IAM Pulse Check #4 - The Time Is Now!
Talking time and keeping time, with a nod to an obscure Detroit jazz label in it for the community
Miles Davis famously said, “time isn’t the main thing, it’s the only thing.” Don’t worry, this isn’t turning into an inspirational quotes newsletter!
For technology professionals, time is hard to keep track of. While some things change rapidly in a short period of time, other things remain the same for what feels like forever. While some chant, “it’s time to build!”, others challenge, “is it time to fix yet?”
I’ve been thinking about timing a lot lately, and as mentioned in last week’s newsletter, I feel like now is the right time to give the IAM domain the dedicated attention it deserves. One reason is the constant struggle between building and fixing. Mature cloud teams are doing their best to answer with, “why not both?”, but that’s easier said than done. Bringing a Shift Left mentality to cross-functional workstreams is a great place to start, but it requires a lot of surrounding context and understanding to truly measure impact.
The level of specialization required to do this right is more than should be expected of development teams focused on building the best products, and it’s also only one of many things security teams have to juggle. When a domain requires specialization, that means dedication.
Of the many anecdotes I’ve seen and heard in just the past few weeks to support this thesis, the Tweet below really popped as timely (no pun intended). Nothing says the time is now quite like a sense of urgency!
That said, not every company has the luxury of dedication, leaving most teams with the responsibility of becoming pseudo-specialists. Quite the burden to carry! That’s why it’s our mission as a team to up-level everyone’s understanding of the domain through shared knowledge and experiences, and the IAM Pulse community aims to be the place where you can come to learn and discuss the practice with your peers.
We’re early, but the time is now!
IAM checking these out...
NIST Special Publication (SP) 800-204C (Draft), Implementation of DevSecOps for a Microservices-based Application with Service Mesh
A strong signal for technology maturity is when NIST writes a special publication. Very procedural as always, this is a great document that details the goals, team structure, and workflows for DevSecOps teams. Pay special attention to the considerations for Infrastructure as Code in CI/CD pipelines.
Speaking of IaC in CI/CD pipelines, here’s a new open source tool from AWS that helps you determine whether an IAM policy attached to a CloudFormation stack is right-sized. This is big – the more you can shift left IAM configurations, the better, but it can be challenging to understand impact by looking at code alone. The context of the environment is just as important.
It was a huge week for AWS announcements, and I’m still catching up on all the new goodies. One major, relevant announcement is the introduction of a uniform API service, making the experience of interfacing with various services more consistent – not just from a naming perspective, but also in the expected behaviors. This is a major step in helping reason about the complexities of AWS.
IAM reading from the community...
In the spirit of automated CI/CD pipelines, one thing that’s easy to overlook – and I’m certainly guilty of it – is granting service accounts more permissions than they need. Terraform, for example, is responsible for creating and destroying resources, so naturally, it needs permissions to do so. But how do you know exactly what? This article is a good primer on using the open source iamlive tool to get ahead of it.
I love it when our members share their clever tips & tricks, and this one is a great one. The question is, how can you control the permissions of an EC2 instance in a time-based manner? One method is to leverage a trust relationship between an implicit role with no permissions that is assigned to an instance, and permissive roles that can be assumed on-demand. Very clever trick, indeed!
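The trick above, sketched as an added example (not the member's own code): the instance profile carries a base role with no permissions, and a privileged role trusts only that base role and only inside a time window, enforced with the `DateGreaterThan` / `DateLessThan` conditions on `aws:CurrentTime`. The account id, role ARNs and timestamps are constructed placeholders, and the evaluator is a deliberate simplification of IAM's real logic.

```python
"""Time-boxed privilege for an EC2 instance (added illustration, not the article's code).

The instance profile carries a base role with no permissions of its own. A separate
privileged role trusts only that base role, and only inside a window enforced with
DateGreaterThan / DateLessThan on aws:CurrentTime. Account id, ARNs and times are
constructed placeholders."""
from datetime import datetime, timezone

BASE_ROLE_ARN = "arn:aws:iam::123456789012:role/ec2-base-role"  # hypothetical


def build_trust_policy(base_role_arn: str, not_before: str, not_after: str) -> dict:
    """Trust policy for the privileged role: only the base role, only in the window."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": base_role_arn},
            "Action": "sts:AssumeRole",
            "Condition": {
                "DateGreaterThan": {"aws:CurrentTime": not_before},
                "DateLessThan": {"aws:CurrentTime": not_after},
            },
        }],
    }


def parse_time(ts: str) -> datetime:
    """ISO 8601 UTC timestamp in the form IAM expects, e.g. 2021-05-10T09:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assume_role_allowed(policy: dict, caller_arn: str, now: datetime) -> bool:
    """Simplified check of whether sts:AssumeRole by caller_arn at `now` matches the
    trust policy. Real IAM also evaluates explicit Deny, SCPs and the caller's own
    identity policy; only Principal and the two date conditions are modelled here."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        if stmt["Principal"].get("AWS") != caller_arn:
            continue
        cond = stmt.get("Condition", {})
        after = cond.get("DateGreaterThan", {}).get("aws:CurrentTime")
        before = cond.get("DateLessThan", {}).get("aws:CurrentTime")
        if after and not now > parse_time(after):
            continue
        if before and not now < parse_time(before):
            continue
        return True
    return False
```

Outside the window the base role has nothing to fall back on, so a long-lived instance cannot keep the elevated credentials once the maintenance slot closes.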
Compare the blast radius of EC2 instances like in the prior article with that of Lambda functions, and you might find your head spinning. One of the benefits of a serverless architecture is the developer experience, but that may leave a mess of a security situation. Finding the right balance can be tricky for even the most mature DevOps teams. This is a fantastic article that breaks down the tradeoffs, while introducing a helpful win-win solution by using IAM permissions boundaries.
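To make the win-win concrete, here is an added example (not the article's code) of the core rule behind permissions boundaries: a request is allowed only when both the role's identity policy and the boundary allow it, so developers can write their own Lambda roles while the platform team caps what any of those roles can ever do. The policies, ARNs and the `policy_decision` evaluator are constructed for this illustration and ignore conditions, `NotAction`/`NotResource` and SCPs.

```python
"""Effective permissions under a permissions boundary (added illustration, not the
article's code). A Lambda role's identity policy is intersected with the boundary:
an action is allowed only if both allow it and neither denies it. Policies and ARNs
are constructed; conditions, NotAction/NotResource and SCPs are not modelled."""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    return fnmatchcase(action.lower(), pattern.lower())  # action names are case-insensitive


def policy_decision(policy: dict, action: str, resource: str) -> str:
    """Return 'Deny', 'Allow' or 'Implicit' for one policy document."""
    decision = "Implicit"
    for stmt in policy["Statement"]:
        hit_action = any(_action_matches(a, action) for a in _as_list(stmt.get("Action", [])))
        hit_resource = any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", [])))
        if hit_action and hit_resource:
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny wins over any Allow
            decision = "Allow"
    return decision


def is_allowed(identity_policy: dict, boundary: dict, action: str, resource: str) -> bool:
    """Boundary semantics: the request must be allowed by BOTH documents."""
    return (policy_decision(identity_policy, action, resource) == "Allow"
            and policy_decision(boundary, action, resource) == "Allow")


# Constructed sample: a developer-authored Lambda execution role that over-reaches...
LAMBDA_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "logs:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:CreateUser", "Resource": "*"},
]}
# ...and the platform team's boundary attached to every Lambda role.
LAMBDA_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "logs:*", "Resource": "arn:aws:logs:*:*:*"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::app-data/*"},
]}
```

The `iam:CreateUser` grant in the developer's policy is rendered inert by the boundary, while reads from the sanctioned bucket and log writes keep working.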
IAM listening to this...
There are few jazz labels that carry as much prestige and mystique as Tribe Records from Detroit, despite only releasing a handful of titles in tiny quantities. One of the founders behind the label is trombonist and civil rights activist Phil Ranelin, who brought together a collective of local talent that rivals any of the major labels of the time. Along with bootstrapping the record label, they also put out a magazine to empower black culture in the local community during tumultuous times. Few things represent community more than a tribe, and a strong and powerful representation of that is the Tribe Collective. Seeking out original copies of any Tribe release isn’t for everyone, but thankfully you can get your hands on the whole collection courtesy of the great work by Now-Again Records, who recently released this high quality box set.