This chapter covers
- Creating best practices to improve and evaluate your IAM configuration
- Applying least privilege access control to reduce risk in the event of an attack
- Evaluating credential expiration times to balance security and convenience
- Reviewing IAM resources periodically to ensure your configuration is secure

As we saw in chapters 2 and 3, there are multiple ways to do the same thing in IAM. You can grant permissions directly to a user or have them applied through a group. You can write a policy inline on the user, or you can attach a managed policy. The last chapter explained how to do all of these things, but it didn’t explain when to do them. I wish I could say this chapter had the answer to when you should use each of the features of IAM. Unfortunately, it’s not that easy. There are trade-offs to every feature, and when you should use them largely depends on the needs of your organization. This chapter will help you create your own best practices for how and when to use different features of IAM.