SEC03-BP06: Manage access based on lifecycle

Integrate access controls with operator and application lifecycle and your centralized federation provider. For example, remove a user's access when they leave the organization or change roles.

Implementation guidance

Managing access based on lifecycle ensures that permissions are granted, modified, and revoked in alignment with changes in user roles, employment status, and application requirements. This approach helps maintain security by ensuring that access rights remain appropriate throughout the entire lifecycle of identities and resources.

Key steps for implementing this best practice:

1. Define lifecycle stages:
   • Map out user lifecycle stages (onboarding, role changes, offboarding)
   • Identify application and service lifecycle phases
   • Define access requirements for each lifecycle stage
   • Document approval processes for lifecycle transitions
   • Establish timelines for access provisioning and deprovisioning
2. Implement automated provisioning:
   • Integrate with HR systems for user lifecycle events
   • Automate account creation and initial access provisioning
   • Use identity providers for centralized user management
   • Implement just-in-time (JIT) access provisioning
   • Create templates for common access patterns
3. Establish role-based access management:
   • Define roles based on job functions and responsibilities
   • Map users to roles based on their current position
   • Implement automatic role assignment based on attributes
   • Create approval workflows for role changes
   • Document role definitions and associated permissions
4. Implement automated deprovisioning:
   • Automate access removal when users leave the organization
   • Implement immediate access suspension for terminated employees
   • Create processes for transferring access during role changes
   • Establish retention policies for user accounts and data
   • Implement automated cleanup of unused accounts
5. Monitor and audit lifecycle events:
   • Track all access provisioning and deprovisioning events
   • Monitor for orphaned accounts and unused access
   • Implement regular access reviews and certifications
   • Generate reports on lifecycle management effectiveness
   • Set up alerts for unusual lifecycle activities
6. Handle exceptions and emergency scenarios:
   • Define processes for emergency access provisioning
   • Establish procedures for handling lifecycle exceptions
   • Create temporary access mechanisms for contractors and vendors
   • Implement break-glass procedures for critical situations
   • Document and audit all exception cases

Implementation examples

Example 1: Automated user lifecycle management with AWS IAM Identity Center

Code snippet hidden for website display

Example 2: Lambda function for automated lifecycle management

Code snippet hidden for website display

Example 3: Lifecycle management workflow with AWS Step Functions

Code snippet hidden for website display

AWS services to consider

AWS IAM Identity Center

Helps you securely create or connect your workforce identities and manage their access centrally across AWS accounts and applications. Provides APIs for automated lifecycle management.

AWS Identity and Access Management (IAM)

Enables you to manage access to AWS services and resources securely. Use IAM for managing service accounts and application identities throughout their lifecycle.

AWS Lambda

Lets you run code without provisioning or managing servers. Use Lambda functions to automate lifecycle management processes and integrate with external systems.

AWS Step Functions

Coordinates multiple AWS services into serverless workflows. Use Step Functions to orchestrate complex lifecycle management processes.

Amazon EventBridge

A serverless event bus that makes it easy to connect applications together. Use EventBridge to trigger lifecycle management workflows based on events from HR systems or other sources.

AWS CloudTrail

Records API calls for your account and delivers log files to you. Use CloudTrail to audit and monitor lifecycle management activities.

Benefits of managing access based on lifecycle

• Enhanced security: Ensures access is appropriate for current roles and employment status
• Reduced risk: Minimizes the risk of unauthorized access from former employees or changed roles
• Improved compliance: Supports regulatory requirements for access management and auditing
• Operational efficiency: Automates routine access management tasks
• Better visibility: Provides clear audit trails for access changes
• Consistent processes: Ensures standardized handling of lifecycle events
• Reduced administrative overhead: Minimizes manual intervention in access management

Related resources

Related Resources

• AWS Well-Architected Framework - Manage access based on lifecycle
• AWS IAM Identity Center User Guide
• Automatic provisioning in AWS IAM Identity Center
• Managing IAM users
• How to automate user lifecycle management in AWS IAM Identity Center
• How to create a break-glass admin role for emergency access to your AWS environment