Your proposed solution is on the right track in terms of segregating access within a VPC based on user roles, using security groups and subnets. However, there are a few more elegant and scalable approaches provided by AWS to achieve fine-grained access control within your VPC:
- AWS Identity and Access Management (IAM) Policies: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
- AWS VPC Endpoint Policies: https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html
- Security Groups and Network ACLs
- AWS Resource Access Manager (RAM): RAM allows you to share resources between AWS accounts or within your organization without needing to create duplicate resources. https://aws.amazon.com/it/ram/
- AWS Systems Manager Session Manager: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html
Hi A_J and the experts who reviewed the answer. Thank you so much for your help.
I've found information about Authorization Rules.
What do you think about a solution in which a SAML provider (for example, Google) or an Active Directory provider classifies users into groups according to their roles, and then each group is authorized to access artifacts in a subnet by a different authorization rule? I think this solution would be more elegant, and we would also only need one Client VPN endpoint, because it would define as many authorization rules as there are subnets.
Thank you so much.