As a small startup, we give our entire development team full access to our AWS accounts - we want as little overhead as possible to develop, deploy and support our services. However, storing those credentials on developer machines can be a big security risk.
I've recently come across AWS Vault, and it seems to solve the problem in a very nice way:
* You give very limited access to users by default.
* Each user can "AssumeRole" into an Admin role (or more specific role), with mandatory MFA, to perform changes to infrastructure.
* All other tools only ever have access to temporary credentials, never to your permanent credentials.
All of this can be done with the standard AWS cli, but AWS Vault seems to give very nice tooling around it.
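The pattern above only holds up if the Admin role's trust policy actually refuses sts:AssumeRole without MFA; otherwise leaked long-lived user keys are enough to become Admin. The following is an added example, not code from the post or from AWS Vault: a small check over an IAM trust policy document, with a constructed placeholder account id, that flags policies missing the aws:MultiFactorAuthPresent condition.

```python
from typing import Any

# Constructed placeholder account id; not taken from the post.
ACCOUNT_ID = "111111111111"

# Trust policy on the Admin role: any IAM user in the account may call
# sts:AssumeRole, but only when the call carries a valid MFA code.
TRUST_POLICY_WITH_MFA = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}

# Same policy with the condition dropped: the limited user's permanent
# keys alone would be enough to assume Admin.
TRUST_POLICY_WITHOUT_MFA = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
    }],
}

def _as_list(value: Any) -> list:
    # IAM allows a single string/object or a list in most fields.
    return value if isinstance(value, list) else [value]

def assume_role_requires_mfa(trust_policy: dict) -> bool:
    """True only if every Allow statement granting sts:AssumeRole requires
    aws:MultiFactorAuthPresent == true via a Bool condition. BoolIfExists is
    deliberately rejected: it passes when the key is absent, which is
    exactly the case where no MFA was used."""
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        bool_cond = stmt.get("Condition", {}).get("Bool", {})
        mfa = _as_list(bool_cond.get("aws:MultiFactorAuthPresent", "false"))
        if [str(v).lower() for v in mfa] != ["true"]:
            return False
    return True

if __name__ == "__main__":
    for name, policy in (("with MFA", TRUST_POLICY_WITH_MFA),
                         ("without MFA", TRUST_POLICY_WITHOUT_MFA)):
        print(f"{name}: requires MFA = {assume_role_requires_mfa(policy)}")
```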