Exerting Fine Grain Control Over Your Cloud Resources

• 399 words

I am thrilled that now both Amazon EC2 and Amazon RDS support resource-level permissions. As customers move increasing amounts of compute and database workloads over to AWS, they have expressed an increased desire for finer grain control over their underlying resources. You can now use these new features to define the permissions your AWS IAM users (and applications) have to perform actions on specific or groups of Amazon EC2 and Amazon RDS resources.

You can apply user-defined tags to your EC2 and RDS resources to help organize resources according to whatever schema is most relevant for a particular organization – be it an application stack, an organization unit, a cost center, or any other schema that might be appropriate. These user-defined tags can already be used to generate detailed chargeback reports that provide a view into the costs associated with these resources. And now these user-defined tags can also be used to create AWS IAM policies to define which users have permissions to use the resources that have certain tags associated with them.

For example, you can mandate that only Senior Database Administrators in your company can modify “production” Amazon RDS DB instances. You do this by first tagging the relevant Amazon RDS DB instance resources as “production” instances, then creating an AWS IAM policy that permits the modify action on these “production” instances, and finally assigning the AWS IAM policy to your group of AWS IAM users who are Senior Database Administrators.

Additionally, you can set policies such as the following:

  • Only certain users can terminate “production” EC2 or RDS instances
  • Only certain EBS volumes can be attached or detached from certain EC2 instances
  • Users can only stop or terminate EC2 instances that are tagged with their username
  • Only certain users can create larger RDS instances (e.g. M2.4Xlarge)
  • Only certain database engines, parameter groups and security groups can be used by users when they create RDS DB instances
  • Only certain users can create RDS instances that are Multi-AZ and PIOPs enabled

Because AWS provides customers with fundamental infrastructure building blocks, there are a wide range of additional policy scenarios that you can support using tools like IAM, tags, and resource-level permission. And our development teams are already hard at work on the next wave of features to extend our support for setting and managing resource-level permissions, so expect even more tools to help control your AWS resources soon.