Hey everyone! We're managing around 25 AWS accounts in our organization and using Okta for our identity provider, with the Identity Center to handle IAM SSO roles. I'm trying to figure out how to properly manage the approval process when users request to add permissions to their existing sets. Sometimes they even need cross-account access, which complicates things when we have multiple teams overseeing resource management. Typically, the user's manager and the team owner both need to approve these requests, but I'm curious if there are more efficient processes other organizations use for these kinds of situations. Any insights?
2 Answers
We approach this by using Terraform for our infrastructure management. Every change goes through a GitHub pull request and requires approval from our platform engineering team that oversees all infrastructure and AWS accounts. It really helps streamline the process. Do you not have a dedicated team for managing identity and authentication, or one for AWS account governance? If you're lacking that, it might be more of a process issue rather than a technical one.
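To make the "every change is a pull request" approach above concrete, here is an added Terraform example (not code from the answer's author) that declares an IAM Identity Center permission set, attaches a managed policy, and assigns it to an Okta-sourced group in one account. The permission set name, group name and account ID are placeholders; the instance and identity store are read from the organization's existing Identity Center, and the CODEOWNERS comment shows how the platform team's approval is enforced on the PR.

```hcl
# Assumed repo layout: this file lives under identity-center/ and
# .github/CODEOWNERS contains a line such as
#   identity-center/  @example-org/platform-engineering
# so GitHub requires that team's review before the PR can merge.

data "aws_ssoadmin_instances" "this" {}

locals {
  instance_arn      = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
}

# The permission set is the unit that gets reviewed: a request to "add
# permissions" becomes a diff to this block or to the attachment below.
resource "aws_ssoadmin_permission_set" "readonly" {
  name             = "ReadOnlyAccess"   # placeholder name
  instance_arn     = local.instance_arn
  session_duration = "PT4H"             # short sessions limit blast radius
}

resource "aws_ssoadmin_managed_policy_attachment" "readonly" {
  instance_arn       = local.instance_arn
  managed_policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
  permission_set_arn = aws_ssoadmin_permission_set.readonly.arn
}

# Group provisioned from Okta via SCIM; membership is managed in Okta,
# so this file only decides what the group may do in which account.
data "aws_identitystore_group" "data_team" {
  identity_store_id = local.identity_store_id

  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = "data-team"     # placeholder group name
    }
  }
}

# Cross-account access is just another assignment to a different
# target_id, which makes it visible and reviewable in the same PR.
resource "aws_ssoadmin_account_assignment" "data_team_readonly" {
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.readonly.arn
  principal_id       = data.aws_identitystore_group.data_team.group_id
  principal_type     = "GROUP"
  target_id          = "123456789012"   # placeholder account ID
  target_type        = "AWS_ACCOUNT"
}
```

Because assignments are to groups rather than users, the reviewed diff records who gains what in which account, and the Terraform plan output in the PR doubles as the audit trail for the approval.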
Exactly! Also, once permissions get approved, who actually applies them? Is it the platform team that handles that?
With Okta, you can let users assume roles in their accounts, which is a good practice for tracking and auditing. You just set up a new assumable role for users needing access. This way, you manage permissions at the role level rather than at the user level within your identity management. It's a more centralized approach.
I’m actually trying to understand the governance side of the approval flow better.
But they mentioned they're using IAM Identity Center, so ideally, they won't need to revert to regular IAM roles for human access.
We do have AWS account owners, but not every resource has dedicated owners. For example, some permissions are tied to services like SNS or SQS, which complicates the matter.