In my job, we are in the process of migrating to AWS services. I belong to a data science team that recently received an EC2 instance for use as a development/production server. However, we encountered an issue where our team was provided only one EC2 role, resulting in all team members using the same "identity" and having the same permissions. Currently, we can only interact with AWS services through the CLI using this role, and I believe this to be a poor practice.

I would like to raise a request with the security and cloud operations teams to change the current setup to the following ideal scenario:

In my ideal scenario, each team member would have an individual IAM role, allowing us to have finer control over interactions and granting different permissions based on the functions of each person in our team. Additionally, I suggest granting one user on our team (our server admin) all the permissions currently associated with the EC2 role, such as deleting tables or other potentially dangerous actions. Moreover, this user would have the privilege to create other IAM users with either the same or lower permissions. This would enable us to control the internal workflow efficiently without the unnecessary overhead of raising petitions to the security ops team. Another advantage of this approach is that it would grant us access to the GUI web platform of Amazon services (Amazon Console), which would provide an alternative to using only the CLI for certain interactions with the available services.

With this in mind, I have the following questions:

  • Is the scenario I am proposing viable and doable, or would it be considered a bad idea?
  • If it is viable, how difficult would it be to implement?
  • Is it possible to grant one user the ability to create other users with the same or lower permissions?

Any advice or insights would be greatly appreciated.

Thank you!

Ariel
  • https://stackoverflow.com/questions/60140369/can-a-iam-user-create-another-sub-iam-user-himself – Dave Yu Jul 26 '23 at 07:01
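The delegation the question asks about (one team admin who can create users with the same or lower permissions, without involving the security team for every change) is what IAM permissions boundaries are for. The following added example, not from the question's author, builds the two policy documents that mechanism needs and lints the admin policy for the usual mistake; the account id, policy name and `ds-*` user prefix are constructed placeholders.

```python
# Constructed placeholders: substitute the real account id and policy name.
ACCOUNT = "123456789012"
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/DataScienceBoundary"

def boundary_policy() -> dict:
    """Ceiling for every user the team admin creates: the team's data-science
    services and nothing else. Whatever permissions such a user is granted
    later, the effective permissions are the intersection with this document."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:*", "athena:*", "glue:*", "logs:*"],
            "Resource": "*",
        }],
    }

def delegated_admin_policy() -> dict:
    """Attached to the team admin. User creation and policy attachment are
    allowed only when the request carries the boundary (iam:PermissionsBoundary
    is the real IAM condition key); a Deny stops the admin from removing or
    rewriting the boundary afterwards."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "CreateUsersOnlyWithBoundary",
                "Effect": "Allow",
                "Action": ["iam:CreateUser", "iam:PutUserPermissionsBoundary",
                           "iam:AttachUserPolicy", "iam:PutUserPolicy"],
                "Resource": f"arn:aws:iam::{ACCOUNT}:user/ds-*",
                "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}},
            },
            {
                "Sid": "ProtectTheBoundaryItself",
                "Effect": "Deny",
                "Action": ["iam:DeleteUserPermissionsBoundary", "iam:CreatePolicyVersion",
                           "iam:DeletePolicy", "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"],
                "Resource": [BOUNDARY_ARN, f"arn:aws:iam::{ACCOUNT}:user/*"],
            },
        ],
    }

def every_user_write_is_bounded(policy: dict) -> bool:
    """Lint: reject any Allow on user-creating or policy-attaching actions that
    lacks the boundary condition, since one such statement lets the delegated
    admin mint an unbounded user and escalate past the ceiling."""
    sensitive = {"iam:CreateUser", "iam:AttachUserPolicy",
                 "iam:PutUserPolicy", "iam:PutUserPermissionsBoundary"}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if sensitive & set(actions):
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if cond.get("iam:PermissionsBoundary") != BOUNDARY_ARN:
                return False
    return True
```

The boundary document is created as a managed policy first; the admin then creates teammates with `--permissions-boundary` set to its ARN, and any attempt without it is denied by the condition.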
