
Amazon EC2 API Access Control

We are trying to do some development within our EC2 cloud that requires the use of certain API calls (Create/Delete Volume, Start/Stop Instance, etc.). After reading Amazon's documentation, I find that while I can share instance-level access with a different AWS account, I have no granular access control with my users created in IAM; if I give them a Destroy right, it applies globally.

My question is, how have others dealt with this issue? I'm averse to giving a global destroy right in our production environment to any software that is under development, and doubly so because these are contract developers. At the same time, I'm also wary of even the production program having those rights globally because it seems to be bad practice and inherently insecure code.

Is there any sort of workaround that people have found?

Just to clarify: you're trying to control which instances a user can start/stop and which volumes a user can create and delete using IAM profiles?

If that is in fact what you're asking, then the answer is simple. You cannot make any rules for instances or volumes; all of the EC2 commands are global. Depending on how many accounts you want, you could create a new account for each of the clients and link them all using Consolidated Billing.

If you wanted to control which users had access to which instances/volumes, you would need to develop some sort of proxy service that they would use instead of the Amazon services. Though that doesn't necessarily guarantee that it will be more secure.
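As an added illustration of the proxy approach in the answer above (example code written for this page, not from the original answer or from AWS): a minimal policy-enforcing proxy in Python. Callers never hold AWS credentials; they ask the proxy for an (action, target) pair, the proxy checks a per-principal allow-list with deny-by-default, rejects targets whose format does not fit the action, writes an audit record for every decision, and only then forwards to a backend. The principal names, instance and volume identifiers, grants and the fake backend are all constructed for the example; in a real deployment the backend would wrap a boto3 EC2 client that holds the only credentials.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


class PermissionDenied(Exception):
    """Raised when a principal asks for an (action, target) it was not granted."""


# Shape each supported action's target must have. Instance/volume ids follow the
# documented EC2 formats; CreateVolume is scoped by Availability Zone name instead,
# because the volume does not exist yet. Any action not listed here is denied.
ACTION_TARGET_PATTERN: Dict[str, "re.Pattern[str]"] = {
    "StartInstances": re.compile(r"^i-[0-9a-f]{8,17}$"),
    "StopInstances": re.compile(r"^i-[0-9a-f]{8,17}$"),
    "DeleteVolume": re.compile(r"^vol-[0-9a-f]{8,17}$"),
    "CreateVolume": re.compile(r"^[a-z]{2}-[a-z]+-\d[a-z]$"),  # e.g. us-east-1a
}


@dataclass(frozen=True)
class Grant:
    action: str
    target: str  # exact id / AZ, or a prefix ending in "*"

    def covers(self, action: str, target: str) -> bool:
        if action != self.action:
            return False
        if self.target.endswith("*"):
            return target.startswith(self.target[:-1])
        return target == self.target


@dataclass
class Ec2Proxy:
    # backend(action, target) performs the real call. Assumption for this example:
    # in production it wraps a boto3 EC2 client; here it is a fake so the code runs offline.
    backend: Callable[[str, str], dict]
    grants: Dict[str, List[Grant]] = field(default_factory=dict)
    audit: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def grant(self, principal: str, action: str, target: str) -> None:
        if action not in ACTION_TARGET_PATTERN:
            raise ValueError(f"unknown action {action!r}")
        self.grants.setdefault(principal, []).append(Grant(action, target))

    def is_allowed(self, principal: str, action: str, target: str) -> bool:
        pattern = ACTION_TARGET_PATTERN.get(action)
        # Unknown action, or a target whose shape does not fit the action
        # (e.g. a volume id handed to StopInstances), is refused before any grant lookup.
        if pattern is None or not pattern.match(target):
            return False
        return any(g.covers(action, target) for g in self.grants.get(principal, ()))

    def call(self, principal: str, action: str, target: str) -> dict:
        decision = "ALLOW" if self.is_allowed(principal, action, target) else "DENY"
        self.audit.append((principal, action, target, decision))  # log every decision
        if decision == "DENY":
            raise PermissionDenied(f"{principal} may not {action} on {target}")
        return self.backend(action, target)


def fake_backend(action: str, target: str) -> dict:
    """Stand-in for the real EC2 client; records what would have been sent."""
    return {"action": action, "target": target, "status": "ok"}


def build_demo_proxy() -> Ec2Proxy:
    """Constructed sample grants: a contractor and a production service (hypothetical)."""
    proxy = Ec2Proxy(backend=fake_backend)
    # Contractor: may start/stop exactly one development instance, nothing else.
    proxy.grant("contractor-bob", "StartInstances", "i-0a1b2c3d4e5f60001")
    proxy.grant("contractor-bob", "StopInstances", "i-0a1b2c3d4e5f60001")
    # Production service: may create volumes only in us-east-1 AZs and delete one named volume.
    proxy.grant("prod-service", "CreateVolume", "us-east-1*")
    proxy.grant("prod-service", "DeleteVolume", "vol-0123456789abcdef0")
    return proxy


if __name__ == "__main__":
    p = build_demo_proxy()
    print(p.call("contractor-bob", "StopInstances", "i-0a1b2c3d4e5f60001"))
    try:
        p.call("contractor-bob", "DeleteVolume", "vol-0123456789abcdef0")
    except PermissionDenied as exc:
        print("denied:", exc)
    for entry in p.audit:
        print(entry)
```

The proxy makes the answer's caveat concrete: it narrows what a caller can do only if the proxy is the sole holder of the AWS credentials and the grant table is maintained outside the contractors' reach; otherwise it adds a new trusted component without removing the global right.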
