Limit Amazon AWS Access of Specific EC2/RDS Instances

0
votes

I have an Amazon EC2 instance and a corresponding RDS instance that I want to keep private. I'd like to keep it so that only myself and the sysadmin can access these instances. I don't want to provide access to other developers.

However, one of my developers is working on a project right now where he needs to create/configure his own EC2/RDS instance. I could have my sysadmin perform this work, but I'd rather have the developer do it for the sake of expediency.

Is there any way to configure a group/role/policy in a way that allows me to keep my current instances private from the new developer, but would allow him to create his own EC2 and RDS instances?

2
amazon-web-servicesamazon-ec2amazon-rds
Your instances will be available on internet or will be used in a VPN? The same question for your developers instances: They will be available on internet or will be connected in a VPN?Gustavo Tavares
The instances are available on the internet, but they are hidden behind a firewall, and only certain IP address can access them. The developer's instances will be available on the internet and will not be hidden by a firewall.kml

2 Answers

1
votes

Your question appears to be mixing several security concepts, such as 'private', 'group/role/policy' and 'firewalls'.

An Amazon EC2 instance has several layers of security:

  • First, there is the ability to login to the EC2 instance. This is managed by you, typically by creating users on the instance (in either Linux or Windows) and associating a password or Public/Private. Only people who have login credentials will be able to access the instance.
  • Second, there is the ability to reach the instance. Security Groups control which ports are open from which IP address range. Therefore, you could configure a security group to only make the instance accessible from your own IP address or your own private network. Your instance might also be in a private subnet that has no Internet connectivity. This again restricts access to the instance.

A person can therefore only login to an instance if they have login credentials, if the security group(s) permit access on the protocol being used (RDP or SSH) and if the instance is reachable by the user from the Internet or private network.

Similarly, an Amazon Relational Database Service (RDS) instance is protected by:

  • Login credentials: A master user login is created when the database is launched, but additional users can be added via normal CREATE USER database commands
  • Security Groups: As with EC2 instances, security groups control what ports are open to a particular range of IP addresses
  • Network security: As with EC2 instances, an RDS instance can be placed in a private subnet, which is not accessible from the Internet.

Please note that none of the above controls involve Identity and Access Management (IAM) users/groups/roles/policies, which are used to grant access to AWS services, such as the ability to launch an Amazon EC2 instance or an Amazon RDS instance.

So, the fact that you have existing Amazon EC2 and Amazon RDS instances has no impact on the security of any other instances that you choose to launch. If a user cannot access your existing services, then launching more services will not change that situation.

If you wish to give another person the ability to launch new EC2/RDS instances, you can do this by applying an appropriate policy on their IAM User entity. However, you might want to be careful about how much permission you give them, because you might also be granting them the ability to delete your existing instances, change the master password, create and restore snapshots (thereby potentially accessing your data) and change network configurations (potentially exposing your instances to the Internet).

When granting IAM permissions to somebody, it is recommend that you grant least privilege, which means you should only give them the permissions they need and nothing more. If you are unsure about how much permission to give them or how to configure these permissions, you would be wise to have your System Administrator create the instances on their behalf. That way, you are fully aware of what has been done and you have not potentially exposed your systems.

0
votes

Ok, the best explanation about how things works is in @John Rotestein response. But here a few practical suggestions (that must be considered as an complement to John's response):

  1. You can create separate subnets and give permissions to your developers to run instances in only one of the the subnets using IAM Policies; But your developers still can reach your instance and you must configure so/db/application restrictions.
  2. If your company DO NOT use a shared gateway to the internet, you can define the Network ACL to limit the access to your exclusive network using your IP address. If you use a shared gateway, you will not be able to use this solution;
  3. In the second case, one way to limit the access is put your instance in a private subnet and create a bastion host in your public subnet to be used only by you (this solution must be configured to your RDS instances too). The bastion host will be reachable by your developers, but you can use a specific Key Pair that only you have access. Just keep in mind that your instances and RDS will not be available to the internet;
  4. But I think that the simple solution would be create different VPC's, one for your team and the other for the development team. In this solution you can restrict access to all VPC resources to your developers in the "main" VPC. Off course this also means no internet connection to your instances.