A few suggestions:

- Start with a password manager (I would suggest https://1password.com). For any service outside the cloud this should be fine.
- Where possible, enable SSO, even for AWS or other cloud services (https://blog.leapp.cloud/how-to-saml-federate-your-aws-accou...). Here is an example of how to do it with GSuite and AWS.
- For all your employees I can advise you Leapp as an open-source project (https://github.com/Noovolari/leapp). It solves the majority of the problems listed here:
  - Responsible for the AWS infrastructure: get the IAM security standard on track (short-lived credentials, MFA, IAM users secured, rotation of credentials and access to the console with a set of secured credentials, and generation of Azure credentials).
  - Temporary tokens are mandatory, so let a project like Leapp locally manage IaC credentials for you.
- Isn't it too strict to manage pipelines only after confirmation? You can create a specific role for managing a specific policy to deploy your pipelines. Here is an article on how to start organizing your AWS account as a startup (https://blog.leapp.cloud/aws-multi-account-strategy-explaine...).
- "People work on their own devices.": that's why Leapp has been created, check it out.
- Optional: "It would be good if developers get credentials to setup small test environments in AWS." How about creating a sandbox account for them?
- "Bonus: How to manage non-technical secrets": even here, Leapp is a desktop app and is vastly used also for accessing EC2 instances, even by non-technical people.

I hope this guide can help you!
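As an added example (not from the comment above and not Leapp's code), an offline check for two of the IAM hygiene items the comment lists, MFA on console users and rotation of long-lived access keys, run over a constructed subset of an AWS IAM credential report; the column names follow the real report, the rows and the 90-day threshold are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in the column layout of an AWS IAM credential report
# (only a subset of the real columns; every row here is invented).
SAMPLE_REPORT = """user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,true,true,false,N/A,false,N/A
alice,true,true,true,2024-05-01T10:00:00+00:00,false,N/A
bob,true,false,true,2023-01-15T09:30:00+00:00,false,N/A
ci-deployer,false,false,true,2024-06-20T08:00:00+00:00,true,2022-11-02T12:00:00+00:00
"""

# Assumed rotation policy: keys older than this are flagged.
MAX_KEY_AGE = timedelta(days=90)


def audit_credential_report(report_csv, now_iso):
    """Return {user: [findings]} for users that violate the hygiene rules:
    a console password without MFA, or an active access key that has not
    been rotated within MAX_KEY_AGE as of the ISO-8601 timestamp now_iso."""
    now = datetime.fromisoformat(now_iso)
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        problems = []
        # Console access is only acceptable with MFA enabled.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            problems.append("console password without MFA")
        # Each user may hold two access keys; check the active ones for age.
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = datetime.fromisoformat(row[f"access_key_{slot}_last_rotated"])
            if now - rotated > MAX_KEY_AGE:
                problems.append(f"access key {slot} older than {MAX_KEY_AGE.days} days")
        if problems:
            findings[row["user"]] = problems
    return findings


if __name__ == "__main__":
    for user, problems in audit_credential_report(SAMPLE_REPORT, "2024-07-01T00:00:00+00:00").items():
        print(f"{user}: {'; '.join(problems)}")
```

Against a real account the same function can be fed the CSV returned by `aws iam get-credential-report` after base64-decoding it.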