Security best practices for Resource Groups - Amazon Resource Groups
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Security best practices for Resource Groups

The following best practices are general guidelines and don’t represent a complete security solution. Because these best practices might not be appropriate or sufficient for your environment, treat them as helpful considerations rather than prescriptions.

  • Use the principle of least privilege to grant access to groups. Resource Groups supports resource-level permissions. Grant access to specific groups only as required for specific users. Avoid using asterisks in policy statements that assign permissions to all users or all groups. For more information about least privilege, see Grant Least Privilege in the IAM User Guide.

  • Keep private information out of public fields. The name of a group is treated as service metadata. Group names are not encrypted. Do not put sensitive information in group names. Group descriptions are private.

    Do not put private or sensitive information in tag keys or tag values.

  • Use authorization based on tagging whenever appropriate. Resource Groups supports authorization based on tags. You can tag groups, then update policies that are attached to your IAM principals, such as users and roles, to set their level of access based on the tags that are applied to a group. For more information about how to use authorization based on tags, see Controlling access to Amazon resources using resource tags in the IAM User Guide.

    Many Amazon services support authorization based on tags for their resources. Be aware that tag-based authorization might be configured for member resources in a group. If access to a group's resources is restricted by tags, unauthorized users or groups might not be able to perform actions or automations on those resources. For example, if an Amazon EC2 instance in one of your groups is tagged with a tag key of Confidentiality and a tag value of High, and you are not authorized to run commands on resources tagged Confidentiality:High, actions or automations that you perform on the EC2 instance will fail, even if actions are successful for other resources in the resource group. For more information about which services support tag-based authorization for their resources, see Amazon Services That Work with IAM in the IAM User Guide.

    For more information about developing a tagging strategy for your Amazon resources, see Amazon Tagging Strategies.
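The least-privilege and tag-based authorization practices above, shown as policy documents plus a small lint that flags the asterisk pattern the guidance warns against. This is an added example, not code from the Amazon documentation; the account ID, Region and group names are constructed placeholders, while the `resource-groups:` action names, the group ARN format and the `aws:ResourceTag` condition key are standard IAM features that Resource Groups supports.

```python
"""Least-privilege check for Resource Groups IAM policies (added example,
not Amazon documentation). Account ID, Region and group name are
constructed placeholders; action names, the group ARN format and the
aws:ResourceTag condition key are standard IAM features."""

# Weak policy (constructed): every Resource Groups action on every group.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "resource-groups:*", "Resource": "*"}
    ],
}

# Scoped policy (constructed): read one named group; modify groups only
# when the group itself carries the tag Team=payments.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["resource-groups:GetGroup",
                       "resource-groups:ListGroupResources"],
            "Resource": "arn:aws-cn:resource-groups:cn-north-1:111122223333:group/payments-prod",
        },
        {
            "Effect": "Allow",
            "Action": ["resource-groups:UpdateGroup", "resource-groups:Tag"],
            "Resource": "arn:aws-cn:resource-groups:cn-north-1:111122223333:group/*",
            "Condition": {"StringEquals": {"aws:ResourceTag/Team": "payments"}},
        },
    ],
}


def wildcard_findings(policy):
    """List Allow statements that use the asterisks the guidance warns
    against: a wildcard action, or Resource '*' with no Condition."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"Statement {i}: wildcard action {actions}")
        if "*" in resources and "Condition" not in stmt:
            findings.append(f"Statement {i}: Resource '*' without a Condition")
    return findings
```

Run `wildcard_findings` over a policy before attaching it: the broad policy yields two findings, the scoped one yields none because its only `*` is confined to the group path and gated by the resource tag.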