Ben Joyce

I’m Ben Joyce, IAM Cloud Leader at Vanguard Group, with about 20 years' experience in platform engineering, operations and cloud security. My focus is building secure, scalable cloud environments that enable innovation while ensuring compliance in highly regulated industries. I work with engineering teams to design IAM strategies that balance security and usability. I’m passionate about solving real-world IT and FinTech challenges — from securing multi-cloud setups to streamlining security processes. Cloud security should enable the business, not block it, and I love building solutions that make security seamless for developers.


Session

06-30
15:10
20min
Data Perimeter Implementation Strategies: It is one thing to know how to configure SCPs/RCPs, and another for your organization to implement them
Agnel Amodia, Ben Joyce

AWS IAM is getting more and more complex—permissions policies, permission boundaries, session policies, resource-based policies, service control policies, and now the latest buzz: Resource Control Policies (RCPs). Defining security boundaries on paper? That’s the easy part. But rolling them out across hundreds of AWS accounts running critical financial applications—that’s where things get tricky.

At Vanguard, we found a way to keep security tight without slowing things down. Instead of being the impeding team, we focused on making cloud security an enabler, not a blocker. In this talk, we’ll share how we built and deployed SCPs and Resource Control Policies (RCPs) to set security boundaries at scale—without causing downtime for business applications.

While implementing data perimeter controls with a layered strategy, we ran into some real-world challenges: dynamic VPC IDs and corporate CIDR ranges made it tough to keep SCPs up to date; Resource Control Policies do not support a global condition key for the S3 bucket service; defense-in-depth CI/CD pipeline controls had to be integrated with the data perimeter controls; and identities and resources had to be protected from being tagged from the AWS console. Finally, verifying the effectiveness of these controls was non-trivial because of inconsistent access-denied patterns.
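To make the "dynamic VPC IDs" problem concrete, here is an added example (not Vanguard's policy and not from the talk) that renders a network-perimeter SCP from an inventory of approved VPC IDs and corporate CIDRs and then evaluates sample request contexts against it with a simplified model of the IAM condition logic; the VPC IDs and CIDRs are constructed sample values, and the evaluator only models this single Deny statement.

```python
"""Render and locally evaluate a network-perimeter SCP.

Added example: the VPC IDs and CIDR ranges below are constructed samples, and
scp_denies() is a simplified model of IAM condition evaluation for one Deny
statement (it ignores identity-based Allow statements and other policies)."""
import ipaddress
import json

CORPORATE_CIDRS = ["203.0.113.0/24"]      # constructed sample corporate range
ALLOWED_VPCS = ["vpc-0a1b2c3d4e5f60001"]  # constructed sample approved VPC


def render_network_perimeter_scp(cidrs, vpc_ids):
    """Deny requests from outside the corporate CIDRs and outside the approved
    VPCs unless an AWS service made the call on the principal's behalf.
    The VPC list is baked into the document, so every newly created VPC ID
    requires the SCP to be regenerated and redeployed."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "EnforceNetworkPerimeter",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "NotIpAddressIfExists": {"aws:SourceIp": list(cidrs)},
                "StringNotEqualsIfExists": {"aws:SourceVpc": list(vpc_ids)},
                "BoolIfExists": {"aws:ViaAWSService": "false"},
            },
        }],
    }


def scp_denies(policy, ctx):
    """All condition blocks must be true for the Deny to apply; the ...IfExists
    operators evaluate to true when the context key is absent."""
    cond = policy["Statement"][0]["Condition"]
    ip = ctx.get("aws:SourceIp")
    outside_cidrs = ip is None or not any(
        ipaddress.ip_address(ip) in ipaddress.ip_network(c)
        for c in cond["NotIpAddressIfExists"]["aws:SourceIp"])
    vpc = ctx.get("aws:SourceVpc")
    outside_vpcs = vpc is None or vpc not in cond["StringNotEqualsIfExists"]["aws:SourceVpc"]
    via = ctx.get("aws:ViaAWSService")
    not_via_service = via is None or via == "false"
    return outside_cidrs and outside_vpcs and not_via_service


if __name__ == "__main__":
    scp = render_network_perimeter_scp(CORPORATE_CIDRS, ALLOWED_VPCS)
    print(json.dumps(scp, indent=2))
    # A VPC created after the render is denied until the SCP is regenerated.
    print(scp_denies(scp, {"aws:SourceVpc": "vpc-0ffffffffffff0002"}))  # True
```

Pointing the render step at a live inventory (for example the VPC IDs reported by an account's network pipeline) turns the static allow-list into a generated artifact, which is the usual answer to keeping such SCPs current.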

Mapping the frontier: supporting new clouds and technology
Room 1