1

I'm hiring a developer to create a project for me. He asked me to create an AWS Lambda account so that he could create the application.

I created a user with access to the full AWS Lambda policy, but that wasn't sufficient; eventually I assigned the user the default SystemAdministrator policy. But he's saying that isn't enough. He wants to be able to create roles, and now he's asking for root access or my AWS owner login.

Does that sound right? Does he need that level of access to develop a project?

2 Answers

4

He is correct that the SystemAdministrator policy lacks the rights to create IAM roles, which are going to be needed for Lambda. You should never give root access or your login credentials to anyone. You could assign his user the AdministratorAccess policy, which allows any action to be taken. Without knowing the full details of exactly what needs to be done it's hard to recommend more restrictive permissions, but the least amount of privilege needed is always recommended.

B. Miller
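A least-privilege alternative to handing out AdministratorAccess, as an added example that is not part of the original answer: an IAM policy for the developer's user that lets him create and wire up Lambda execution roles only under a fixed role path and only with a permissions boundary attached, so the roles he creates can never grant more than the boundary allows, and lets him pass those roles to the Lambda service only. The account ID 123456789012, the role path lambda-dev/ and the boundary policy name LambdaDevBoundary are placeholders to substitute.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateLambdaRolesOnlyUnderPathAndWithBoundary",
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:AttachRolePolicy",
        "iam:PutRolePolicy"
      ],
      "Resource": "arn:aws:iam::123456789012:role/lambda-dev/*",
      "Condition": {
        "StringEquals": {
          "iam:PermissionsBoundary": "arn:aws:iam::123456789012:policy/LambdaDevBoundary"
        }
      }
    },
    {
      "Sid": "InspectAndCleanUpOnlyThoseRoles",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:ListRolePolicies",
        "iam:ListAttachedRolePolicies",
        "iam:DetachRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:DeleteRole"
      ],
      "Resource": "arn:aws:iam::123456789012:role/lambda-dev/*"
    },
    {
      "Sid": "PassThoseRolesToLambdaOnly",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::123456789012:role/lambda-dev/*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "lambda.amazonaws.com"
        }
      }
    }
  ]
}
```

The boundary policy LambdaDevBoundary (for example CloudWatch Logs plus whatever the functions actually call) is written and attached by the account owner, not the developer; combined with the AWSLambda_FullAccess he already has, this covers role creation without exposing the rest of IAM.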
0

This highly depends on what he is supposed to do and in the end is more a question of trust and budget.

You should have several AWS Accounts connected together with AWS Organizations.

So have a production account and a developer account, and cap the monthly budget on the developer account so you don't come to work on a Monday and notice that a developer spawned 1000 big EC2 instances on Friday evening and left the office for the weekend without shutting them down again.

When it comes to trust, I prefer least needed privileges. There should be no need to grant access to the production account at all, since all deployments - even infrastructure deployments - should be reviewed, automated and monitored by the people responsible for running the service (DevOps, Admins, SREs, whatever you call the guys that wake up at night to fix your services). So all development should be done on the developer AWS account and, after being well tested, deployed to production.

mariux