3

I use Amazon EC2 to host some web sites and databases.

I have a new developer joining me tomorrow. If I create an IAM User, and attach the "AmazonEC2FullAccess - arn:aws:iam::aws:policy/AmazonEC2FullAccess- Provides full access to Amazon EC2 via the AWS Management Console.) policy to him,

will he be able to access secrets stored inside the linux ec2 instances created in the past. Basically, does this policy somehow allow access to pre-created linux instances.

EDIT: what if he/ she attempts a disk recovery procedure? for example, mount the disk of a vm in a new ec2 instance

american-ninja-warrior
  • 7,397
  • 11
  • 46
  • 80

2 Answers2

6

When you give AmazonEC2FullAccess access to the user he will be able to see all the EC2 instances in the AWS account. Even if you don't provide him the key to pre-created EC2 instances he will be able to take AMI of the pre created EC2 instance and launch it with a new key and get access to that instance.

He can also do disk recovery procedure as in you mentioned in your use case. So you have some of the below options.

  1. Do not provide AmazonEC2FullAccess ask him what specification he needs for the server and launch the EC2 as per the specification and provide him ssh jailed user access to that EC2 instance.

  2. Set up cloud trail so that you can monitor the resources created by that user for any suspicious activity https://aws.amazon.com/cloudtrail/

  3. Third option is as you mentioned he is developer just provide him deployment and git access to the application running on the EC2 instance.

Piyush Patil
  • 14,512
  • 6
  • 35
  • 54
0

The IAM role only gives someone access to the AWS EC2 API, where you can do things like create new instances, shutdown existing instances, etc. This does not give someone access to login to any EC2 servers. For that you would need to give someone the SSH key (for Linux) or password (for Windows) that was setup when the server was created.

Mark B
  • 183,023
  • 24
  • 297
  • 295