A new department has recently joined the organization and the administrator needs to compose access permissions for the group of users.
Given that they have various roles and access needs, what is the best-practice approach when granting access?
A. B. C. D.
Correct Answer - C.
The best practice for AWS Identity and Access Management (IAM) is to grant only the minimum permissions needed to carry out the required tasks of the user's role.
Additional permissions can be granted per user according to the tasks they wish to perform on the system.
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege
Option A is incorrect because granting users access to the most common resources introduces security vulnerabilities, especially from users who have access to resources they do not need.
Option B is incorrect because granting users the same privileges on the system means other users might get access to resources they do not need to carry out their job functions.
This presents a security risk.
Option D is incorrect because the users are part of the organisation, and it would be cumbersome for the administrator to constantly create temporary access passes for internal staff.
When granting access permissions for a new department, the best practice approach is to grant each user the least privilege necessary to perform their job functions. This means that users should only be given access to the specific resources and privileges that they need to do their work, and no more.
Option A, which involves granting every user access to the most common resources and privileges, is not ideal because it can result in users having access to resources that they don't need, which can increase the risk of security breaches or accidental damage to the system.
Option B, which involves granting all users the same permissions and then granting more upon request, can be inefficient and time-consuming for the administrator, as they will have to field numerous requests for additional privileges. Moreover, it can lead to users having unnecessary access in the interim period while they wait for their request to be granted.
Option D, which involves granting users temporary access on an as-needed basis, can be an effective approach for highly sensitive or critical resources. However, it can be impractical for everyday work and can result in delays and inefficiencies if users have to wait for access every time they need to perform a task.
Therefore, option C, which involves granting all users the least privilege and adding more privileges only to those who need it, is the best-practice approach for granting access permissions. This approach ensures that users only have access to the resources they need to do their jobs, which reduces the risk of security breaches or accidental damage to the system. It also simplifies access management for the administrator and reduces the number of requests for additional privileges.
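The pattern in option C can be audited mechanically. The following is an added example, not part of the original page or of AWS documentation: it takes a least-privilege group baseline plus per-user add-on policies and reports what each user holds beyond the baseline and which grants use wildcards. The policies, user names and bucket ARNs are constructed, and the check is a simplification that ignores `Deny` statements and conditions.

```python
# Constructed sample data: a least-privilege baseline attached to the department
# group, plus per-user add-on policies. Names and ARNs are placeholders.
GROUP_BASELINE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-dept-docs",
                 "arn:aws:s3:::example-dept-docs/*"]}]}
USER_ADDONS = {
    "alice": [],  # the baseline is enough for this role
    "bob": [{"Version": "2012-10-17", "Statement": {
        "Effect": "Allow", "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-dept-docs/reports/*"}}],
    "carol": [{"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}],
}

def as_list(value):
    """IAM JSON accepts a single value or a list for Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]

def allow_statements(policy):
    return [s for s in as_list(policy["Statement"]) if s.get("Effect") == "Allow"]

def overbroad_statements(policy):
    """Return (action, resource) pairs from Allow statements that use wildcards."""
    findings = []
    for stmt in allow_statements(policy):
        for action in as_list(stmt.get("Action", [])):
            for resource in as_list(stmt.get("Resource", [])):
                if "*" in action or resource == "*":
                    findings.append((action, resource))
    return findings

def audit(baseline, addons):
    """Per user: actions granted beyond the baseline, and any wildcard grants."""
    base = {a for s in allow_statements(baseline) for a in as_list(s.get("Action", []))}
    report = {}
    for user, policies in addons.items():
        extra, broad = set(), []
        for policy in policies:
            broad += overbroad_statements(policy)
            for stmt in allow_statements(policy):
                extra |= set(as_list(stmt.get("Action", []))) - base
        report[user] = {"extra_actions": sorted(extra), "overbroad": broad}
    return report

if __name__ == "__main__":
    for user, result in audit(GROUP_BASELINE, USER_ADDONS).items():
        print(user, result)
```

In this sample, `bob` holds one narrowly scoped extra action while `carol` is flagged for a wildcard grant that defeats the baseline.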