and explicitly assigning the right permissions needed to perform the right actions.
www.iampulse.com  •  Share
IAM listening to this...
It won’t always be the case that my most recent vinyl acquisition lines up with the newsletter topic, but the stars aligned on this one!
Sitting atop my “new arrivals” pile is an incredibly piece of soul jazz from Philly by an obscure group named Coalition. Their lone 1978 LP, Birth, was privately pressed in tiny quantities and handed out at local shows. Not much is known of this group, but it’s been a white wale of mine for some time, mostly the sublime vocal track, Thinking of You. By some miracle, I was able to score a clean original copy last week without breaking the bank. Amazing!
www.discogs.com  •  Share
From the depths of my personal collection
From the depths of my personal collection
Did you enjoy this issue?
Ivan Dwyer

Quick bite commentary and curation to help wrangle the complexities of cloud operations & security. Also puns and tunes.

In order to unsubscribe, click here.
If you were forwarded this newsletter and you like it, you can subscribe here.
Powered by Revue
Okta Inc. 100 1st St. San Francisco, CA 94105.