Hacker News new | past | comments | ask | show | jobs | submit login

IAM policies can be so complex, that become close to unusable.

Use multiple AWS accounts, and keep your policies simple. One account for DB, one for the backend servers, etc. Each environment (prod, staging, dev) also gets its own set of accounts.

This way, a misconfigured policy won't give admin access to everything.




Wouldn't that lead to cross account policies, which appear to be even more quirky?


In my practice? Not really.

For resources like databases, you don't need cross-account access if you're using internal DB authentication systems. For IAM-based DB authentication, you can simply write policies to trust the target accounts.

Occasionally, you'll need to create a cross-account trust (via AssumeRole), but it's not at all that frequent.

My personal wish is for AWS to allow account _names_ instead of ID numbers in policies.


Yeah, error messages start to become more opaque as well which makes debugging even tougher, which is kind of the opposite of the point of using multiple accounts. But really, AWS not having proper namespaces in its constructs that’s ubiquitously supported (IAM paths were attempted. Attempted) hampers a lot of things


Having one account per database/backend/frontend is not only overkill, but actually a bad practice. You're going to have to expose your DB to the internet instead of having everything inside a single VPC.

What you should do instead is have one account per environment (as you said).


I've recently stumbled upon the possibility to share a VPC and use one VPC with multiple accounts: https://docs.aws.amazon.com/whitepapers/latest/building-scal...

I'm honestly not sure if thats a great idea, but this might be a possible way to do one account per DB/backend/frontend in a somewhat sane way.


I do this. Technically you share the subnets. It's a fantastic pattern and enables greater autonomy for application teams. They're given an AWS account per app environment (e.g. WidgetApp Test, WidgetApp Prod, etc) and are able to build their stuff and attach it to existing subnets without a care about 'how' it communicates with the Internet or the greater organization.


It's a great idea if you know how manage it. This is current recommended practice for corporate. Single Network account that interconnects everything and dishes out subnets to other accounts for use exclusively by them.


It's fine, but you're going to attract a lot of network costs bridging data between AWS accounts.

Generally I'd stick to accounts per environment, you'll be worrying about a lot more when you get to FAANG scale.


Sharing a VPC between accounts with AWS RAM incurs no network costs between the accounts and greatly simplifies AWS networking. Additionally you can share and re-use security groups from the shared vpc across account boundaries.


Hey thank you! I didn't know that, I was still stuck in the thoughts of using Transit Gateways between accounts which of course attracts $$$.


oh, that's cool, I didn't know that was possible.

That said, I still think it's overkill and doesn't bring any real benefit? Sure you're reducing the blast radius of a security breach, but are the overcomplications worth it? Also, you now have to manage multiple accounts with multiple policies and users / roles, won't that extra complexity actually increase the attack surface?


> Having one account per database/backend/frontend is not only overkill, but actually a bad practice.

That's how AWS works internally. A team can easily have several hundred accounts: one for each region, and for each env.

You absolutely need tools to manage them, and AWS is not great in this regard. IAM Identity Center is a good first step, but its usability sucks compared to the AWS internal tool (called "Isengard").

> You're going to have to expose your DB to the internet instead of having everything inside a single VPC.

There are several ways to NOT do this. The easiest one is to use IPv6 with your own block (you can get it from ARIN for around $100). Then split it into "public" and "private" subnets, and install a network ACL prohibiting external connections into the private subnet.


You'll find that a plan like this is not overkill once you outgrow single accounts. Though I would do one account per system with Shared VPCs instead.


We use peered VPCs at work. We have a central account per environment that has the VPC that's shared to all the other accounts in that environment for databases etc.

To be honest, I'd probably prefer a single account per environment. But managing the IAM for that would be much more work.


You can peer-connect vpcs cross-account


Up to 125 peers before you have to setup a transit vpc which is a lot more complex


Transit gateway can have 5000 VPCs connected in a region, and you have multiple TGWs. And rather than have a VPC per account you can use Shared VPCs instead.


I honestly can't imagine a situation where this would be a good advice. Can you give an example of such an IAM policy?


For example, if you want your CI/CD to deploy to CloudFormation and allow it to generate IAM resources, then it's essentially root-level access. Because you can simply create an IAM role that gives admin permissions to you.

Or even without that, there are plenty of footguns. AWS has a good blog post: https://aws.amazon.com/blogs/security/protect-sensitive-data...


One account per system and environment with shared vpcs is great.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: