S3 Provisioning Best Practices

PreviousUnderstanding Access Provisioning and Underlying Policies in Immuta NextIntegrating with Existing Catalogs

Last updated 2 months ago

Was this helpful?

S3 Provisioning Best Practices

Private preview: The Marketplace app is available to select accounts. Contact your Immuta representative for details.

Marketplace provisioning is really about making exceptions for specific users to get access to data when requested and approved. The key word there is "users."

If you manage access in AWS through IAM roles instead of users, user provisioning in Immuta must be done using IAM role principals. Because of this, Marketplace provisioning must be done to IAM roles instead of users, which means that if users share IAM roles then you end up in a situation where you over-provision (to everyone in the IAM role) upon Marketplace approval.

See below for the best practices to avoid this behavior.

Best and recommended option: Enable IDC

IDC is the best and AWS recommended approach because it treats users as users, not users as roles. And because of this, Marketplace provisioning upon approval is for the user that requested access and was approved, nothing more. No over-provisioning, only granular access.

Enabling IDC does not impact any existing access controls; it is additive. Immuta will manage the GRANTs using IDC if enabled and configured to Immuta for you.

Second best option: IAM role per user

Create an IAM role per user that is unique to that user and assign that IAM role to each corresponding user in Immuta. Ensure that the IAM role cannot be shared with other users. However, this approach can be a challenge because there is an which is one reason why IDC is the better approach.

Final option (not recommended): Request on behalf of IAM roles

In this approach, you create "users" in Immuta that map to each of your existing IAM roles. Then, when users request access to data products through the Marketplace, they of the IAM role "user" rather than themselves.

This is a poor approach because, again, it will mean everyone in that role will gain access, and adding future users to that role will also bypass approvals. But worse, it requires the approver to understand what role should have access to what (not to mention what users are already in that role) in order to make a reasonable determination on the request.