Identity and Auth Starter Pack

Cloud Guardrails

If you're interested in contributing guidance, please start with these instructions.

IAM Service Users can only assume into a role which has actual permissions
Maturity Level: Medium
Cloud Provider: AWS
Author: Adam Cotenoff
Summary: Creating IAM roles that hold the necessary permissions and then assigning those roles to the IAM users who require access to the resources lets you centralize permission management.
Applicable to: Always

Limit IAM users
Maturity Level: Medium
Cloud Provider: AWS
Author: Adam Cotenoff
Summary: Limit the creation of new IAM users, and prefer IAM roles whenever possible.
Applicable to: Always

Rotate IAM access keys
Cloud Provider: AWS
Author: Adam Cotenoff
Summary: Rotate IAM access keys wherever IAM users are still required.
Applicable to: IAM users

OIDC Integration for popular services
Maturity Level: Medium
Cloud Provider: AWS
Author: Will Bengtson
Summary: Avoid using IAM users for popular services by creating a pattern that enables OIDC integrations.
Applicable to: Always

Restrict OIDC Integrations
Maturity Level: Medium
Cloud Provider: AWS
Author: Will Bengtson
Summary: Restrict OIDC integrations so that they cannot become a backdoor or a source of rogue access.
Applicable to: Always

Multi-party approval (MPA) and multi-factor authentication (MFA) should be required for all changes to production
Maturity Level: Medium
Cloud Provider: AWS
Author: Adam Cotenoff
Summary: Limiting engineers' access to production environments by managing infrastructure through Infrastructure as Code (IaC), enforcing identity-based changes, multi-party approval, MFA, and security linting helps ensure accountability and consistency and reduces security risk.
Applicable to: Applies when a robust IaC CI/CD workflow is in place

Guardrails to prevent removal of security services/tooling
Maturity Level: Medium
Cloud Provider: AWS
Author: Adam Cotenoff
Summary: Set up baseline security services by default (logging, monitoring, IAM, etc.) and prevent them from being removed.
Applicable to: This best practice applies particularly when using AWS Organizations to centrally manage multiple AWS accounts as a single entity.