Announcing Coherence 2.0 and CNC, the first open source IaC framework
All posts

AWS IAM Setup for Startups

How to setup a secure and compliant IAM environment with AWS
Zach Zaro
March 20, 2023

As a startup, it's important to ensure that you're implementing proper Identity and Access Management (IAM) practices from day one. IAM is critical in protecting your organization's resources, maintaining compliance with regulations such as SOC2 or HIPAA, and ensuring smooth and efficient user management. Despite its importance, getting IAM right on AWS is routinely a source of confusion and regret for people doing it (even if they’ve done it before). It can be a challenging and time-consuming process, especially if you've already set up manual roles across various services. This blog post will guide you through the ideal setup for startups, helping you achieve a secure, productive, and compliant environment.

IAM is essential for safeguarding your organization's digital assets, controlling who has access to specific resources, and keeping track of user activities. Implementing a robust IAM strategy not only ensures the security and integrity of your systems, but it also helps your startup maintain compliance with industry regulations, such as SOC2 and HIPAA. These compliance programs require that businesses implement strict access control and user management policies to prevent unauthorized access, data breaches, and other security threats. In this guide, we aim to strike a balance between best practices and considerations like setup time, understandability, and familiarity with concepts for startup users. It’s rooted in real-world experience with startup teams at Coherence.

To establish a secure and compliant IAM environment with multiple AWS accounts in an Organization, we recommend the following setup (we also see other startup-focused recommendations in line with this, for example this from SST):

Create an AWS Organization in an otherwise-empty management account: Begin by setting up a central management account for your startup. This account will serve as the foundation for your IAM strategy, allowing you to manage other AWS accounts and resources.

  • AWS Startup Credits added to the management account: Take advantage of AWS Startup Credits like Accelerate to save on initial costs as you build your infrastructure.
  • Consolidated billing enabled: Enable consolidated billing to manage your organization's finances more effectively and streamline your billing process.

Other accounts created via the organization: Use a team-accepted method to generate unique email addresses for each account, such as mailinglist+accountname@startup.com. You won’t actually use the root account to login to these accountes, but AWS requires each account to have a unique email that owns it.

  • You should leave the default OrganizationAccountAccessRole to allow IAM members of the management account to switch roles into the child accounts of the organization, however you won’t often need to use this if you follow the suggestion to use IAM Identity Center below.

The first account that most teams will add is the sandbox account for the dev team: Create a sandbox account where your entire development team can experiment without affecting staging or production environments. Ensure everyone understands that anything within this account can be deleted or broken at any time.

  • Personal sandboxes available as-needed: Although it can be challenging to delete AWS accounts created via an organization, personal sandbox AWS accounts may be provided on a case-by-case basis.

Next, add a staging account for non-production use: Create a staging account for hosting all non-production workloads, with limited write access for the dev team. Consider using tools like Coherence for providing your team hosted production-quality review apps instead of just having one shared staging environment. The other 2 accounts you’ll often create in your organization are:

  • Integrations account for third-party services: Set up an integrations account for third-party services that need AWS resources but not direct access to staging or production environments. An example here might be an ETL tool accessing RedShift or a marketing CMS using S3 for media storage.
  • Production account: This is where you’ll host your production deployments. You should limit access to the production account based on your team's operational needs, ensuring that only authorized users have access to these critical resources.

Use AWS Identity Center: Leverage AWS Identity Center to manage access to the different accounts in your organization. You can use the built-in users/groups functionality to add users to groups, and then attach permission sets to groups using the IAM Identity Center “Assign users or groups” workflow (most teams use the predefined AdministratorAccess permission set, but you can create custom permissions as well). You can also use an SSO source instead of adding users and groups manually in IAM Identity Center.

  • AWS Active Directory is the most integrated source of users - it automatically syncs users and assigns them to groups.
  • GSuite Integration also works, just not as well. If using GSuite, follow the AWS guide to set up GSuite as an external identity provider for AWS SSO. This may require additional software or manual assignment of email addresses to AWS groups.

As you scale, you’ll be well-positioned to import organizational level controls using more complete services such as https://aws.amazon.com/controltower/ as they are needed or you have the bandwidth to operate them.

  • What we’ve seen is that these really become needed as you implement more sandboxes for teams or devs, or integrate with more 3rd parties that you need to segregate into different accounts
  • Don’t recommend using this service to manage per-tenant deployments for customers into segregated accounts, that should be automated with distinct infra-as-code (or use something like Coherence) to be flexible to different customer requirements for account setup/settings

Establishing a secure and compliant IAM setup on AWS for your startup is essential in today's digital landscape. By following the guidelines provided in this blog post, you'll be well on your way to achieving a robust IAM strategy that not only protects your organization's resources but also ensures adherence to industry regulations. Remember, getting IAM right from the beginning can save you time and resources in the long run, and help you avoid the pitfalls of manual role management.