S3 Provisioning Best Practices

Private preview: The Marketplace app is available to select accounts. Reach out to your Immuta representative for details.

Marketplace provisioning is really about making exceptions for specific users to get access to data when requested and approved. The key word there is "users".

With AWS, unless you have recently migrated to AWS Identity Center (IDC), all your access is managed through IAM roles rather than individual users. Because of this, Marketplace provisioning must be done to IAM roles instead of users, which means that if users share IAM roles, a Marketplace approval over-provisions access to everyone in that IAM role, not just the requester.

See below for the best practices to avoid this behavior.

Best option: AWS Identity Center (IDC)

IDC is the best option and the approach AWS recommends, because it treats users as users rather than as roles. As a result, Marketplace provisioning upon approval applies only to the user that requested access and was approved, nothing more. No over-provisioning, only granular exceptions.

Second best option: IAM role per user

Create one IAM role per user, unique to that user, and assign that IAM role to the corresponding user in Immuta. Ensure that the IAM role cannot be shared with other users. This approach can be a challenge, however, because there is an IAM role maximum of 5,000 per AWS account, which is one reason why IDC is the better approach.
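One way to verify the "cannot be shared" requirement before mapping a role to an Immuta user is to audit each role's trust policy and flag any role that more than one principal, an account root, an anonymous principal, or a federated identity provider can assume. The script below is an added example, not Immuta's or AWS's code; the trust policies, the account id 111122223333 and the role names are constructed placeholders, and a role counts as single-user only when exactly one IAM user ARN may assume it.

```python
import json
# Constructed sample trust policies (placeholder account id; not from Immuta or AWS docs).
SAMPLE_TRUST_POLICIES = {
    "alice-data-role": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": "arn:aws:iam::111122223333:user/alice"}}]},
    "analysts-shared-role": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": ["arn:aws:iam::111122223333:user/alice",
                              "arn:aws:iam::111122223333:user/bob"]}}]},
    "account-wide-role": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}]},
    "saml-federated-role": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRoleWithSAML",
        "Principal": {"Federated": "arn:aws:iam::111122223333:saml-provider/corp"}}]},
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def assume_principals(trust_policy):
    """Set of 'Kind:value' principals allowed to assume the role (Allow statements only).
    Accepts a dict or the JSON string returned by `aws iam get-role`. Condition blocks
    are ignored, so a root principal narrowed by a Condition still counts as shared."""
    doc = json.loads(trust_policy) if isinstance(trust_policy, str) else trust_policy
    found = set()
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a in ("*", "sts:*") or a.startswith("sts:assumerole") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":          # anonymous principal: anyone may assume
            found.add("*")
            continue
        for kind, values in principal.items():   # kind is AWS, Federated or Service
            found.update(f"{kind}:{v}" for v in _as_list(values))
    return found

def is_single_user_role(trust_policy):
    """True only when exactly one IAM user ARN can assume the role."""
    principals = assume_principals(trust_policy)
    return len(principals) == 1 and all(p.startswith("AWS:") and ":user/" in p for p in principals)

def shared_roles(policies):
    """Role names that must not be mapped one-to-one to an Immuta user."""
    return sorted(n for n, pol in policies.items() if not is_single_user_role(pol))
```

Running `shared_roles(SAMPLE_TRUST_POLICIES)` on the constructed set returns every role except `alice-data-role`; in a real account, feed it the `AssumeRolePolicyDocument` of each role returned by `aws iam list-roles`.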

Final option: Request on behalf of IAM roles

In this approach, you create "users" in Immuta that map to each of your existing IAM roles. Then, when users request access to data products through the Marketplace, they request on behalf of the IAM role "user" rather than themselves.

This is a poor approach because, again, everyone in that role will gain access, and adding future users to that role will also bypass approvals. Worse, it requires the approver to understand which role should have access to what (not to mention which users are already in that role) in order to make a reasonable determination on the request.

Copyright © 2014-2024 Immuta Inc. All rights reserved.