If you ask 100 people what the ultimate Halloween song is, I bet 99 would say Thriller. I’m that one hip hop nerd who’d say Freaks Come Out At Night.
As I do every year at this time, I combed through my boxes of hip hop records that don’t get much play anymore to grab that classic Whodini LP. What’s different about this year is the mental association. IAM is a lot like Whodunnit or Whocandoit. That’s right – the puns don’t stop like the party don’t stop!
As mentioned during last week’s newsletter, a lot of what makes IAM complex is the surrounding nuance and the multiple dimensions. Every individual request is deterministic, so once you have all the inputs and understand the evaluation logic, the results are always predictable.
Where it’s easy to get tripped up is in the framing once you zoom out from a single request to a whole environment. As in: given a resource, who can access it and under what conditions? Or given a role, what can it do and who can assume it? Those questions are still answered by the same deterministic evaluation, but now it has to be run across every principal, action, and resource, so the work becomes an exercise in painstaking enumeration.
Digging into the dimensions behind the Who and the What has been insightful for our team, but where the real fun comes into play is when you get to the Why. That’s when you start to get to the heart of least privilege. Because without the Why, it wouldn’t matter that much what the right size is.
There can be different perspectives to the Why, which is a key reason that IAM is as much of a people challenge as it is a technical challenge. The Why for a developer could be, “my Lambda function needs to write to that S3 bucket, connect to that RDS instance, and pull from that SQS queue.” The Why for Security could be, “that data is tagged for PCI compliance, you can’t grant access for that service account.”
Navigating these conflicting perspectives can be hard, but a deeper understanding of the Why helps bring alignment where it’s needed.