Principle of Least Privilege

When a user or a role is created in Kion, by default the user can only log in. They have no permission to view, modify, or create any resources. This is by design, so that you can grant users the privileges they need at a granular level.

It's a best practice to give users only enough access to perform their job. This is called the principle of least privilege (PoLP). For instance, if a user only needs to modify objects in an S3 bucket, don't allow that user to create or delete S3 buckets. Least privilege is widely accepted as an important practice for data security and continuity of operations, because it limits what a compromised or misused account can do.

Kion lets you create and manage the cloud-provider objects that allow or deny actions in your cloud provider accounts. Some of these objects, such as AWS IAM policies and role definitions, can be defined at a very granular level, so it's important to understand how to use them safely. Because multiple objects can be applied to the same user or role, we suggest breaking complex sets of needs into smaller groups of permissions (each as its own policy or role definition), which are easier to manage and reuse across your users.

For instance, if all of your users need to create, start, stop, and delete EC2 instances in an AWS account, you can create one AWS IAM policy for that and apply it to all of those users. Then you can create a separate policy for the users who need more, such as read or write access to objects in S3, and apply only that policy to them.
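The two policies described above, written out as AWS IAM policy documents, together with a small evaluator that shows what each policy (and the combination) permits. This is an added example, not code from the Kion documentation or product. The action names and ARN formats are real AWS IAM syntax; the bucket name and account ID are made up, and the evaluator is a deliberately simplified model of IAM's evaluation logic (explicit Deny wins, then Allow, otherwise implicit deny, with `*` wildcards) rather than the AWS engine, so conditions, `NotAction`, resource policies and permission boundaries are not modelled.

```python
"""Least-privilege IAM policies for the EC2 / S3 scenario, plus a simplified
evaluator to show what each combination of attached policies permits.

Simplifications (assumptions, not AWS behaviour): no Condition, NotAction,
resource-based policies or permission boundaries; matching is case-sensitive.
The bucket name 'example-app-data' and account ID 123456789012 are made up.
"""
from fnmatch import fnmatchcase

# Policy 1: EC2 instance lifecycle only. Grants nothing in S3 or IAM.
EC2_LIFECYCLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ManageInstanceLifecycle",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:RunInstances",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
            ],
            "Resource": "*",
        }
    ],
}

# Policy 2: read/write objects in ONE bucket. Deliberately omits
# s3:CreateBucket and s3:DeleteBucket, and scopes the resource to that
# bucket's ARN instead of "*".
S3_OBJECT_RW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListTheOneBucket",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": "arn:aws:s3:::example-app-data",  # hypothetical bucket
        },
        {
            "Sid": "ReadWriteObjectsInTheOneBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": "arn:aws:s3:::example-app-data/*",
        },
    ],
}


def _matches(patterns, value):
    """True if value matches any pattern; '*' and '?' act as IAM wildcards."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def is_allowed(policies, action, resource):
    """Simplified IAM decision across several identity policies attached to
    the same user or role: any explicit Deny wins, otherwise any matching
    Allow grants the request, otherwise it is implicitly denied."""
    decision = "deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if stmt["Effect"] == "Deny":
                return False
            decision = "allow"
    return decision == "allow"


if __name__ == "__main__":
    INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
    OBJECT = "arn:aws:s3:::example-app-data/reports/q1.csv"
    everyone = [EC2_LIFECYCLE_POLICY]                       # all users
    data_team = [EC2_LIFECYCLE_POLICY, S3_OBJECT_RW_POLICY]  # users needing S3
    checks = [
        ("ec2:TerminateInstances", INSTANCE),
        ("s3:PutObject", OBJECT),
        ("s3:CreateBucket", "arn:aws:s3:::new-bucket"),
        ("s3:DeleteBucket", "arn:aws:s3:::example-app-data"),
        ("iam:CreateUser", "*"),
    ]
    for action, resource in checks:
        print(f"{action:24} everyone={is_allowed(everyone, action, resource)!s:5} "
              f"data_team={is_allowed(data_team, action, resource)}")
```

Note that even the data-team user, who holds both policies, cannot create or delete buckets, touch objects in any other bucket, or call IAM: each policy grants one small, nameable set of permissions, and the user's effective access is the union of only the policies they actually need.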
