
I need to set up EC2, RDS, and S3 on AWS for a project. The client wants the account to be in their name and they don't want to share their credentials (understandable). My goal is to give my client instructions on how to grant me access to create the services (EC2, RDS, S3) and then work with them.

I'm reading the documentation for IAM but I'm getting a little lost. While creating a new user, I see the permissions list with 100+ preconfigured roles in there but I don't know what roles I need. I see Network Administrator, and other ones like AmazonEC2FullAccess, and those seem promising. I'm hesitant because I don't want to go back and forth with the client, guessing which roles I need. I want it to be one-and-done.

What are the instructions to grant a user access to create new services and work with them?

Jeff

2 Answers


Here's a quick outline

  1. Have the client go into IAM and select create group, then give it a name.

(Screenshot: Create AWS IAM group)

  2. Give them a list of policies to assign to the group. I suggest the following based on your question:

     • AmazonS3FullAccess
     • AmazonEC2FullAccess
     • AmazonRDSFullAccess

(Screenshot: Create IAM Group)

  3. Have them create a user and assign them to the group.

(Screenshots: Create IAM User; Assign IAM User to Group; Confirm create IAM user)

The customer can change the policies associated with the group at any time, removing access completely or limiting access to specific instances.

The customer should also go into each user and ensure MFA is required to log in - you'll probably have to be there for that part. Just hit the pencil beside "Assigned MFA device". They should also generate access keys for you - though I haven't done it in a while, maybe you're best given access to do that yourself.

(Screenshot: IAM Require MFA)

Tim
  • This is fantastic - above and beyond what I was expecting. I'm going to give you a bounty as long as I remember to come back in 2 days! – Jeff Jan 26 '17 at 19:46
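The steps in the answer above carried out with boto3, as an added example that is not part of the original post. `provision_contractor` and `RecordingIAM` are hypothetical names; the inline deny-without-MFA policy goes beyond the answer's "assign an MFA device" step, because an assigned device alone only gates console sign-in, while the condition below also covers API calls made with long-lived access keys.

```python
import json

# Managed policies named in the answer (real AWS-managed policy ARNs).
MANAGED_POLICY_ARNS = [
    "arn:aws:iam::aws:policy/AmazonS3FullAccess",
    "arn:aws:iam::aws:policy/AmazonEC2FullAccess",
    "arn:aws:iam::aws:policy/AmazonRDSFullAccess",
]


def mfa_required_policy():
    """Inline group policy: deny everything except MFA self-service when no MFA is present.
    BoolIfExists makes the deny apply when the key is absent, i.e. plain access-key calls."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
                "iam:ListMFADevices", "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice", "sts:GetSessionToken",
            ],
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        }],
    }


def provision_contractor(iam, group_name, user_name):
    """Create the group, attach the policies, create the user, add it to the group.
    `iam` is a boto3 IAM client (boto3.client("iam")) or a stand-in with the same methods."""
    iam.create_group(GroupName=group_name)
    for arn in MANAGED_POLICY_ARNS:
        iam.attach_group_policy(GroupName=group_name, PolicyArn=arn)
    iam.put_group_policy(GroupName=group_name, PolicyName="RequireMFA",
                         PolicyDocument=json.dumps(mfa_required_policy()))
    iam.create_user(UserName=user_name)
    iam.add_user_to_group(GroupName=group_name, UserName=user_name)
    return {"group": group_name, "user": user_name,
            "managed_policies": list(MANAGED_POLICY_ARNS), "inline_policies": ["RequireMFA"]}


class RecordingIAM:
    """Constructed stand-in for the boto3 client: records each call instead of hitting AWS."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return call


if __name__ == "__main__":
    fake = RecordingIAM()
    print(provision_contractor(fake, "contractor-dev", "jeff"))
    for name, kwargs in fake.calls:
        print(name, kwargs)
```

Swap `RecordingIAM()` for `boto3.client("iam")` run under the account owner's credentials to apply it for real; the contractor's access keys are still created separately (`create_access_key`), after MFA is set up.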

The federated user concept can be used in this scenario. The account owner has to authenticate you using something like OpenID and give your federated user the necessary rights so that you can have access to his resources.

No credentials will be shared; your account will gain temporary security tokens in the background.

Or an easier way would be using IAM: the account owner will create a group and attach policies (to limit access to EC2, RDS and S3) to that group. Then he will create an IAM user for you and add this user to the group.

You will be able to log in and have limited access, which is defined in the policy.

lauc.exon.nod