
I know it might sound like a basic question but I haven't figured out what to do.

We're working on having a testing environment for screening candidates for Cloud Engineer and BigData interviews.

We are looking into creating on-demand AWS environments, probably using the CloudFormation service, and testing whether the user is able to perform specific tasks in the environment, like creating S3 buckets, assigning roles, creating security groups etc., using boto3.

But once the screening is finished, we want to automatically tear down the entire setup that has been created earlier.

There could be multiple candidates taking the test at the same time. We want to create the environments (which might contain EC2 instances, S3 buckets etc. which are not visible to other users) and tear them down once the tests are finished.

We thought of creating IAM users for every candidate dynamically using an IAM role, creating a stack automatically and deleting those users once the test is finished.

However, I think the users will be able to see the resources created by other users, which is not what we are expecting.

Is there any other better approach that we can use for creating these environments or labs and deleting them for users? Something like ITversity and Qwiklabs.

The logged in user should have access to and view the resources created only for him.

Please suggest.

Query1: Let's say I have created 10 IAM roles and one user using each of those roles. Will the user created from IAM role 1 be able to see the VPCs or EC2 instances or S3 or any other resources created by another user which is created by IAM role 2?

Will the resources be completely isolated from one IAM role to another?

Or would a service like AWS Organizations be more helpful in this case?

Underoos

3 Answers


I would recommend looking at Scenario 3 in the following AWS document:

Setting Up Multiuser Environments in the AWS Cloud (for Classroom Training and Research)

It references a "students" environment; however, it should suit interview-candidate testing needs.

The “Separate AWS Account for Each User” scenario with optional consolidated billing provides an excellent environment for users who need a completely separate account environment, such as researchers or graduate students. It is similar to the “Limited User Access to AWS Management Console” scenario, except that each IAM user is created in a separate AWS account, eliminating the risk of users affecting each other’s services. As an example, consider a research lab with 10 graduate students. The administrator creates one paying AWS account, 10 linked student AWS accounts, and 1 restricted IAM user per linked account. The administrator provisions separate AWS accounts for each user and links the accounts to the paying AWS account. Within each account, the administrator creates an IAM user and applies access control policies. Users receive access to an IAM user within their AWS account. They can log into the AWS Management Console to launch and access different AWS services, subject to the access control policy applied to their account. Students don’t see resources provisioned by other students. One key advantage of this scenario is the ability for a student to continue using the account after the completion of the course. For example, if students use AWS resources as part of a startup course, they can continue to use what they have built on AWS after the semester is over.

https://d1.awsstatic.com/whitepapers/aws-setting-up-multiuser-environments-education.pdf

Paul Dawson
  • The `pdf` source looks helpful. But by looking at the creation date of that document, it looks like it is outdated (`October 2013`). Does it still work, or is there any new version that I can look at? – Underoos Dec 25 '19 at 14:25

The Qwiklabs environment works as follows:

  • A pool of AWS accounts is maintained
  • When a student starts a lab, one of these accounts is allocated to the lab/student
  • A CloudFormation template is launched to provision initial resources
  • A student login (either via IAM User or Federated Login) is provisioned and is assigned a limited set of permissions
  • At the conclusion of the lab, the student login is removed, a "reaper" deletes resources in the account and the CloudFormation stack is deleted

The "reaper" is a series of scripts that recursively go through each service in each region and delete resources that were created during the lab. A similar capability can be obtained with rebuy-de/aws-nuke: Nuke a whole AWS account and delete all its resources.

You could attempt to create such an environment yourself.

John Rotenstein
  • Updated question with new query. Please suggest. – Underoos Dec 25 '19 at 06:16
  • Users in the same account will see any resources in the account for which they have permission. If you give them EC2 permissions, then they will see _all_ EC2 instances. Resources are owned by the _Account_, not the User that created them. You could separate students by region and only give them permissions for "their" particular region, which would avoid potential clashes. Then, you'd have to use the reaper on one region at a time. – John Rotenstein Dec 25 '19 at 09:37
  • I guess AWS Organizations would be much better to use and manage, like assigning an organisation to a user for a session and reaping the resources after the session ends. What do you suggest? – Underoos Dec 25 '19 at 09:39
  • You would want to temporarily assign an _Account_ to them. That way, all the resources they can create/impact are isolated from anything else. I'm not sure how that would map to AWS Organizations. – John Rotenstein Dec 25 '19 at 09:42
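Putting the two answers above together (one dedicated AWS account per candidate, a CloudFormation stack launched into it at the start of the session and deleted at the end), here is an added example in boto3 style; it is not code from the thread, from Qwiklabs or from the whitepaper. It assumes the orchestrator already holds credentials for the candidate's account (for example via STS AssumeRole into a pooled member account) and receives the CloudFormation client as a parameter; the stack and user names, the `/lab/` role path and the region are constructed values.

```python
import json

STACK_PREFIX = "candidate-lab-"  # constructed naming convention, not from the thread


def lab_template(candidate_id: str, region: str) -> dict:
    """CloudFormation template for one candidate: an IAM user whose EC2/S3
    rights are limited to the lab region, plus narrowly scoped IAM rights so
    the "assign roles" task is possible without handing out admin.
    Isolation from other candidates comes from the account boundary, not
    from this policy: users in one account see everything they may list."""
    policy = {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*",
             "Condition": {"StringEquals": {"aws:RequestedRegion": region}}},
            # IAM is a global service, so scope it by role path instead of region.
            {"Effect": "Allow",
             "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PassRole"],
             "Resource": "arn:aws:iam::*:role/lab/*"},
        ],
    }
    user = {"Type": "AWS::IAM::User",
            "Properties": {"UserName": f"candidate-{candidate_id}",
                           "Policies": [{"PolicyName": "LabScope",
                                         "PolicyDocument": policy}]}}
    return {"AWSTemplateFormatVersion": "2010-09-09",
            "Resources": {"CandidateUser": user}}


def start_lab(cfn, candidate_id: str, region: str) -> str:
    """Launch the candidate's stack in the dedicated account and wait for it."""
    name = STACK_PREFIX + candidate_id
    cfn.create_stack(StackName=name,
                     TemplateBody=json.dumps(lab_template(candidate_id, region)),
                     Capabilities=["CAPABILITY_NAMED_IAM"])  # fixed UserName needs this
    cfn.get_waiter("stack_create_complete").wait(StackName=name)
    return name


def end_lab(cfn, candidate_id: str) -> str:
    """Tear down. Deleting the stack removes only what the template created;
    resources the candidate made by hand are not in the stack, which is why
    a "reaper" (or aws-nuke) still has to sweep the account afterwards."""
    name = STACK_PREFIX + candidate_id
    cfn.delete_stack(StackName=name)
    cfn.get_waiter("stack_delete_complete").wait(StackName=name)
    return name
```

With a real client (`boto3.client("cloudformation", region_name=region)` built from the candidate account's credentials) `start_lab` returns once the user exists; the stack delete in `end_lab` must be followed by the account sweep described above.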

However, I think the users will be able to see the resources created by other users which is not what we are expecting.

AWS resources are visible to their owners and to those with whom they are shared by the owner.
New IAM users should not see any AWS resources at all.

nickolay.laptev