Had a new hire start today who immediately pinged me to let me know that he was given admin access to his dev #AWS account and he probably shouldn't have that.
Nah man, we just care about good #devex. But how do we do it? 🧵
Nah man, we just care about good #devex. But how do we do it? 🧵
First off, we use AWS Organizations to manage our multi-account environment. Organizations has a feature called Security Control Policies (SCPs) which can limit max permissions for all accounts in your org. We use it to disable regions and services we don't use.
We use another service, Control Tower, to manage these rules and configure accounts when they're first created. Control Tower ensures that all our audit logs go to a central account and we can set up alerting for anomalous behavior. Each account also gets an initial budget.
These three main protections (disabling features at the account level, centralized auditing, and cost alarming) let us know we're protected and we can let the dev team do what they do best without getting in the way.
If this sounds like an environment you'd want to work in and help develop, we're hiring @OrbitalSidekick!
jobs.lever.co/orbitalsidekick
jobs.lever.co/orbitalsidekick
• • •
Missing some Tweet in this thread? You can try to
force a refresh
