I'm reaching out to understand how organizations generally handle user requests for permission updates in existing permission sets or when creating new IAM roles. Currently, our IAM team is quite small, consisting of just three members, and we are overwhelmed with requests for modifications or new roles. This becomes quite challenging since we often lack sufficient context to know exactly what permissions are needed. We're committed to enforcing least-privilege access, but it often leads to lengthy troubleshooting and iterations. I'm keen to know how to streamline this process, manage permissions while maintaining minimum exposure, and establish a standardized access request process. Any best practices or real-world examples would be truly helpful!
1 Answer
One efficient approach is to make the process self-service. Provide users with guidelines and set up automated permissions where possible. By using Service Control Policies (SCPs) and Infrastructure as Code (IaC), you can allow experimentation in isolated environments while avoiding bottlenecks in the permission approval process. It's really about tailoring the implementation to your organization's culture and needs.
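One concrete shape of the SCP-plus-IaC guardrail described above, as an added example that is not part of this thread: a Service Control Policy for a sandbox OU that lets developers create roles themselves only under a mandated permissions boundary, and the lint an automated intake pipeline can run before a request is auto-approved instead of landing on the three-person IAM team. The boundary policy name DeveloperBoundary, the OU layout, the lint rules and the sample request (including its account id) are assumptions.

```python
"""Self-service IAM role requests with guardrails: an SCP that makes the permissions
boundary mandatory, plus the lint an intake pipeline would run before auto-approval.
Added illustration, not from the thread; 'DeveloperBoundary' and the sample are assumed."""
import fnmatch

BOUNDARY_ARN = "arn:aws:iam::*:policy/DeveloperBoundary"  # assumed policy name

# SCP for a sandbox OU, deployed once via IaC: developers may create roles and
# attach policies themselves, but only under the mandated boundary, and the
# boundary policy itself cannot be weakened from inside the OU.
SANDBOX_SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "RequireBoundaryOnRoles", "Effect": "Deny",
     "Action": ["iam:CreateRole", "iam:PutRolePolicy", "iam:AttachRolePolicy"],
     "Resource": "*",  # ArnNotLike also matches when no boundary is given at all
     "Condition": {"ArnNotLike": {"iam:PermissionsBoundary": BOUNDARY_ARN}}},
    {"Sid": "ProtectBoundaryPolicy", "Effect": "Deny",
     "Action": ["iam:CreatePolicyVersion", "iam:DeletePolicy", "iam:SetDefaultPolicyVersion"],
     "Resource": BOUNDARY_ARN},
    {"Sid": "KeepBoundaryOnRoles", "Effect": "Deny",
     "Action": "iam:DeleteRolePermissionsBoundary", "Resource": "*"},
]}

def lint_role_request(request):
    """Return review findings; an empty list means the request can be auto-approved."""
    findings = []
    if not fnmatch.fnmatch(request.get("PermissionsBoundary", ""), BOUNDARY_ARN):
        findings.append("permissions boundary missing or not DeveloperBoundary")
    for stmt in request["PolicyDocument"]["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action} needs a named action list")
            elif action.split(":")[0] in ("iam", "organizations"):
                findings.append(f"{sid}: {action} changes the identity plane, route to IAM team")
        if "*" in resources:
            findings.append(f"{sid}: Resource '*' should be scoped to the team's ARNs")
    return findings

SAMPLE_REQUEST = {  # constructed sample as a developer would submit it; account id is a placeholder
    "RoleName": "team-data-etl",
    "PermissionsBoundary": "arn:aws:iam::111122223333:policy/DeveloperBoundary",
    "PolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadInputBucket", "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::team-data-input", "arn:aws:s3:::team-data-input/*"]},
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}]}}
```

`lint_role_request(SAMPLE_REQUEST)` returns two findings, both on the TooBroad statement, so only that request goes to a human while the scoped S3 statement would pass on its own.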

Could you share some specific examples of how you've set this up? That'd be super helpful!