AWS IAM in Enterprise Environments: Designing Secure, Scalable, and Auditable Access Controls

Managing Identity and Access Management (IAM) at scale on AWS requires more than creating roles and policies—it demands least privilege enforcement, continuous monitoring, and automation to keep infrastructure secure and compliant. In a recent multi-account AWS project, I designed a centralized IAM governance framework to control identities, workloads, and permissions across EKS clusters, serverless workloads, and hybrid on-prem integrations.

Key Implementations:
• IAM Architecture at Scale: Used AWS Organizations + SCPs to enforce org-wide security boundaries while isolating environments (dev, staging, prod) at the account level.
• Least Privilege Model: Built fine-grained IAM policies using condition keys, resource-level constraints, and time-based access restrictions.
• Federated Authentication: Integrated AWS IAM Identity Center (SSO) with Azure AD for workforce identities and implemented Workload Identity Federation for Kubernetes, avoiding static access keys.
• Automated Permission Management: Integrated CI/CD pipelines with Terraform to provision IAM roles, policies, and trust relationships, embedding policy validation checks via terraform-compliance and checkov.
• Privilege Escalation Prevention: Monitored IAM roles using IAM Access Analyzer and CloudTrail Insights to detect unused permissions, privilege escalation paths, and policy drift.
• Secrets and Key Management: Centralized credentials in AWS Secrets Manager and KMS with automatic rotation, encrypting sensitive data at rest and in transit.
• Compliance & Auditing: Streamlined evidence gathering for SOC2, HIPAA, and ISO 27001 audits using CloudTrail, Config, and Access Analyzer to produce real-time reports on identity activity.

Outcome: We achieved zero standing admin privileges, automated IAM provisioning, and reduced manual access requests by 80%, all while maintaining audit readiness and improving operational security posture.

#AWS #IAM #CloudSecurity #DevOps #SRE #InfrastructureSecurity #AccessManagement #AWSOrganizations #Kubernetes #Terraform #SecretsManager #CloudTrail #PlatformEngineering #CloudGovernance #OpenToWork #C2C #C2H #JobSearch
Managing AWS Permissions for Multiple Environments
Summary
Managing AWS permissions for multiple environments means setting up secure rules that control who can do what across different AWS accounts, such as development, testing, and production. This process uses tools like AWS Organizations and Service Control Policies (SCPs) to create boundaries and keep systems safe while allowing teams to work independently.
- Centralize controls: Use AWS Organizations and SCPs to set up permissions and guardrails from a single management account, making it easier to oversee security across all environments.
- Automate policy management: Manage and test permission changes through automation tools like Terraform and CI/CD pipelines to prevent errors and reduce manual work.
- Monitor and respond: Set up alerts and regular audits so you can quickly catch and fix any unexpected changes or risky access across your AWS accounts.
Most multi-account AWS setups grow the same way. One account becomes two. Two becomes five. Then someone is clicking through the console trying to remember which account has which guardrails. Here's how we manage AWS Organizations and SCPs in Terraform so the guardrails stop drifting:

The drift starts the first time someone changes an SCP through the console. It works. Nobody documents it. Six months later you're debugging a broken deployment because an SCP is silently blocking an API call. We treat any console-based SCP change as immediate technical debt.

First, the misconception worth clearing up: SCPs are a ceiling, not a floor. An SCP that allows s3:* doesn't grant anyone access. It just means S3 access isn't blocked at the org level. IAM still has to permit it. SCPs only restrict.

Our OU structure:
• DevOps (CI/CD, internal tooling)
• Internal Developments (R&D)
• Partner (AWS partner accounts)
• Sandbox (with spend cap SCP)
• Security (logs, locked down)

Five SCP patterns we ship on every engagement:
1. Deny root user access on every workload OU
2. Region lockdown with global service exemptions (the NotAction list trap that breaks IAM and STS if you skip it)
3. Deny leaving the organization
4. Protect security tooling (CloudTrail, Config, GuardDuty, Security Hub) with a break-glass IAM role for incidents
5. Sandbox spend cap that blocks expensive instance types at the policy level

Before any SCP touches a production OU, four checks:
• Run aws accessanalyzer validate-policy on the JSON
• Test on an isolated sandbox account first
• Run it through the IAM Policy Simulator
• Use describe-effective-policy to confirm what actually applies

The drift catcher: an EventBridge rule that fires on every Create/Update/Delete/Attach/Detach Policy event. If anyone touches an SCP outside Terraform, an SNS alert fires immediately.

SCP changes ship through GitLab CI with manual apply. Every change requires a merge request, a plan output as an MR comment, and sign-off from a tech lead and a senior engineer.

Four common mistakes we still see:
1. Removing FullAWSAccess from root. Every account loses access instantly.
2. Incomplete NotAction list. IAM and STS fail in confusing ways.
3. Workloads in the management account. SCPs don't apply there, by design.
4. Blocking iam:CreateRole broadly. Service-Linked Roles fail silently and the errors don't point to the SCP.

Full breakdown of the OU structure, the exact SCP JSON, the testing protocol, and the pipeline in this week's newsletter. Read it here: https://lnkd.in/eBPZsZDR
Subscribe so you don't miss the next: https://lnkd.in/efpcmnTk
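The drift catcher the post above describes (an EventBridge rule on every Create/Update/Delete/Attach/Detach Policy event, alerting when the change did not come through Terraform), written as an added example rather than the author's own rule or pipeline code. event_pattern() is the EventBridge pattern such a rule would use; is_out_of_band() applies the same filter to CloudTrail-style records so it can be exercised offline. The pipeline role name PIPELINE_ROLE and the sample event records are constructed assumptions.

```python
"""SCP drift catcher as an offline filter over CloudTrail-style events.

Added example, not the post's own EventBridge rule or Terraform. PIPELINE_ROLE
and SAMPLE_EVENTS are constructed assumptions; real records carry more fields.
"""
import json

PIPELINE_ROLE = "TerraformApplyRole"  # assumed name of the CI/CD role that applies SCPs
SCP_EVENT_NAMES = ["AttachPolicy", "CreatePolicy", "DeletePolicy", "DetachPolicy", "UpdatePolicy"]


def event_pattern():
    """EventBridge pattern matching Organizations policy changes recorded by CloudTrail."""
    return {"source": ["aws.organizations"],
            "detail-type": ["AWS API Call via CloudTrail"],
            "detail": {"eventSource": ["organizations.amazonaws.com"],
                       "eventName": SCP_EVENT_NAMES}}


def _role_name(event):
    """Role behind an assumed-role session, or None for IAM users and the root user."""
    issuer = event.get("userIdentity", {}).get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("userName") if issuer.get("type") == "Role" else None


def is_out_of_band(event):
    """True for a policy change that did not come from the pipeline role.

    CreatePolicy carries requestParameters.type; the other calls only carry a
    policyId, so the type check is applied only when the field is present
    (tag and backup policies share these event names)."""
    if event.get("eventSource") != "organizations.amazonaws.com":
        return False
    if event.get("eventName") not in SCP_EVENT_NAMES:
        return False
    ptype = (event.get("requestParameters") or {}).get("type")
    if ptype and ptype != "SERVICE_CONTROL_POLICY":
        return False
    return _role_name(event) != PIPELINE_ROLE


def out_of_band_changes(records):
    """Return (eventName, principal ARN) for every record that should raise an alert."""
    return [(e["eventName"], e["userIdentity"].get("arn", "?")) for e in records if is_out_of_band(e)]


# Constructed sample records, trimmed to the fields the filter reads.
SAMPLE_EVENTS = [
    {"eventSource": "organizations.amazonaws.com", "eventName": "UpdatePolicy",
     "requestParameters": {"policyId": "p-examplescp"},
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventSource": "organizations.amazonaws.com", "eventName": "AttachPolicy",
     "requestParameters": {"policyId": "p-examplescp", "targetId": "ou-exam-ple12345"},
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/TerraformApplyRole/gitlab-ci",
                      "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "TerraformApplyRole"}}}},
    {"eventSource": "organizations.amazonaws.com", "eventName": "CreatePolicy",
     "requestParameters": {"name": "tags", "type": "TAG_POLICY", "content": "{}"},
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Admin/bob",
                      "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "Admin"}}}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Deploy/ci"}},
    {"eventSource": "organizations.amazonaws.com", "eventName": "DeletePolicy",
     "requestParameters": {"policyId": "p-examplescp"},
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
]

if __name__ == "__main__":
    print(json.dumps(event_pattern(), indent=2))
    for name, who in out_of_band_changes(SAMPLE_EVENTS):
        print(f"ALERT {name} by {who}")
```

Running it flags the console UpdatePolicy by the IAM user and the DeletePolicy by root, and stays quiet for the pipeline role's AttachPolicy, the tag-policy creation and the unrelated EC2 call. Two practical notes: AWS Organizations is a global service whose CloudTrail events are delivered in us-east-1, so the EventBridge rule has to be created on the management account's us-east-1 event bus; and because the pattern itself cannot express "not the pipeline role", the role check belongs in the rule's target (a Lambda or the SNS consumer), which is what is_out_of_band() models.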
🔐 Managing multiple AWS accounts can feel like herding cats... unless you know the secret.

Have you ever felt overwhelmed juggling permissions, budgets, and guardrails across multiple AWS accounts? You're not alone. As organizations scale, multi-account setups become essential — for isolation, cost tracking, and security. But without the right controls in place, things can spiral fast.

That's where AWS Organizations + Service Control Policies (SCPs) step in. Here's how they help:
• Centralized governance — Define guardrails from a management account.
• Prevent risky actions — Block dangerous services org-wide before they're even used.
• Simplify auditing — One place to monitor and control permissions.
• Enable team autonomy — Let devs innovate within secure boundaries.

🔒 Quick heads-up: When an SCP is present, IAM policies grant access only if both the IAM policy AND the SCP allow the action. It's a two-key system — both must say "yes" for access to be granted. Think of SCPs as your "master switchboard" — setting the maximum permissions available, regardless of IAM roles in the child accounts.

One tip I always recommend:
✅ Start with deny-by-exception — deny everything and allow only what's needed. Then, iterate safely as your org matures.

📌 Bonus: Use Organizational Units (OUs) to apply policies to different teams like Dev, QA, Prod — clean and scalable.

SCPs don't replace IAM — they reinforce it. Like a safety net.

👇 How do you manage access across multiple AWS accounts? Would love to hear your go-to practices!

#AWS #CloudSecurity #DevOps
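The two-key rule this post states (IAM must allow AND the SCP must allow), and the SCP patterns and mistakes from the Terraform post above it (deny root, region lockdown with the NotAction exemption list, deny leaving the organization, removing FullAWSAccess from root, workloads in the management account), as one added example that is not code from either post. It is a small evaluator for the subset of policy language those points need, with constructed policies and requests; the account id, role name and the shortened GLOBAL_SERVICE_EXEMPTIONS list are assumptions, and a real region lockdown must use the full global-service list from AWS documentation.

```python
"""Model of how SCPs combine with IAM policies (added example, not code from any post above).
Models only Action/NotAction, Resource "*" and StringEquals/StringNotEquals/StringLike.
GLOBAL_SERVICE_EXEMPTIONS is assumed and shortened; a real lockdown needs the full list."""
from fnmatch import fnmatchcase

FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Global services report aws:RequestedRegion as us-east-1 wherever the caller runs.
GLOBAL_SERVICE_EXEMPTIONS = ["iam:*", "sts:*", "organizations:*", "cloudfront:*",
                             "route53:*", "support:*", "health:*", "budgets:*"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_matches(patterns, action):
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))

def _condition_holds(condition, ctx):
    """ctx maps condition keys (aws:RequestedRegion, aws:PrincipalArn) to request values."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual, wanted = ctx.get(key, ""), _as_list(wanted)
            if operator == "StringEquals":
                ok = actual in wanted
            elif operator == "StringNotEquals":
                ok = actual not in wanted
            elif operator == "StringLike":
                ok = any(fnmatchcase(actual, w) for w in wanted)
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True

def evaluate_policy(policy, action, ctx):
    """Return 'deny', 'allow' or 'implicit' for one policy document."""
    decision = "implicit"
    for stmt in policy["Statement"]:
        if "Action" in stmt and not _action_matches(stmt["Action"], action):
            continue
        if "NotAction" in stmt and _action_matches(stmt["NotAction"], action):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"  # an explicit deny wins over any allow
        decision = "allow"
    return decision

def _allowed_by(policies, action, ctx):
    results = [evaluate_policy(p, action, ctx) for p in policies]
    return "deny" not in results and "allow" in results

def is_allowed(action, ctx, iam_policies, scp_levels, management_account=False):
    """Two-key rule: IAM must allow AND every SCP level (root, each OU, the account)
    must allow with no explicit deny. The management account is exempt from SCPs."""
    if not _allowed_by(iam_policies, action, ctx):
        return False
    return management_account or all(_allowed_by(lvl, action, ctx) for lvl in scp_levels)

def region_lockdown_scp(allowed_regions, exemptions):
    """Pattern 2: deny everything outside allowed_regions except the exempt services."""
    return {"Statement": [{"Effect": "Deny", "NotAction": exemptions, "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": allowed_regions}}}]}

DENY_ROOT_SCP = {"Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*",  # pattern 1
                 "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}}]}
DENY_LEAVE_ORG_SCP = {"Statement": [{"Effect": "Deny", "Resource": "*",           # pattern 3
                      "Action": "organizations:LeaveOrganization"}]}

def demo():
    """Constructed scenarios; the account id and role name are made up."""
    iam = [{"Statement": [{"Effect": "Allow", "Resource": "*",
                           "Action": ["ec2:*", "iam:*", "s3:*", "organizations:*"]}]}]
    role = "arn:aws:iam::111122223333:role/Deploy"
    eu = {"aws:RequestedRegion": "eu-west-1", "aws:PrincipalArn": role}
    use1 = {"aws:RequestedRegion": "us-east-1", "aws:PrincipalArn": role}
    root = {"aws:RequestedRegion": "eu-west-1", "aws:PrincipalArn": "arn:aws:iam::111122223333:root"}
    good = region_lockdown_scp(["eu-west-1"], GLOBAL_SERVICE_EXEMPTIONS)
    trap = region_lockdown_scp(["eu-west-1"], ["cloudfront:*", "route53:*"])  # iam/sts forgotten
    levels = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, DENY_ROOT_SCP, DENY_LEAVE_ORG_SCP, good],
              [FULL_AWS_ACCESS]]  # root, workload OU, account
    return {
        "ec2_in_allowed_region": is_allowed("ec2:RunInstances", eu, iam, levels),
        "ec2_in_blocked_region": is_allowed("ec2:RunInstances", use1, iam, levels),
        "iam_exempted_from_lockdown": is_allowed("iam:CreateRole", use1, iam, levels),
        "iam_hit_by_incomplete_notaction": is_allowed("iam:CreateRole", use1, iam,
                                                     [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, trap]]),
        "scp_allows_but_iam_silent": is_allowed("s3:GetObject", eu, [{"Statement": []}], levels),
        "root_user_denied": is_allowed("s3:GetObject", root, iam, levels),
        "fullawsaccess_removed_from_root": is_allowed("s3:GetObject", eu, iam, [[], [FULL_AWS_ACCESS]]),
        "management_account_ignores_scps": is_allowed("organizations:LeaveOrganization", eu, iam,
                                                      levels, management_account=True),
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:34s} {'ALLOW' if allowed else 'DENY'}")
```

The scenarios in demo() map onto the posts' claims: an SCP that allows s3:* with a silent IAM policy still denies (ceiling, not floor); the same IAM policy is denied by an OU-level deny (the two keys); iam:CreateRole survives the region lockdown only because iam:* is in the NotAction list, and fails once that list is incomplete; an empty root level (FullAWSAccess removed) denies everything; and the management_account flag skips the SCP levels entirely. The model is deliberately narrow: resource ARNs, permissions boundaries, session policies and resource-based policies are not represented, so treat it as a reasoning aid, not a substitute for the Policy Simulator or Access Analyzer checks the Terraform post lists.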