i use amazon ec2 host web sites , databases.
i have new developer joining me tomorrow. if create iam user, , attach "amazonec2fullaccess - arn:aws:iam::aws:policy/amazonec2fullaccess- provides full access amazon ec2 via aws management console.) policy him,
will able access secrets stored inside linux ec2 instances created in past. basically, policy somehow allow access pre-created linux instances.
edit: if he/ attempts disk recovery procedure? example, mount disk of vm in new ec2 instance
when give amazonec2fullaccess access user able see ec2 instances in aws account. if don't provide him key pre-created ec2 instances able take ami of pre created ec2 instance , launch new key , access instance.
he can disk recovery procedure in mentioned in use case. have of below options.
do not provide amazonec2fullaccess ask him specification needs server , launch ec2 per specification , provide him ssh jailed user access ec2 instance.
set cloud trail can monitor resources created user suspicious activity https://aws.amazon.com/cloudtrail/
third option mentioned developer provide him deployment , git access application running on ec2 instance.
Comments
Post a Comment