What’s the Best Way to Secure AWS Access for My Startup?

Asked By TechieCoder92 On

I'm a backend developer with some AWS experience, primarily using it as a tool until now. I'm working on a startup where I've taken the lead in building our AWS environment, including creating a repository for Infrastructure as Code (IaC) management. Currently, we're using access keys to manage our AWS resources, but I'm concerned about security. Is it really best practice to use the IAM Identity Center with SSO for accessing roles with profiles instead?

5 Answers

Answered By DevOpsWhiz On

If you go with the Identity Center, consider implementing SAML for SSO and using AssumeRoleWithWebIdentity for CI authentication. While tools like Vault can help manage access, they add unnecessary complexity at this stage.

Answered By CloudNinja27 On

You're correct in wanting to ditch access keys—they're risky and can easily be leaked. If you must use them, they should have the least amount of permissions possible. The IAM Identity Center is indeed the right way to go for user access to the CLI or console. For IaC, check best practice resources from AWS or your IaC vendor to see what fits your setup.

Answered By InnovativeDev On

Yes and no! While you can end up using user/password with IAM users or Identity Center users, the main benefit of Identity Center is its integration with identity providers, automatic management of credentials, and scalability for multiple accounts. It's advisable to avoid access keys entirely—use temporary credentials and set up proper IAM roles instead. Also, enable MFA for all users.

Answered By SecurityGuru88 On

Absolutely, you should avoid using access keys whenever possible. Instead, employ the IAM Identity Center for your users. It's a good practice to set up separate accounts for production, QA, development, and sandbox environments. Also, for CI/CD pipelines, use OIDC instead of access keys. Just ensure that your main branch access is tightly controlled.
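An added example (not part of any answer above) for the advice to use OIDC with AssumeRoleWithWebIdentity for CI and keep main-branch access tight: a small check that a CI role's trust policy pins the token audience and restricts the subject to one repository's main branch. It assumes GitHub Actions as the CI system, which the thread does not name; `audit_trust_policy`, the account ID, and the org and repo names are hypothetical placeholders.

```python
# Assumption: CI is GitHub Actions (the thread names no CI provider).
ISSUER = "token.actions.githubusercontent.com"

def audit_trust_policy(policy, repo, branch="main"):
    """Return findings for a CI role's OIDC trust policy; empty list means OK."""
    findings = []
    want_sub = f"repo:{repo}:ref:refs/heads/{branch}"
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue  # only web-identity trust statements are in scope
        # Flatten conditions to {lowercased key: (operator, [values])}.
        conds = {}
        for op, pairs in stmt.get("Condition", {}).items():
            for key, val in pairs.items():
                conds[key.lower()] = (op, [val] if isinstance(val, str) else list(val))
        aud_op, aud = conds.get(f"{ISSUER}:aud", (None, []))
        if aud_op != "StringEquals" or aud != ["sts.amazonaws.com"]:
            findings.append(f"statement {i}: aud not pinned to sts.amazonaws.com")
        sub_op, sub = conds.get(f"{ISSUER}:sub", (None, []))
        if not sub:
            findings.append(f"statement {i}: no sub condition on the role")
        elif sub_op != "StringEquals" or sub != [want_sub]:
            findings.append(f"statement {i}: sub {sub} ({sub_op}) is not exactly {want_sub}")
    return findings

def _policy(condition):
    """Build a constructed trust policy with one web-identity statement."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]}

# Constructed samples: account ID, org and repo names are placeholders.
WEAK = _policy({"StringLike": {f"{ISSUER}:sub": "repo:example-org/*"}})
HARDENED = _policy({"StringEquals": {
    f"{ISSUER}:aud": "sts.amazonaws.com",
    f"{ISSUER}:sub": "repo:example-org/infra:ref:refs/heads/main"}})

if __name__ == "__main__":
    for name, pol in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_trust_policy(pol, "example-org/infra") or "OK")
```

Running the same check in the IaC repository's pipeline catches a trust policy that is later loosened to a wildcard subject.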

Answered By CloudArchitect99 On

Definitely check out AWS's Well-Architected Framework. It covers best practices for account access and security and is a great resource as you build out your startup's environment.
