I have an Amazon Web Services account which will be used to host the backend of an app. The backend uses PHP/MySQL and will most likely use an EC2 instance and RDS. I have my own account which has access to everything. I need to create an account for a developer to put the backend on AWS but I don’t want them to have access to anything except what they need. I know how to create IAM users and Groups but I don’t know which permissions to grant the developer. Under Select Policy Template there is a Power User template, is that good for a developer? Has anyone done this before?
The Power User Access template in AWS Identity and Access Management (IAM) grants permission to do ANYTHING except using IAM. A user with this permission can view, create or remove any resources in your AWS account, but they could not create new users or modify any user permissions.
It is recommended that you only give people the least amount of privilege required to use AWS, so that they do not intentionally or accidentally do something unwanted. However, if you do not have enough knowledge of AWS to know what functionality is required, you will most likely need to trust the developer to configure the system for your needs.
A few tips:
- Only give them access via an IAM User — never give them your root credentials
- If you don’t know what permissions are required, then “Power User” is at least safer than “Administrator” since they cannot edit IAM settings
- When they have completed their work, revoke their access so they cannot create any more AWS resources
- Determine whether you also wish to revoke access to the EC2 instances (you’ll have to do this on the instances themselves)
- You may need to define some roles that will be used with Amazon EC2 — these are defined in IAM, so the developer will not have permission to create the roles himself
- Ask the developer for documentation of what he has deployed
- Turn on Detailed Billing to identify what AWS charges you are receiving and check them against the documentation
- Turn on CloudTrail to activate auditing of your account (it is activated per-region)
Alternatively, you could do all the AWS configuration (launching an EC2 instance, creating the database) and only let the developer login to the EC2 instance itself. That way, they would not need access to your AWS account.
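To make the difference between the "Power User" template and a least-privilege policy concrete, here is an added example (not part of the original question or answer, and not AWS's own code): a deliberately simplified model of how IAM evaluates a policy document. It implements only the core rules (an explicit Deny always wins, a matching Allow grants, everything else is implicitly denied, and wildcards in Action/NotAction/Resource) and ignores conditions, resource policies and permission boundaries. The `POWER_USER_POLICY` is a constructed approximation of the managed PowerUserAccess policy ("anything except IAM"); the real managed policy contains additional statements. The `DEVELOPER_POLICY` is a constructed alternative scoped to EC2 and RDS for the PHP/MySQL backend described above.

```python
"""Simplified IAM policy evaluator (added example, not AWS code).

Compares a Power-User-style policy ("allow everything except iam:*") with a
scoped developer policy that only allows EC2 and RDS. Only the core IAM
decision logic is modelled: explicit Deny beats Allow, default is implicit
Deny, wildcard matching on action and resource names.
"""
from fnmatch import fnmatchcase

# Constructed approximation of the AWS-managed PowerUserAccess policy:
# allow every action except IAM ones. (The real policy has extra statements.)
POWER_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    ],
}

# Constructed least-privilege alternative for the backend developer:
# only EC2 and RDS. S3, billing, IAM, etc. are implicitly denied, and IAM is
# additionally denied explicitly so that no other attached policy can
# re-enable it.
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "rds:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalise to list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Case-insensitive wildcard match (IAM action names are case-insensitive)."""
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)


def _statement_applies(stmt, action, resource):
    """True if this statement covers (action, resource).

    Handles Action vs NotAction and Resource vs NotResource; the "Not" form
    matches everything that is NOT listed.
    """
    if "Action" in stmt:
        action_hit = _matches(_as_list(stmt["Action"]), action)
    else:
        action_hit = not _matches(_as_list(stmt.get("NotAction")), action)
    if "Resource" in stmt:
        resource_hit = _matches(_as_list(stmt["Resource"]), resource)
    else:
        resource_hit = not _matches(_as_list(stmt.get("NotResource")), resource)
    return action_hit and resource_hit


def is_allowed(policies, action, resource="*"):
    """Simplified IAM decision over all policies attached to a principal.

    Any matching Deny wins immediately; otherwise any matching Allow grants;
    otherwise the request is implicitly denied.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def compare(actions):
    """Return (action, allowed_by_power_user, allowed_by_developer) rows."""
    return [
        (a, is_allowed([POWER_USER_POLICY], a), is_allowed([DEVELOPER_POLICY], a))
        for a in actions
    ]


if __name__ == "__main__":
    # Constructed sample of actions the developer might (or should not) attempt.
    sample = ["ec2:RunInstances", "rds:CreateDBInstance", "s3:PutObject",
              "iam:CreateUser", "iam:AttachUserPolicy"]
    for action, power_user, developer in compare(sample):
        print(f"{action:24} power_user={power_user!s:5} developer={developer!s:5}")
```

The output shows why the answer calls Power User "safer than Administrator" but still broad: it grants `s3:PutObject` and every other non-IAM action, while the scoped policy grants only the two services the backend needs. Because the developer policy carries an explicit Deny on `iam:*`, attaching both policies to the same user still denies `iam:CreateUser`; that is the property to rely on when you later add permissions and want to be sure IAM stays out of reach.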