Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Amazon Web Services Developer User Permissions

I have an Amazon Web Services account which will be used to host the backed of an app. The backend uses PHP/MySQL and will most likely use an EC2 instance and RDS. I have my own account which has access to everything. I need to create an account for a developer to put the backend on AWS but I don't want them to have access to anything except what they need. I know how to create IAM users and Groups but I don't know which permissions to grant the developer. Under Select Policy Template there is a Power User template, is that good for a developer? Has anyone done this before?

like image 969
Heinrich Avatar asked Jan 12 '15 22:01

Heinrich


People also ask

How do I give a user AWS permission?

Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/ . Choose Users in the navigation pane, choose the name of the user whose permissions you want to modify, and then choose the Permissions tab. Choose Add permissions, and then choose Copy permissions from existing user.

Which AWS service is used to manage users and users permission?

IAM provides fine-grained access control across all of AWS. With IAM, you can control access to services and resources under specific conditions. Use IAM policies to manage permissions for your workforce and systems to ensure least privilege. IAM is offered at no additional charge.

Which AWS service would you use to grant users permissions?

To allow a user to pass a role to an AWS service, you must grant the PassRole permission to the user's IAM user, role, or group. You cannot use the PassRole permission to pass a cross-account role.

How do I manage user access in AWS?

You manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources. A policy is an object in AWS that, when associated with an identity or resource, defines their permissions.


1 Answers

The Power User Access template in AWS Identity and Access Management (IAM) grants permission to do ANYTHING except using IAM. A user with this permission can view, create or remove any resources in your AWS account, but they could not create new users or modify any user permissions.

It is recommended that you only give people the least amount of privilege required to use AWS, so that they do not intentional nor accidentally do something unwanted. However, if you do not have enough knowledge of AWS to know what functionality is required, you will most likely need to trust the developer to configure the system for your needs.

A few tips:

  • Only give them access via an IAM User -- never give them your root credentials
  • If you don't know what permissions are required, then "Power User" is at least safer than "Administrator" since they cannot edit IAM settings
  • When they have completed their work, revoke their access so they cannot create any more AWS resources
  • Determine whether you also wish to revoke access to the EC2 instances (you'll have to do this on the instances themselves)
  • You may need to define some roles that will be used with Amazon EC2 -- these are defined in IAM, so the developer will not have permission to create the roles himself
  • Ask the developer for documentation of what he has deployed
  • Turn on Detailed Billing to identify what AWS charges you are receiving and check them against the documentation
  • Turn on CloudTrail to activate auditing of your account (it is activated per-region)

Alternatively, you could do all the AWS configuration (launching an EC2 instance, creating the database) and only let the developer login to the EC2 instance itself. That way, they would not need access to your AWS account.

like image 90
John Rotenstein Avatar answered Oct 20 '22 10:10

John Rotenstein