You are managing the AWS account of a big organization.
The organization has more than 1000+ employees and they want to provide access to the various services to most of the employees.
Which of the below mentioned options is the best possible solution in this case?
Click on the arrows to vote for the correct answer
A. B. C. D.Answer - D.
The best practise for IAM is to create roles which has specific access to an AWS service and then give the user permission to the AWS service via the role.
For the best practises on IAM policies, please visit the link:
http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.htmlOption C is the best possible solution for providing access to various AWS services to most employees of a big organization.
Creating separate IAM users for each employee (Option A) may become difficult to manage as the number of employees increases. It will also be time-consuming and challenging to provide and manage access policies for each individual IAM user.
Creating an IAM role and attaching STS with the role (Option B) is a good option when dealing with EC2 instances. However, this option will not work well for providing access to various AWS services to most of the employees in the organization.
Attaching IAM roles with the organization's authentication service to authorize each user for various AWS services (Option D) is a possible solution, but it may be challenging to manage and maintain.
Creating IAM groups as per the organization's departments and adding each user to the group for better access control (Option C) is the best possible solution in this case. It will enable better access control by organizing the users based on their departments and simplifying the management of access policies for various AWS services.
By creating IAM groups, the organization can provide access to various AWS services based on the department or team a user belongs to. For example, users in the finance department may require access to AWS services like Amazon S3 for data storage, Amazon Redshift for data warehousing, and Amazon RDS for database management. On the other hand, users in the marketing department may require access to AWS services like Amazon EC2 for hosting their websites and applications, Amazon CloudFront for content delivery, and Amazon Route 53 for DNS management.
The organization can create IAM policies for each department or team and attach them to the respective IAM groups. This way, each user added to the group will automatically inherit the policies assigned to that group, simplifying the management of access policies for various AWS services.