Best Practices of Identity and Access Management in Public Cloud Services, and Services Comparison

Classic Business Use Cases of IAM

User Groups and Responsibilities

  • Root admin: Full access, including billing information
  • Admin: Full access, including IAM, so that nobody has to log in as root admin for daily work
  • All: Least privilege (or no permissions); every user belongs to this group
  • Dev: View/Run/Start/Stop instances (EC2 or ECS)
  • QA: View instances (EC2 or ECS)
  • Manager: View instances (EC2 or ECS)
  • SysAdmin: Full access to all application services (e.g. EC2 Full Access)
  • Others: sub-groups divided by business domain or level

Roles and Responsibilities

  • DevEC2: Least privilege for instances in the Dev environment to reach the other cloud services they need (e.g. an S3 bucket)
  • QAEC2: Least privilege for instances in the QA environment to reach the other cloud services they need (e.g. an S3 bucket)
  • StagingEC2: Least privilege for instances in the Staging environment to reach the other cloud services they need (e.g. an S3 bucket)
  • ProductionEC2: Least privilege for instances in the Production environment to reach the other cloud services they need (e.g. an S3 bucket)
  • Others

Security Best Practices of IAM

Security Best Practice

  • Require a strong password policy for all accounts
  • Enable MFA on as many accounts as possible, starting with the root and Admin accounts
  • Lock away the root account credentials and do day-to-day administration with the "Admin" account instead
  • Every team member gets an account in the "All" group, which carries least privilege (or no permissions); extra rights come only from additional group membership
  • Add conditions to policies for extra control (e.g. an allowed time range or source IP range)
  • Grant permissions through user groups rather than to individual users
  • Use roles for instances and services that need access to other cloud services
  • Regularly review the access log of each account and remove unused permissions to keep least privilege
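The slides describe groups, per-environment instance roles and conditional policies in words only. The block below, added here as an example and not taken from the original deck or from AWS, writes the Dev group policy, an "All"-group guard policy with IP-range and expiry conditions, and the per-environment EC2 role policy as AWS-style JSON documents, then runs requests through a small local evaluator that mimics the documented decision logic (an explicit Deny always wins; otherwise an Allow is required; anything else is implicitly denied). The group and role names follow the slides; the bucket naming scheme `app-<env>-bucket`, the office address range 203.0.113.0/24, the expiry date and the sample request context are assumptions, and the evaluator understands only a handful of condition operators.

```python
"""Toy evaluator for AWS-style IAM policy documents (added example; not AWS
code). Decision logic: explicit Deny wins, an Allow is required for access,
everything else is an implicit deny."""
import fnmatch
import ipaddress
from datetime import datetime

# Dev group: view/run/start/stop instances. Terminate is deliberately absent.
DEV_GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:Describe*", "ec2:RunInstances",
                   "ec2:StartInstances", "ec2:StopInstances"],
        "Resource": "*",
    }],
}

# Guard attached to the "All" group: explicit Deny from outside the office
# range (constructed address block) or after an assumed expiry date. Because
# Deny wins, this narrows whatever the other groups grant.
ACCESS_GUARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"DateGreaterThan": {"aws:CurrentTime": "2024-12-31T23:59:59Z"}}},
    ],
}

# Trust policy that lets EC2 instances assume one of the <Env>EC2 roles.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"Service": "ec2.amazonaws.com"}}],
}


def instance_role_policy(env: str) -> dict:
    """Permission policy for the <Env>EC2 role: list/read/write only that
    environment's bucket. The name app-<env>-bucket is an assumption."""
    bucket = f"arn:aws:s3:::app-{env}-bucket"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": bucket},
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": f"{bucket}/*"},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _parse_time(text: str) -> datetime:
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def _condition_holds(condition: dict, ctx: dict) -> bool:
    """Every operator in a Condition block must hold (AND). A key missing
    from the request context counts as a non-match (a simplification)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if operator in ("IpAddress", "NotIpAddress"):
                inside = any(ipaddress.ip_address(actual) in ipaddress.ip_network(cidr)
                             for cidr in _as_list(expected))
                ok = inside if operator == "IpAddress" else not inside
            elif operator == "DateGreaterThan":
                ok = _parse_time(actual) > _parse_time(expected)
            elif operator == "DateLessThan":
                ok = _parse_time(actual) < _parse_time(expected)
            elif operator == "StringEquals":
                ok = actual in _as_list(expected)
            else:
                raise ValueError(f"unsupported operator {operator}")
            if not ok:
                return False
    return True


def evaluate(policies, action: str, resource: str, ctx: dict) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            # Action names are case-insensitive; resource ARNs are not.
            if not any(fnmatch.fnmatchcase(action.lower(), p.lower())
                       for p in _as_list(stmt["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource, p)
                       for p in _as_list(stmt.get("Resource", "*"))):
                continue
            if "Condition" in stmt and not _condition_holds(stmt["Condition"], ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny beats any allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    office = {"aws:SourceIp": "203.0.113.10", "aws:CurrentTime": "2024-06-01T10:00:00Z"}
    dev = [DEV_GROUP_POLICY, ACCESS_GUARD_POLICY]
    inst = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
    print(evaluate(dev, "ec2:StartInstances", inst, office))      # Allow
    print(evaluate(dev, "ec2:TerminateInstances", inst, office))  # ImplicitDeny
    print(evaluate(dev, "ec2:StartInstances", inst,
                   {**office, "aws:SourceIp": "198.51.100.7"}))  # Deny
    print(evaluate([instance_role_policy("prod")], "s3:GetObject",
                   "arn:aws:s3:::app-dev-bucket/config.yaml", {}))  # ImplicitDeny
```

The guard policy is written as Deny statements rather than as conditions on the Allow so that it composes with every other group a user is in: a Dev user who is also a Manager is still cut off outside the office range. The per-environment role policies differ only in the bucket ARN, which is exactly why a ProductionEC2 instance cannot read the Dev bucket even though both roles carry the same actions.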

 

IAM in Huaweicloud vs IAM in AWS

  Huawei Cloud                       AWS
  ---------------------------------  -----------------------
  User (用户)                        User
  User Group (用户组)                User group
  Permission (权限)                  Policy
  Agency (委托)                      Role
  Identity Provider (身份提供商)     Identity Provider
  Project (项目)                     (no direct equivalent)

By hanyi8000