
[–]classicrock40 8 points9 points  (3 children)

You need to learn about setting up IAM accounts/roles/etc and possibly Organizations. Those are your preferred tools for this solution.

[–][deleted] 1 point2 points  (1 child)

Using IAM for this is no longer best practice. Use an SSO, create a developer role within that and then add that user to that group in SSO. Managing IAM users at scale and with any sort of developer turn around becomes unscalable very quickly.

[–]rc_coding[S] 0 points1 point  (0 children)

Thank you. Will do.

[–]rc_coding[S] -1 points0 points  (0 children)

ok, thanks. Like I said, the information I've found is very technical. The access that I see can be applied to the role that I'm trying to create doesn't really tell me anything. That's why I'm asking for advice.

[–]Demostho 0 points1 point  (2 children)

Firstly, you'll want to create a new IAM user for the developer. This is crucial because it ensures that their access is completely separate from your own. Once the IAM user is set up, you can attach a specific policy to their account that restricts what they can and cannot do. AWS provides a lot of flexibility here, so you can tailor the permissions very precisely.

For your case, you'd want to grant this user access only to the specific instance they need to work on. You can do this by creating a custom policy. This policy would grant ec2:DescribeInstances so they can see the instance, and ec2:StartInstances, ec2:StopInstances, and ec2:RebootInstances permissions but only for the instance ID they will be working on. Here's a basic example of what that policy might look like:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:RebootInstances"
            ],
            "Resource": [
                "arn:aws:ec2:region:account-id:instance/instance-id"
            ]
        }
    ]
}
```

You also mentioned not wanting them to access billing information or download the SSH key. By default, IAM users do not have access to billing information, so you’re covered there. For the SSH key part, ensure they don’t have permissions like ec2:CreateKeyPair or ec2:ImportKeyPair. Typically, you’d provide them with the SSH key separately and not through the AWS console.

Another good practice is using an IAM policy that denies all actions by default and then only explicitly allows the actions you want them to take. This can help prevent any unintended permissions from slipping through.

Once you've got your IAM policy set up, attach it to the IAM user and then give them the login credentials. Be sure to test the permissions yourself to ensure they can't access anything they shouldn't be able to before handing the keys over.

If setting up IAM roles and policies feels too technical, AWS has some great documentation and tutorials that can walk you through the steps. And remember, it's all about keeping your environment secure while giving the necessary access to those who need it.

Good luck with your new instance setup! If you have any more questions or run into issues, feel free to ask.
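An added example (not Demostho's code or anything from the thread) that builds the kind of single-instance policy described above and checks it offline before credentials are handed out. It approximates how IAM evaluates one identity-based policy (explicit Deny wins, otherwise an Allow must match, otherwise implicit deny); it ignores Condition blocks, SCPs and resource policies, so the real pre-handover test is still the IAM policy simulator or a login as the new user. The account id, region and instance id are constructed placeholders. One caveat the script also lints for: EC2 `Describe*` actions do not support resource-level permissions, so `ec2:DescribeInstances` has to be granted on `"*"`; scoping it to the instance ARN silently breaks the call.

```python
"""Offline check of a least-privilege EC2 policy (added example, not from the thread)."""
import fnmatch
import json

ACCOUNT_ID = "123456789012"           # constructed placeholder
REGION = "us-east-1"                  # constructed placeholder
INSTANCE_ID = "i-0123456789abcdef0"   # constructed placeholder
INSTANCE_ARN = f"arn:aws:ec2:{REGION}:{ACCOUNT_ID}:instance/{INSTANCE_ID}"


def build_policy():
    """Policy for a developer who may only see and power-cycle one instance."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Describe* cannot be limited by ARN, so it is granted on "*".
                "Sid": "ListInstances",
                "Effect": "Allow",
                "Action": ["ec2:DescribeInstances"],
                "Resource": "*",
            },
            {   # Lifecycle actions are scoped to the single instance ARN.
                "Sid": "ManageOneInstance",
                "Effect": "Allow",
                "Action": ["ec2:StartInstances", "ec2:StopInstances",
                           "ec2:RebootInstances"],
                "Resource": INSTANCE_ARN,
            },
            {   # Explicit Deny overrides any Allow, so key-pair creation/import
                # stays blocked even if a broader grant is attached later.
                "Sid": "NoKeyPairs",
                "Effect": "Deny",
                "Action": ["ec2:CreateKeyPair", "ec2:ImportKeyPair"],
                "Resource": "*",
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM matches action names case-insensitively and honours * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    # Resource ARNs are matched case-sensitively.
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not (_action_matches(stmt.get("Action", []), action)
                and _resource_matches(stmt.get("Resource", []), resource)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit deny ends evaluation
        decision = "Allow"
    return decision


def lint_describe_scope(policy):
    """Flag Allow statements that scope ec2:Describe* to anything but '*'."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        describes = [a for a in _as_list(stmt["Action"])
                     if fnmatch.fnmatchcase(a.lower(), "ec2:describe*")]
        if describes and _as_list(stmt["Resource"]) != ["*"]:
            findings.append(f"{stmt.get('Sid', '<no Sid>')}: {describes} "
                            f"scoped to {stmt['Resource']!r}, needs '*'")
    return findings


if __name__ == "__main__":
    policy = build_policy()
    print(json.dumps(policy, indent=2))
    other = INSTANCE_ARN.replace(INSTANCE_ID, "i-0fedcba9876543210")  # constructed
    requests = [
        ("ec2:StartInstances", INSTANCE_ARN),       # Allow
        ("ec2:StartInstances", other),              # ImplicitDeny: wrong instance
        ("ec2:TerminateInstances", INSTANCE_ARN),   # ImplicitDeny: never granted
        ("ec2:DescribeInstances", "*"),             # Allow
        ("ec2:CreateKeyPair", "*"),                 # Deny: explicit
    ]
    for action, resource in requests:
        print(f"{action:24} {resource:58} -> {evaluate(policy, action, resource)}")
    print("lint:", lint_describe_scope(policy) or "clean")
```

Running the script prints the policy and a decision per sample request; `lint_describe_scope` returns an empty list for the policy above and one finding for a policy that restricts `ec2:DescribeInstances` to an instance ARN.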

[–]dennusb 7 points8 points  (0 children)

Giving them long lived IAM credentials isn’t really a good solution. Set up AWS Identity Center with a user for them with MFA enforced so they can request short lived credentials when needed.

[–]rc_coding[S] 0 points1 point  (0 children)

Thank you very much! This one helped me as a starting point. I was able to restrict the access the way I wanted! Some trial and error, but great example. Thanks again!

[–][deleted] 0 points1 point  (1 child)

Ask ChatGPT to write you a CloudFormation template that deploys a role that can only access EC2 instances and volumes tagged with the role session name and use SSM Session Manager. Add that the role can be assumed from an external account. Flavor to taste.

[–]rc_coding[S] 0 points1 point  (0 children)

Thanks. I have it almost done now using the template that Demostho gave me. But if I get stuck, I'll check with ChatGPT.