A new department has recently joined the organization and the administrator needs to compose access permissions for the group of users.
Given that they have various roles and access needs, what is the best-practice approach when granting access?
A. B. C. D.
Correct Answer - C.
The best practice for AWS Identity and Access Management (IAM) is to grant only the permissions required to perform the tasks of the user's role.
Additional permissions can be granted per user according to the tasks they wish to perform on the system.
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege
Option A is incorrect because granting users access to the most common resources presents security vulnerabilities, especially from those who have access to resources they do not need.
Option B is incorrect because granting users the same privileges on the system means other users might get access to resources they do not need to carry out their job functions.
This presents a security risk.
Option D is incorrect because the users are part of the organisation, and it will be cumbersome for the administrator to constantly create temporary access passes for internal staff.
The best-practice approach when granting access to a new department with various roles and access needs is to grant all users the least privilege required to perform their job function, and then add more privileges only for those who need them.
This approach is commonly known as the principle of least privilege (PoLP) and is a fundamental security concept in which users are granted the minimum level of access required to perform their job functions, and nothing more. This helps to reduce the risk of accidental or intentional misuse, unauthorized access, and other security incidents.
To implement the principle of least privilege, the administrator should first gather information on the users' job functions and access needs, and then carefully review the resources and privileges required to perform those tasks. Based on this analysis, the administrator can then grant access to only the resources and privileges that are necessary for each user to perform their job functions.
It is important to note that this approach may require more upfront planning and administration to ensure that users have the necessary access to perform their job functions, but it will ultimately reduce the overall risk of security incidents and unauthorized access.
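The review step described above can be expressed in code. The following Python is an added example, not part of the original explanation: it builds an IAM policy document from a map of job functions to required actions, and flags any grant in an existing policy that exceeds that map. The role names, bucket name, and the names `ROLE_NEEDS`, `build_policy` and `excess_grants` are assumptions made for illustration.

```python
import json

# Constructed sample: each job function mapped to the actions and resources it
# needs. Role names and the bucket name are hypothetical.
ROLE_NEEDS = {
    "analyst": {
        "actions": {"s3:GetObject", "s3:ListBucket"},
        "resources": ["arn:aws:s3:::example-reports",
                      "arn:aws:s3:::example-reports/*"],
    },
    "uploader": {
        "actions": {"s3:PutObject"},
        "resources": ["arn:aws:s3:::example-reports/incoming/*"],
    },
}

def build_policy(role):
    """Return an IAM policy document granting only what the role needs."""
    need = ROLE_NEEDS[role]
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": sorted(need["actions"]),
                           "Resource": list(need["resources"])}]}

def _as_list(value):
    # IAM accepts a single string/object where a list is also allowed.
    return [value] if isinstance(value, (str, dict)) else list(value)

def excess_grants(role, policy):
    """List Allow grants in `policy` that exceed the role's documented needs."""
    need = ROLE_NEEDS[role]
    ok_actions = {a.lower() for a in need["actions"]}  # action names are case-insensitive
    ok_resources = set(need["resources"])
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() not in ok_actions:  # also catches "*" and "s3:*"
                findings.append(("action", action))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource not in ok_resources:
                findings.append(("resource", resource))
    return findings

if __name__ == "__main__":
    print(json.dumps(build_policy("analyst"), indent=2))
    broad = {"Statement": {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}}
    print(excess_grants("analyst", broad))
```

Any finding is either an over-grant to remove or a sign that the documented needs for that role are out of date.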
The other answer options are not the best-practice approach to granting access to a new department with various roles and access needs.
Option A, which involves granting every user access to the most common resources and privileges on the system, is not an appropriate approach as it may lead to users having more access than they require, increasing the risk of security incidents.
Option B, which involves granting all users the same permissions and then granting more upon request, is also not recommended as it may lead to unnecessary access and security risks.
Option D, which involves granting users no access and only granting temporary access when needed, may be appropriate in some situations, but is not the best practice approach as it can be inconvenient and may not provide users with the necessary access to perform their job functions.