For a lifestyle business that's never going to grow into needing enterprise offerings, IAM is overkill. Like K8s would be for HN or another simple web forum.
I disagree. IAM is like having a house with doors that lock. It doesn't matter how big or small your house is, you're going to want the ability to restrict who can go where and do what. It's part of basic security.
If they're not doing that, and their 1 server is talking to AWS resources, it means it's using superadmin credentials. If that 1 server is compromised, can you see why that would be a bad idea?
To use the house analogy, it's more like a shed vs a mansion. How many doors are there? How many different keys are there for them, and is there a master key? If you have a shed, there's only going to be one key, for the door. Maaaaaybe a key for the safe inside. If it's an exorbitant mansion with three kitchens and two garages, there's a key for the front door, a key for your bedroom, a key for the safe room, a key to the wine cellar, a key to the garage, a key to the IT closet, a key to the office, a key to the... you get the point.
If it's only ever going to be a shed, there's no need for the infrastructure to support that many keys.
Thanks, that makes sense. What does IAM offer that a stand-alone service like Keybase doesn’t? At what scale of project does it make sense to use one over another?
How do you secure AWS credentials on a compromised machine?
Any solution that you build is going to be more complicated and less secure than IAM. In IAM, your workload/server can have an identity. The software running on the server is issued temporary credentials as needed, and only has access to resources linked to the role. How do you do this without identity and access management? Roll your own because IAM is too crazy?
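The contrast drawn in this thread (a long-lived superadmin key on the box versus a role that hands the workload short-lived, narrowly scoped credentials) as an added worked example. This is not code from the thread or from AWS: it is a small, simplified model of IAM policy evaluation (default deny, any matching Allow grants, an explicit Deny always wins) applied to the kind of requests an attacker would try from a compromised server. The role name, bucket names, account ID, access key ID and the attacker's request list are all constructed for illustration.

```python
"""Simplified IAM model: superadmin key vs. a scoped role with temporary credentials.

Added example, not AWS's own engine. Evaluation follows the documented IAM rules
(implicit deny, explicit Allow grants, explicit Deny overrides) but ignores
conditions, permission boundaries, SCPs and resource-based policies.
"""
import fnmatch
import json
from datetime import datetime, timedelta, timezone

# Constructed sample policies (hypothetical names, not from the thread).
SUPERADMIN_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
""")

# Trust policy of the hypothetical role "app-server-role": only EC2 may assume it,
# so the server's identity comes from being that instance, not from a stored secret.
APP_ROLE_TRUST_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Principal": {"Service": "ec2.amazonaws.com"},
                "Action": "sts:AssumeRole"}]}
""")

# Permission policy of the role: read/write one bucket, never delete from it.
APP_ROLE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-app-uploads/*"},
   {"Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::example-app-uploads"},
   {"Effect": "Deny",
    "Action": "s3:DeleteObject",
    "Resource": "*"}]}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names are case-insensitive and accept '*' and '?' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    # ARNs are case-sensitive; '*' and '?' are the only wildcards.
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def is_allowed(policy, action, resource):
    """Explicit Deny wins; otherwise any matching Allow grants; otherwise deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_action_matches(stmt["Action"], action)
                and _resource_matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_assume(trust_policy, service_principal):
    """Which service principals the trust policy lets assume the role."""
    return any(stmt["Effect"] == "Allow"
               and stmt["Principal"].get("Service") == service_principal
               and _action_matches(stmt["Action"], "sts:AssumeRole")
               for stmt in trust_policy["Statement"])


def issue_temporary_credentials(role_name, now, duration_seconds=3600):
    """Model of what STS hands out on AssumeRole: credentials bound to the role
    with a bounded lifetime. Key ID is a constructed placeholder."""
    return {"role": role_name, "access_key_id": "ASIAEXAMPLEKEYID",
            "expiration": now + timedelta(seconds=duration_seconds)}


def credential_is_valid(cred, now):
    return now < cred["expiration"]


# Constructed list of what an attacker on the compromised server would try.
ATTACKER_ATTEMPTS = [
    ("s3:GetObject", "arn:aws:s3:::example-app-uploads/photo.jpg"),
    ("s3:DeleteObject", "arn:aws:s3:::example-app-uploads/photo.jpg"),
    ("s3:GetObject", "arn:aws:s3:::finance-backups/ledger.db"),
    ("iam:CreateUser", "arn:aws:iam::123456789012:user/backdoor"),
    ("ec2:RunInstances", "arn:aws:ec2:us-east-1:123456789012:instance/*"),
]


def compromised_host_outcomes(policy):
    """Map each attacker request to whether the stolen credentials permit it."""
    return {f"{action} {resource}": is_allowed(policy, action, resource)
            for action, resource in ATTACKER_ATTEMPTS}


if __name__ == "__main__":
    for name, policy in (("superadmin key", SUPERADMIN_POLICY), ("app role", APP_ROLE_POLICY)):
        print(name)
        for request, ok in compromised_host_outcomes(policy).items():
            print("  ", "ALLOW" if ok else "deny ", request)
    now = datetime.now(timezone.utc)
    cred = issue_temporary_credentials("app-server-role", now)
    print("role credential still valid two hours later:",
          credential_is_valid(cred, now + timedelta(hours=2)))
```

With the superadmin key every request from the compromised host succeeds, including creating a backdoor IAM user. With the role, only the one read the application genuinely needs goes through; the stolen credentials cannot delete the bucket's objects, read other buckets, touch IAM or launch instances, and they stop working on their own after the session lifetime, which is the practical difference the earlier comment is pointing at.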