I'm somewhat experienced with AWS, having worked with key services like EC2, S3, and IAM. Recently, I tried to grant my cofounder access to our AWS account so we could collaborate on some code, but I found the IAM Identity Center to be quite complex for just basic tasks like giving read access to a S3 bucket. I feel like IAM was much easier for this. Am I missing an easier method? What do other small teams do to handle account management without making it overly complicated? I'm tempted to just share our AWS account through 1Password!
5 Answers
Remember, there's always a security trade-off when prioritizing speed in a startup. There are several native access methods for AWS: Root Account Access, IAM Users, IAM Roles, and IAM Identity Center. I'd recommend setting up an organizational management account while avoiding sharing IAM User credentials. Be careful, as some AWS decisions can be tough to reverse, especially those related to security. Having an organized account structure will help streamline your access management later on.
It's best to create permission sets and adjust the IAM policy as needed. You can attach these sets to both users and groups, allowing for flexible access across single or multiple accounts. If you want to dig deeper, feel free to reach out!
We usually create organization units and permission sets in AWS. Just establish a role for your cofounder, add the necessary permissions, and apply it across all accounts. It’s honestly quite simple. You can even ask your AI assistant for detailed steps!
Most early startups opt for IAM users with permissions to assume roles in multiple accounts. The goal is to quickly validate your idea, so straight-up IAM users work best during these initial stages. Once you're established, migrating to IAM Identity Center is straightforward and can be done without any downtime. Focus on critical security measures first before complicating things with Identity Center. If you have AWS experience, managing IAM Identity Center via infrastructure as code is feasible too! Just create policies and assign them to users.
Another option is to create an IAM role with the permissions you want your cofounder to have and allow them to assume that role as needed. It's a simple and effective solution!
That's essentially the same function as what IAM Identity Center provides.