Membership in OneLogin, LDAP, IAM Groups, GitHub, or even Mattermost should define the level of access granted to a person. We want to minimize the number of steps required to onboard or offboard team members and don’t want to have to grant or revoke access service-by-service.
For example, new machines in AWS should be created without a keypair and use Vault+OneLogin to control SSH access.
It should be possible to remove a person’s access to resources without disrupting operations or others’ access.
For example, each service that requires an AWS access token should use its own instead of sharing a token with other services or employees.
If a service doesn’t require access to a given resource, it shouldn’t have access to that resource.
Usually this means everything you do should be reviewed and committed as code to a repo. The only thing you should have to do manually to deploy is aws cloudformation deploy, serverless deploy, kubectl apply, etc.
If there’s a good reason you can’t define everything as code, create thorough step-by-step documentation of everything you do.
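As an added illustration of these principles together (this is example code, not a template from the original page or its project), the CloudFormation template below gives one hypothetical "report-worker" service its own IAM role scoped to a single bucket and launches its instance with no keypair, so SSH is left to Vault/OneLogin; the service name, bucket and instance type are assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'

Parameters:
  AmiId:
    # Resolved at deploy time from the public SSM parameter for Amazon Linux 2023
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64

Resources:
  # The one bucket this hypothetical "report-worker" service needs
  ReportBucket:
    Type: AWS::S3::Bucket

  # One role per service: no shared long-lived access keys, and the policy
  # names only the actions and the single bucket this service uses.
  ReportWorkerRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: report-worker-bucket-access
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: [s3:GetObject, s3:PutObject]
                Resource: !Sub '${ReportBucket.Arn}/*'
              - Effect: Allow
                Action: s3:ListBucket
                Resource: !GetAtt ReportBucket.Arn

  ReportWorkerProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles: [!Ref ReportWorkerRole]

  ReportWorkerInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref AmiId
      InstanceType: t3.micro
      IamInstanceProfile: !Ref ReportWorkerProfile
      # Deliberately no KeyName: SSH access is brokered by Vault/OneLogin
      # rather than a keypair baked into the instance at creation.
```

Deploying it is the single manual step the text describes: aws cloudformation deploy with the template file, a stack name, and --capabilities CAPABILITY_IAM because the stack creates a role; removing the service later means deleting the stack, which revokes its credentials without touching any other service's.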