SEC02-BP06: Employ user groups and attributes
As the number of users you manage grows, you need to reduce the overhead of managing access. Place users with common security requirements in groups defined by your identity provider, and put mechanisms in place to ensure that user attributes that may be used for access control (such as department or location) are correct and updated.
Implementation guidance
Managing access for individual users becomes increasingly complex as your organization grows. By using groups and attributes, you can implement scalable access management that reduces administrative overhead and ensures consistent access control across your AWS environment.
Key steps for implementing this best practice:
- Design your group structure:
- Identify common access patterns in your organization
- Create groups based on job functions or roles
- Consider organizational structure when designing groups
- Plan for nested groups if supported by your identity provider
- Document your group naming conventions and structure
- Implement attribute-based access control (ABAC):
- Identify user attributes relevant for access control (department, job role, location, etc.)
- Ensure attributes are correctly maintained in your identity provider
- Map attributes from your identity provider to AWS
- Design IAM policies that use attributes for access decisions
- Test attribute-based policies with sample users
- Configure group-based access control (GBAC):
- Create IAM roles that correspond to your groups
- Define permission sets in AWS IAM Identity Center
- Map groups to roles or permission sets
- Implement least privilege access for each group
- Regularly review group memberships and permissions
- Maintain group and attribute integrity:
- Implement processes for managing group membership
- Automate group assignments based on user attributes where possible
- Establish approval workflows for group membership changes
- Regularly audit group memberships and user attributes
- Implement controls to prevent unauthorized attribute changes
- Implement access governance:
- Conduct regular access reviews for groups
- Document group purpose and access levels
- Implement attestation processes for group memberships
- Monitor for unusual group membership changes
- Generate reports on group usage and membership
- Scale your approach:
- Design for growth in user numbers and complexity
- Implement automation for group management
- Use templates for common access patterns
- Document processes for creating new groups
- Regularly review and optimize your group structure
Implementation examples
Example 1: Attribute-based access control with IAM
Example 2: Group-based access with AWS IAM Identity Center
Example 3: SAML attribute mapping for AWS access
AWS services to consider
Benefits of employing user groups and attributes
- Simplified access management: Manage access for groups of users rather than individuals
- Consistent access control: Apply the same permissions to all users with similar roles
- Reduced administrative overhead: Update permissions for multiple users at once
- Scalable access management: Easily manage access as your organization grows
- Dynamic access control: Use attributes to make access decisions based on user characteristics
- Improved security governance: Easier to audit and review access when organized by groups
- Streamlined onboarding: Quickly grant appropriate access to new users by adding them to groups