Determining the owner of an NHI is extremely important when managing identities in your organization. If the organization encounters an NHI-related incident, knowing which human is responsible can be a great shortcut on the journey to remediation.

Establishing NHI ownership in your friendly neighborhood cloud provider is not always easy, but it is pretty straightforward. When a human directly creates or modifies an identity, you can find the relevant event in the logs and see who is responsible. But does this apply to IaC-generated identities as well?

IaC ownership

Identifying ownership for NHIs created by IaC is much harder, because the underlying question of who owns an IaC resource is itself much harder to answer.

Let's start small:

A DevOps engineer deploying IaC to create danz_role

Introduction

Infrastructure as Code (IaC) is a major tool for creating scalable environments in the cloud. With a single command, you can create hundreds of accounts, servers, policies, and identities. Monitoring identities is a tough task, especially non-human identities (NHIs), and IaC-generated identities make it even harder.

Most IaC setups include several platforms, making the management process decentralized and shared across multiple technologies. On top of that, IaC-managed environments change much faster, making it harder for security teams to keep up with the pace.

The basic question to be answered when dealing with NHIs is: who is the owner of an identity? This question is especially tough to answer when the creator is an automated process triggered by commits or deployments.

We tried to answer this question in different ways, one of which was a tag-based approach. In this blog post, I'll be sharing the challenges in the journey to master this approach, but first, let's talk about ownership.

IaC Ownership

Ownership

Direct Role Creation

I am a developer at a small company, and I (kindly) requested that my DevOps team create a few resources, including a role.
I have a simple Te...
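The log-based attribution described above, together with the tag-based fallback the post goes on to discuss, as an added example that is not the post's own code: a pass over constructed CloudTrail-style CreateRole records that names the human creator when one acted directly, falls back to an owner tag when a CI pipeline created the role, and queues anything still unattributed. The trimmed field layout, the pipeline name and the owner values are assumptions.

```python
"""Attribute a newly created IAM role (an NHI) to a human owner.

Added example, not code from the original post. The records below are
constructed samples shaped like AWS CloudTrail CreateRole events, trimmed
to the userIdentity and requestParameters fields the logic needs.
"""

# Constructed sample events: a direct creation by a human, an IaC creation
# by a CI pipeline with no owner tag, and an IaC creation that carries one.
SAMPLE_EVENTS = [
    {"eventName": "CreateRole",
     "userIdentity": {"type": "IAMUser", "userName": "dana"},
     "requestParameters": {"roleName": "reporting_role", "tags": []}},
    {"eventName": "CreateRole",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ci-deployer/run-41"},
     "requestParameters": {"roleName": "ingest_role", "tags": []}},
    {"eventName": "CreateRole",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ci-deployer/run-42"},
     "requestParameters": {"roleName": "danz_role",
                           "tags": [{"key": "owner", "value": "dan"},
                                    {"key": "repo", "value": "infra/iam"}]}},
]

HUMAN_PRINCIPAL_TYPES = {"IAMUser", "Root"}


def attribute_owner(event: dict) -> dict:
    """Return the role name, its owner (or None) and how ownership was derived."""
    ident = event["userIdentity"]
    params = event.get("requestParameters") or {}
    role = params.get("roleName")
    # A human principal acted directly: the audit record itself names the owner.
    if ident["type"] in HUMAN_PRINCIPAL_TYPES:
        return {"role": role, "owner": ident.get("userName", "root"), "source": "direct-creator"}
    # Automated principal (IaC pipeline): the session ARN says which pipeline
    # ran, not which human is accountable, so fall back to an owner tag.
    tags = {t["key"]: t["value"] for t in params.get("tags", [])}
    if tags.get("owner"):
        return {"role": role, "owner": tags["owner"], "source": "owner-tag"}
    return {"role": role, "owner": None, "source": "unattributed", "principal": ident.get("arn")}


def unattributed_roles(events: list) -> list:
    """Roles that no human can be tied to from logs or tags: the review queue."""
    created = [e for e in events if e.get("eventName") == "CreateRole"]
    return [r["role"] for r in map(attribute_owner, created) if r["owner"] is None]
```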