SEC03-BP01: Define access requirements
Each component or resource of your workload needs to be accessed by administrators, end users, or other components. Have a clear definition of who or what should have access to each component, and choose the appropriate identity type and method of authentication and authorization.
Implementation guidance
Defining clear access requirements is the foundation for implementing effective permissions management. By understanding who needs access to what resources and under what conditions, you can implement the principle of least privilege and reduce the risk of unauthorized access.
Key steps for implementing this best practice:
- Identify resources and components:
  - Document all resources and components in your workload
  - Classify resources based on sensitivity and criticality
  - Group related resources that typically share access patterns
  - Identify dependencies between resources
  - Document resource ownership
- Identify access personas:
  - Define administrator personas (e.g., system administrators, security administrators)
  - Define end-user personas (e.g., developers, analysts, business users)
  - Identify service and application identities
  - Document third-party access requirements
  - Consider emergency access scenarios
- Define access patterns:
  - Determine what actions each persona needs to perform
  - Identify when access is needed (e.g., business hours, on-call periods)
  - Define where access should be allowed from (e.g., corporate network, specific locations)
  - Document access conditions (e.g., MFA requirements, device compliance)
  - Consider break-glass procedures for emergency access
- Choose appropriate identity types:
  - Select human identity types (e.g., IAM users, federated identities)
  - Select machine identity types (e.g., IAM roles, service accounts)
  - Determine authentication methods for each identity type
  - Define session duration and refresh requirements
  - Document identity lifecycle management processes
- Define authorization model:
  - Choose between role-based, attribute-based, or resource-based access control
  - Define roles or permission sets aligned with job functions
  - Establish permission boundaries for different personas
  - Document approval workflows for access requests
  - Define access review and recertification processes
- Document access requirements:
  - Create a formal access requirements document
  - Include resource-to-persona mappings
  - Document required permissions for each persona
  - Define access review frequency
  - Establish processes for updating access requirements
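The steps above can be captured as a machine-readable matrix and checked before any policy is written. The following Python sketch is an added example, not part of the original guidance: it flags under-specified rows and renders complete ones as an IAM policy with MFA and source-IP conditions. The personas, account ID, table name, CIDR, owners and field names are assumptions.

```python
import json

# Constructed sample matrix; personas, ARNs, CIDR and owners are placeholders.
REQUIREMENTS = [
    {"persona": "analyst", "owner": "data-platform-team",
     "resource": "arn:aws:dynamodb:us-east-1:111122223333:table/ExampleOrders",
     "sensitivity": "confidential", "actions": ["dynamodb:GetItem", "dynamodb:Query"],
     "require_mfa": True, "source_cidrs": ["203.0.113.0/24"]},
    # Deliberately under-specified row, as often found in a first draft.
    {"persona": "contractor", "owner": "", "resource": "*",
     "sensitivity": "confidential", "actions": ["s3:*"],
     "require_mfa": False, "source_cidrs": []},
]

def find_gaps(req):
    """Return the reasons a requirement is too vague to turn into a policy."""
    gaps = []
    if not req.get("owner"):
        gaps.append("no resource owner")
    if any("*" in action for action in req["actions"]):
        gaps.append("wildcard action")
    if req["resource"] == "*":
        gaps.append("wildcard resource")
    if req["sensitivity"] == "confidential" and not req.get("require_mfa"):
        gaps.append("confidential resource without MFA condition")
    return gaps

def to_statement(req):
    """Render one fully specified requirement as an IAM Allow statement."""
    gaps = find_gaps(req)
    if gaps:
        raise ValueError(f"{req['persona']}: {', '.join(gaps)}")
    stmt = {"Effect": "Allow", "Action": req["actions"], "Resource": req["resource"]}
    cond = {}
    if req.get("require_mfa"):  # access condition: MFA must be present
        cond["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    if req.get("source_cidrs"):  # access condition: allowed network origin
        cond["IpAddress"] = {"aws:SourceIp": req["source_cidrs"]}
    if cond:
        stmt["Condition"] = cond
    return stmt

def build_policy(reqs, persona):
    """Collect every statement for one persona into a policy document."""
    stmts = [to_statement(r) for r in reqs if r["persona"] == persona]
    return {"Version": "2012-10-17", "Statement": stmts}

if __name__ == "__main__":
    print(json.dumps(build_policy(REQUIREMENTS, "analyst"), indent=2))
    print("contractor gaps:", find_gaps(REQUIREMENTS[1]))
```

Rows that fail `find_gaps` go back to the resource owner for clarification instead of being turned into a broad policy.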
Implementation examples
Example 1: Access requirements matrix
Example 2: IAM policy based on access requirements
Example 3: Access requirements documentation template
AWS services to consider
Benefits of defining access requirements
- Improved security posture: Clear access requirements help implement the principle of least privilege
- Simplified permissions management: Well-defined requirements make it easier to create and maintain appropriate permissions
- Reduced risk of unauthorized access: Explicit access conditions help prevent inappropriate access
- Enhanced compliance: Documented access requirements support compliance with regulatory requirements
- Streamlined access reviews: Clear requirements make it easier to review and validate access
- Better operational efficiency: Well-defined access patterns reduce friction for legitimate access needs
- Improved auditability: Documented requirements provide a baseline for access audits