Creating proper IAM policies to empower users to do their work securely

As mentioned, we created our administrator group, but we would like to restrict membership of that group. Other users should belong to groups with more restrictive permissions. For this, we will take the opposite approach: start from groups with minimal permissions and add permissions to those groups only as needed, so that users are granted just enough to get their job done.

The first thing users need to do is be able to manage their own accounts. We want our users to be able to self-manage certain aspects of their accounts such as passwords, access keys, and MFA devices.

We will first focus on granting sufficient permissions for that.
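As an added example (not from the book), here is an IAM policy document that grants exactly the self-management permissions just described: changing one's own password, managing one's own access keys, and enrolling or resyncing one's own MFA device. The `${aws:username}` policy variable scopes every statement to the calling user; `<ACCOUNT_ID>` is a placeholder for your account number.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowViewAccountPasswordPolicy",
      "Effect": "Allow",
      "Action": [
        "iam:GetAccountPasswordPolicy",
        "iam:ListVirtualMFADevices"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowManageOwnPasswordAndAccessKeys",
      "Effect": "Allow",
      "Action": [
        "iam:ChangePassword",
        "iam:GetUser",
        "iam:CreateAccessKey",
        "iam:DeleteAccessKey",
        "iam:ListAccessKeys",
        "iam:UpdateAccessKey"
      ],
      "Resource": "arn:aws:iam::<ACCOUNT_ID>:user/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnMFADevice",
      "Effect": "Allow",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:DeleteVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:DeactivateMFADevice",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::<ACCOUNT_ID>:user/${aws:username}",
        "arn:aws:iam::<ACCOUNT_ID>:mfa/${aws:username}"
      ]
    }
  ]
}
```

Attached to a group as a single managed policy, this covers every member without per-user statements, because the resource ARNs resolve to the caller's own user and MFA device at evaluation time.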

When using access keys for service-to-service communication, the general consensus is that you must manage them carefully and should not share keys that carry more permissions than needed. In addition, it is important to rotate them frequently to reduce the window in which a compromised key could be used against you. Both CloudTrail and Scout2 monitor the age of your keys and warn you about keys that haven't been rotated for over 90 days. CloudTrail also monitors popular code repositories such as GitHub to detect whether one of your keys has been exposed publicly and then used in an irregular way, for example against EC2.