Principle of Least Privilege
When a user or a role is created in Kion, by default, the user can only log in. They do not have permission to view, modify, or create any resources. This is by design so that you can grant users appropriate privileges at a granular level.
It's a best practice to only provide users with enough access to perform their job. This is called the principle of least privilege (PoLP). For instance, if a user only needs the ability to modify objects in an S3 bucket, don't allow that user to create or delete S3 buckets. This is widely accepted to be an important practice for data security and continuity of operations.
Kion lets you create and manage objects within cloud providers that allow or deny users to perform certain actions in your cloud provider accounts. Some objects that control user access, such as IAM policies and role definitions, can be defined at very granular levels, so it's important that you understand how to use them safely. Since multiple objects can be applied to the same user or role, we suggest that you break down complex sets of needs into smaller groups of permissions (as a policy or role definition) for easier management across your users.
For instance, if all of your users need access to create, start, stop, and delete EC2 instances in an AWS account, you can create one AWS IAM policy and apply it to all of those users. Then, you can create an additional policy for any users that need more access, like read or write access to S3.
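To make the split described above concrete, here is an added example (not Kion's code and not an AWS sample policy) of the two documents this section describes: one policy for the EC2 instance lifecycle actions that every user gets, and a separate S3 policy that grants read and write access to objects in one bucket but no bucket-level actions, so that a user who only needs to modify objects can never create or delete buckets. A small check at the end confirms that the S3 policy stays object-level even when actions are written with wildcards. The account id and bucket name are constructed placeholders, and the checker is an illustration of how to review a policy before attaching it, not an AWS or Kion API.

```python
"""Least-privilege IAM policy documents split by job function, plus a small
review check that an object-level S3 policy grants no bucket-level actions.

Added example for illustration: the policies, the account id, the bucket
name and the checker are all constructed here and are not part of Kion or
of any AWS sample policy.
"""
import fnmatch
import json

ACCOUNT_ID = "123456789012"        # constructed placeholder, not a real account
BUCKET = "example-app-data"        # constructed placeholder bucket name

# Policy 1: attached to every user in this scenario. Only instance lifecycle
# actions, nothing else in EC2.
EC2_INSTANCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            # RunInstances authorizes against several resource types (AMI,
            # subnet, security group, volume, ...), so it is kept on "*" here;
            # tighten it with resource ARNs and condition keys in real use.
            "Sid": "LaunchInstances",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": "*",
        },
        {
            # Start/stop/terminate can be scoped to instances in this account.
            "Sid": "ManageExistingInstances",
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
            ],
            "Resource": f"arn:aws:ec2:*:{ACCOUNT_ID}:instance/*",
        },
    ],
}

# Policy 2: attached only to the users who also need S3. Object read/write in
# one bucket; no CreateBucket, DeleteBucket or bucket configuration actions.
S3_OBJECT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListOneBucket",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": f"arn:aws:s3:::{BUCKET}",
        },
        {
            "Sid": "ReadWriteObjectsOnly",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        },
    ],
}

# A policy that looks convenient but violates least privilege: "s3:*" silently
# includes every bucket-level action as well.
TOO_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Bucket-level actions an object-only policy must never grant (illustrative
# subset, not the full list of S3 bucket actions).
BUCKET_LEVEL_ACTIONS = ("s3:CreateBucket", "s3:DeleteBucket", "s3:PutBucketPolicy")


def _as_list(value):
    """IAM allows a single string or a list for Statement and Action."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def granted_bucket_level_actions(policy):
    """Return the bucket-level actions that the policy's Allow statements grant.

    Action names are matched case-insensitively and wildcards such as "s3:*"
    or "s3:Delete*" are expanded, mirroring how IAM matches action patterns.
    An empty list means the policy stays within object-level access.
    """
    found = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for action in BUCKET_LEVEL_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()) and action not in found:
                    found.append(action)
    return found


def policy_json(policy):
    """Serialize a policy the way it would be pasted into a policy editor."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for name, policy in [("EC2 instance policy", EC2_INSTANCE_POLICY),
                         ("S3 object policy", S3_OBJECT_POLICY),
                         ("Too-broad S3 policy", TOO_BROAD_POLICY)]:
        print(f"== {name} ==")
        print(policy_json(policy))
        print("bucket-level actions granted:", granted_bucket_level_actions(policy) or "none")
```

Because each job function lives in its own document, the S3 policy can be attached to the subset of users who need it without touching the EC2 policy that everyone shares; the check shows why a single `"s3:*"` shortcut is not an acceptable substitute for the object-level policy.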
- AWS. For more info on using AWS IAM policies and to view sample policies, see What is an IAM Policy? For information about AWS service control policies (SCPs), see What is an AWS Service Control Policy?
- AWS users also have the option to use attribute-based access control enabled through AWS session tags. For more information, see Attribute-Based Access Control via Session Tags.
- Azure. For information on Azure role definitions, see What is an Azure Role Definition?
- Google Cloud. For information on Google Cloud IAM roles, see What is a Google Cloud IAM Role?