IAM Pulse Check #7 - Patterns
IAM - a minute to learn... a lifetime to master
One of my favorite parts of starting a new project is the abundance of discovery conversations to hear as many perspectives as I can. People with passion always bring their all to those chats, which I absolutely love. It’s then my job to uncover meaningful patterns, both in people’s career journeys & aspirations, and their job responsibilities & struggles.
IAM is a fascinating topic because the passion often lies in the nuance, and the challenge in the dimensions. IAM is deterministic, which makes it entirely predictable, but only with all of the right context. Mastering the craft means having a grasp on the nuances like a PassRole privilege escalation, and the dimensions like an SCP deny override, for example. Much like the classic board game Othello, IAM takes a minute to learn… a lifetime to master.
As a proponent of the Jobs To Be Done framework for product development, I’ve also been thinking about it in the context of our community and the content we’re collecting, curating, and creating. Our member authors have done a great job contributing their on-the-job expertise (no pun intended), and we’re starting to form a healthy catalog of usable reference materials (as intended).
We’re still very much in the early days here, but I’m starting to see some patterns emerge. In the most simplistic of terms, the career aspiration pattern is to know what you need to know about IAM to get the job done effectively – no more, no less. And the job responsibility pattern is to be able to confidently say, “this looks right” when writing or reviewing a policy.
What’s consistent about that is the desire to keep it simple amidst the depth of the nuance and dimensions. No easy task by any means, but that’s what we’re here to figure out!
IAM checking these out...
A solid collection of usable IAM policy examples for DynamoDB that are a bit more right-sized than the default managed policies provided by AWS. A good one to bookmark if and when you find yourself hand-crafting DynamoDB policies.
Cross-account role trust policies should trust AWS accounts, not roles, part 2 | by Ben Kehoe | Oct, 2021 | Medium
Ben Kehoe’s argument that cross-account trust policies should trust the whole account, not just individual principals within the account, stirred up a healthy amount of discussion online – so much so that he wrote a part 2 further clarifying the scenario and stance. What I appreciate about the original argument is the notion that the account is the right boundary to plan for, which places more emphasis on designing the right account structure that fits your org. Good to understand the tradeoffs here, so I recommend reading and digesting both articles.
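To make the two stances concrete, here is an added Terraform illustration of both trust-policy shapes side by side. It is not code from either article; the account ID, role names and the `DeployRole` name are placeholders.

```hcl
# Added illustration, not from the linked articles. IDs and names are placeholders.
variable "partner_account_id" {
  default = "111122223333" # placeholder for the account whose principals need access
}

# Form A: trust one named role in the other account.
# Every additional principal over there means another edit to this trust policy,
# and the trust is tied to that specific role rather than to the account boundary.
resource "aws_iam_role" "trusts_one_role" {
  name = "example-trusts-one-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { AWS = "arn:aws:iam::${var.partner_account_id}:role/DeployRole" }
    }]
  })
}

# Form B: trust the account boundary.
# The other account's own identity policies now decide which of its principals may
# call sts:AssumeRole on this role, so the question becomes "is this an account we
# govern?" rather than "is this exact role ARN still the right one?".
# Caveat for reviewers: any principal in that account that is granted sts:AssumeRole
# on this ARN can use it, so Form B only makes sense for accounts under your own control.
resource "aws_iam_role" "trusts_account" {
  name = "example-trusts-account"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { AWS = "arn:aws:iam::${var.partner_account_id}:root" }
    }]
  })
}
```

When reviewing either form, the check is the same: read the trust policy together with the identity policies on the other side of the boundary, because the effective set of principals who can assume the role is the intersection of the two.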
Gartner analyst Lydia Leong has never been one to hold back. Following an article where she (rightfully) tears apart the notion of multi-cloud portability, here’s an excellent and practical post on resilience architectures. It’s always important to place IAM in the context of the larger goal, which is designing a highly available, resilient, performant, and secure cloud environment.
IAM reading from the community...
There are many dimensions to IAM policies, which makes right-sizing them such a painstaking exercise. This article from Tobias Schmidt explains how to leverage permission boundaries to put select guardrails around identities.
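As an added example of the guardrail pattern (not code from the linked article), the Terraform below defines a boundary policy, a role fenced by it, and the delegation policy that only lets roles be created or have policies attached when they carry that boundary. The service list, `app-*` role prefix and all names are placeholders.

```hcl
# Added illustration, not from the linked article. Names and the service list are placeholders.
data "aws_caller_identity" "current" {}

# The boundary: a ceiling on what any role fenced by it can ever do, no matter which
# identity policies are attached later. Effective permissions are the intersection
# of the role's identity policies and this document.
resource "aws_iam_policy" "developer_boundary" {
  name = "example-developer-boundary"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid      = "CeilingForDeveloperRoles"
        Effect   = "Allow"
        Action   = ["s3:*", "dynamodb:*", "lambda:*", "logs:*"] # placeholder service list
        Resource = "*"
      },
      {
        # A boundary never grants anything by itself, but an explicit Deny here still
        # stops a fenced role from removing or swapping its own boundary.
        Sid      = "NoBoundaryEscape"
        Effect   = "Deny"
        Action   = ["iam:DeleteRolePermissionsBoundary", "iam:PutRolePermissionsBoundary"]
        Resource = "*"
      }
    ]
  })
}

# A role fenced by the boundary. Whatever identity policies land on it later, it can
# never exceed developer_boundary.
resource "aws_iam_role" "developer" {
  name                 = "example-developer"
  permissions_boundary = aws_iam_policy.developer_boundary.arn
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
    }]
  })
}

# The guardrail that makes delegation safe: whoever holds this policy may create
# app-* roles and attach policies to them, but only when the new role carries the
# boundary above. The iam:PermissionsBoundary condition key is what enforces that.
resource "aws_iam_policy" "delegated_role_creation" {
  name = "example-delegated-role-creation"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid      = "CreateRolesOnlyWithBoundary"
      Effect   = "Allow"
      Action   = ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy"]
      Resource = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/app-*"
      Condition = {
        StringEquals = { "iam:PermissionsBoundary" = aws_iam_policy.developer_boundary.arn }
      }
    }]
  })
}
```

The review question this answers is "can the people we let create roles mint one with more power than they have?": with the condition in place, a CreateRole call that omits or changes the boundary is denied, and the boundary's own Deny statements keep a fenced role from lifting the fence afterwards.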
Karen Tovmasyan is back with his second article in a series explaining the basics & terminology. Essential stuff for those early in their learning path.
IAM listening to this...
I’m long overdue for an Impulse Records release in this newsletter – the inspiration for our namesake. Oliver Nelson was a composer and saxophone player who cut a few albums for Impulse, most famously The Blues and the Abstract Truth in 1961. For me, it’s his 1966 release Sound Pieces that tops the list, with the upbeat and uplifting track Patterns. Just like last week’s featured album, this one can be found at a low price. Don’t get too used to that, I’ll be back to flexing my rarest pieces in no time ;)