
Is it possible to separate resources (EC2 instances, S3 buckets, etc) by project, and have separate permissions per project?

This way I can give admin permission for project A to user A, and admin permission for project B to user B, but neither user A nor user B can modify or access the other's project. This is pretty straightforward in Google Cloud Platform and I was wondering if it's the same in AWS.

I'm a freelancer with multiple clients. It would be nice if I could log in using my own email and access all customers' resources, but they can only access their own.

zundi

3 Answers

2

It's possible to have these types of permissions; however, there's no way to "hide" resources belonging to one client from another client.

So while client A can sign in and only interact with their resources, they will still "see" resources from client B.

Also, there is no way for a bill to actually be split. You can see a breakdown of the bill using resource tagging, but there will only be one bill. You will be responsible for paying that bill, and recouping the appropriate costs from your clients.

On the other hand, you can utilize multiple AWS accounts. For example, one for each of your clients.

This has many benefits:

  • The resources are virtually separated
  • Client A cannot see Client B's resources
  • Less funky policy writing
  • The bills can be paid by each of your clients directly

With each AWS account, you can create yourself your own "admin" user so you can manage the account.

Update:

If you are willing to pay the bill, and collect from your clients, then you can make use of AWS "Organizations". All the separated AWS accounts can be collected under an umbrella AWS account.

Matt Houser
1

Yes, it's easy to do in AWS. It can get a little complex as you sometimes have to write policies, but there are plenty of examples and tutorials around.

Look at the documentation for AWS Identity and Access Management (IAM). This allows you to give specific users access to specific resources at a very fine grained level. You use groups and policies to define who has access to what resources.

IAM Roles allow you, when logged into your account, to access resources in other accounts. Basically, an account sets up a trust relationship with your account, and you can assume a role to manage that account. It's slightly fiddly but it works fine.

I can't put all the information required in this answer; it's just too long. AWS documentation is excellent, with plenty of tutorials.

As an aside, if you're managing multiple customers' AWS accounts I suggest you use something like Linux Academy or Cloud Guru to study for at least the AWS Solution Architect Associate exam. All this is covered, and the professional goes even further. The qualification is good, but having the knowledge is key.

Updated Question re Billing

If you want the customer to pay the invoice directly you have to put each customer on their own account. This would typically mean creating an AMI, creating a new instance in the new account, then changing DNS and such.

If you bill the customer on their behalf, you could use cost allocation tags to work out the billing for each customer.

Tim
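The trust relationship and role assumption described in this answer, as an added example that is not part of the original answer: the two IAM policy documents the pattern needs (the trust policy on the role in the client's account, and the policy in the freelancer's own account that permits assuming it), plus a check that the pair is scoped to exactly one user and one role. Account IDs, the user name and the role name are placeholders.

```python
# Added example, not from the original answer. Account IDs and names are placeholders.
import json

FREELANCER_ACCOUNT = "111111111111"   # placeholder: your own AWS account
CLIENT_ACCOUNT = "222222222222"       # placeholder: one client's AWS account
ROLE_NAME = "FreelancerAdmin"         # placeholder role name in the client account


def trust_policy(trusted_user_arn: str) -> dict:
    """Trust policy attached to the role in the CLIENT account: only the named
    IAM user from the freelancer's account may assume it, and only with MFA."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": trusted_user_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    }


def assume_role_policy(role_arn: str) -> dict:
    """Identity policy in the FREELANCER account: allows assuming exactly one role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}],
    }


def check_pairing(trust: dict, assume: dict, role_arn: str, user_arn: str) -> list:
    """Return a list of problems; an empty list means the two documents are
    consistent and grant no more than the one user -> one role path intended."""
    problems = []
    for stmt in trust["Statement"]:
        principal = stmt["Principal"]
        if isinstance(principal, dict):
            principal = principal.get("AWS")
        if principal != user_arn:          # catches "*" and any other account/user
            problems.append(f"trust policy trusts {principal!r}, expected {user_arn!r}")
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if mfa != "true":
            problems.append("trust policy does not require MFA")
    for stmt in assume["Statement"]:
        if stmt["Resource"] != role_arn:   # catches "*" and wildcard role ARNs
            problems.append(f"assume policy allows {stmt['Resource']!r}, expected {role_arn!r}")
    return problems


if __name__ == "__main__":
    user = f"arn:aws:iam::{FREELANCER_ACCOUNT}:user/freelancer"
    role = f"arn:aws:iam::{CLIENT_ACCOUNT}:role/{ROLE_NAME}"
    print(json.dumps(trust_policy(user), indent=2))
    print(check_pairing(trust_policy(user), assume_role_policy(role), role, user))  # []
```

With these two documents in place, the freelancer switches into the client account via `sts:AssumeRole` (the console's "Switch Role" or `aws sts assume-role`), and the client's own users never need credentials in the freelancer's account.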
0

Multiple accounts, one per client, and a master billing account that also has your IAM account in it, which you switch roles between. And set up an org to manage the IAM users in the other accounts.

https://aws.amazon.com/blogs/aws/new-cross-account-access-in-the-aws-management-console/

https://aws.amazon.com/organizations/

strongjz