Chapter 36. Why Are Good AWS Security Policies So Difficult?

Stephen Kuenzli

Why is AWS IAM so @!#^$ hard?

Every cloud engineer

Short answer: first because the powerful AWS security model is complex, and second because modern application deployments change rapidly. Let’s examine why configuring good AWS security policies is so difficult.

The AWS Security Model Is Powerful but Complex

In the cloud, capabilities are delivered using services configured via APIs. Security capabilities are no exception. AWS security APIs enable customers to fulfill their security responsibilities within the AWS shared responsibility model.

Customers control access to their cloud resources and data by configuring security policies in the AWS security services. These security services evaluate the policies to allow or deny access. They include the organization’s IAM services and more than 20 data services that support resource policies.

Five types of AWS security policies determine whether an API action will be allowed: Service Control, Identity and Access Management, Resource, Boundary, and Session. Expert users of these security services can create robust access controls.
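To make the interaction of those five policy types concrete, here is an added example (not code from the chapter or from AWS) that models the core evaluation rules for a same-account request: an explicit Deny anywhere wins, Service Control, boundary and session policies can only restrict, and access must still be granted by an identity or resource policy. It assumes policies already reduced to Allow/Deny statements with wildcards and no conditions, and the sample policies are constructed for illustration.

```python
from fnmatch import fnmatchcase

# A policy is a list of statements; each statement is (effect, actions, resources),
# e.g. ("Allow", ["s3:Get*"], ["arn:aws:s3:::app-bucket/*"]). Conditions are omitted,
# and wildcard matching uses fnmatch as an approximation of IAM's "*" and "?".

def _decide(policy, action, resource):
    """Reduce one policy to 'Deny', 'Allow', or None (no matching statement)."""
    if policy is None:                       # this policy type is absent for the request
        return None
    effects = {
        effect for effect, actions, resources in policy
        if any(fnmatchcase(action, a) for a in actions)
        and any(fnmatchcase(resource, r) for r in resources)
    }
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else None

def is_allowed(action, resource, identity=None, resource_policy=None,
               scp=None, boundary=None, session=None):
    """Combine the five policy types for a same-account request (simplified model)."""
    decisions = {
        "scp": _decide(scp, action, resource),
        "identity": _decide(identity, action, resource),
        "resource": _decide(resource_policy, action, resource),
        "boundary": _decide(boundary, action, resource),
        "session": _decide(session, action, resource),
    }
    # Rule 1: an explicit Deny in any applicable policy always wins.
    if "Deny" in decisions.values():
        return False
    # Rule 2: SCP, permission boundary and session policy never grant access on their
    # own; when present, each must contain an Allow or the request is implicitly denied.
    for guard, policy in (("scp", scp), ("boundary", boundary), ("session", session)):
        if policy is not None and decisions[guard] != "Allow":
            return False
    # Rule 3: a granting policy (identity or resource) must Allow; default is implicit deny.
    return "Allow" in (decisions["identity"], decisions["resource"])

# Constructed sample policies (hypothetical, not taken from the chapter).
SCP = [("Allow", ["*"], ["*"]), ("Deny", ["s3:DeleteBucket"], ["*"])]
IDENTITY = [("Allow", ["s3:*"], ["arn:aws:s3:::app-bucket", "arn:aws:s3:::app-bucket/*"])]
BOUNDARY = [("Allow", ["s3:Get*", "s3:Put*", "s3:DeleteBucket"], ["*"])]
SESSION = [("Allow", ["s3:GetObject"], ["*"])]
RESOURCE = [("Allow", ["s3:GetObject"], ["arn:aws:s3:::app-bucket/*"])]
OBJ = "arn:aws:s3:::app-bucket/report.csv"

if __name__ == "__main__":
    print(is_allowed("s3:GetObject", OBJ, identity=IDENTITY, scp=SCP, boundary=BOUNDARY))
    print(is_allowed("s3:DeleteBucket", "arn:aws:s3:::app-bucket", identity=IDENTITY, scp=SCP))
```

Running the sample shows a GetObject request passing all layers while DeleteBucket is stopped by the SCP's explicit Deny even though the identity policy allows `s3:*`.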

But this large set of security services, resources, and policy language is complex, difficult to understand, and hard to test without breaking things. Engineers need to understand and configure multiple ...

Get 97 Things Every Cloud Engineer Should Know now with the O’Reilly learning platform.