There are several "accounts" in an AWS OU in my organization to isolate service utilization, billing, etc. But, these accounts don't necessarily provide any restrictions w.r.t the number of resources a user ( say in an Active Directory environment ) can use.
I am just wondering if there are any provisions in place for AWS to be able to restrict a specific user to not consume more than the allotted 'quota'?
I am a novice in the AWS area, please excuse me if there is any ambiguity in my question.
Not that I can think of.
If you really want to do this (restrict number of resources per user), you can create one account per user and restrict their rights so that they cannot request quota increase. This may not be a practical solution.
AWS does not associate resources with users.
When a user makes a request to create a resource (eg an Amazon EC2 instance), IAM will confirm that they are entitled to create the resource. If so, then the resource is created in the AWS Account associated with that user. There is no connection made between that resource and the user (aside from an entry in CloudTrail that records the creation request).
Related
I have an AWS account. There are multiple users being managed by IaM service.
Each user has access key and is at liberty to perform various actions such as files upload.
Is there any means to monitor cloud costs and usage by user?
I utilize cost explorer AWS service and intend filtering and grouping costs/usages by user. Unfortunately haven't come up with any way to nail it in the most graceful way.
One common way to do this is to use Cost Allocation Tags.
You can define these tags and enforce them, e.g. using AWS Config and/or tag policies.
AWS does not track costs by user.
When an IAM User makes a request to AWS to create resources (eg an EC2 instance or an RDS database), the user's permissions are checked to confirm that they are permitted to make that API call. If they are permitted, then the API call is allowed and the resources are created.
Resources created in an AWS Account are owned by the AWS Account, not an individual user. Thus, there is no relationship between resources and the credentials used to create the resource.
The closest link between users and resources would be the audit trail of API calls kept by AWS CloudTrail. CloudTrail stores information about the API call and the user that made the call, but it does not directly link to the resources that were created. This would take some effort to back-trace resources to users.
Typically, cost management is done by tagging resources. Such tags would identify cost centers or project codes that can be used to charge-back the cost of systems. Enforcing tagging is difficult. Only some services allow tagging to be enforced when services are launched. For others, it would be a matter of identifying resources that do not meet tagging requirements. See: Using AWS Config Rules to Manage Resource Tag Compliance | Sumo Logic
You can monitor every IAM user action through cloud trails logs. So you could imagine a solution based on those logs to calculate the cost of all actions from one IAM user
I allways recomend to have an account per user type or subscription type in your system (free or premium for exmaple). Depending on the user who use your services, you will login that use with this account. Then, using the AWS Cost Categories, you can to see the cost by users type, and then, knowing your number of users for each tipe or subscription you could know your price per user.
I know it might sound like a basic question but I haven't figured out what to do.
We're working on having a testing environment for screening candidates for Cloud Engineer and BigData interviews.
We are looking into creating on demand AWS environments probably using Cloudformation service and test if the user is able to perform specific tasks in the environment like creating s3 buckets, assigning roles, creating security groups etc using boto3.
But once the screening is finished, we want to automatically tear down the entire setup that has been created earlier.
There could be multiple candidates taking the test at same time. We want to create the environments (which might contain ec2 instances, s3 buckets etc which are not visible to other users) and tear down them once the tests are finished.
We thought of creating IAM users for every candidate dynamically using an IAM role and create a stack automatically and delete those users once the test is finished.
However, I think the users will be able to see the resources created by other users which is not what we are expecting.
Is there any other better approach that we can use for creating these environments or labs and deleting them for users? something like ITversity and Qwiklabs.
The logged in user should have access to and view the resources created only for him.
Please suggest.
Query1:
Let's say I have created 10 IAM roles using and one user using each of those roles. Will the user in created from IAM role 1 be able to see the VPCs or EC2 instances or S3 or any other resources created by another user which is created by IAM role 2?
Will the resources be completely isolated from one IAM role to another?
Or does service like AWS Organizations be much helpful in this case?
The Qwiklabs environment works as follows:
A pool of AWS accounts is maintained
When a student starts a lab, one of these accounts is allocated to the lab/student
A CloudFormation template is launched to provision initial resources
A student login (either via IAM User or Federated Login) is provisioned and is assigned a limited set of permissions
At the conclusion of the lab, the student login is removed, a "reaper" deletes resources in the account and the CloudFormation stack is deleted
The "reaper" is a series of scripts that recursively go through each service in each region and deletes resources that were created during the lab. A similar capability can be obtained with rebuy-de/aws-nuke: Nuke a whole AWS account and delete all its resources.
You could attempt to create such an environment yourself.
I would recommend looking at Scenario 3 in the following AWS document:
Setting Up Multiuser Environments in the AWS Cloud
(for Classroom Training and Research)
It references a "students" environment, however it should suite an interview-candidate testing needs.
The “Separate AWS Account for Each User” scenario with optional consolidated billing provides an excellent
environment for users who need a completely separate account environment, such as researchers or graduate students.
It is similar to the “Limited User Access to AWS Management Console” scenario, except that each IAM user is created in
a separate AWS account, eliminating the risk of users affecting each other’s services.
As an example, consider a research lab with 10 graduate students. The administrator creates one paying AWS account,
10 linked student AWS accounts, and 1 restricted IAM user per linked account. The administrator provisions separate
AWS accounts for each user and links the accounts to the paying AWS account. Within each account, the administrator
creates an IAM user and applies access control policies. Users receive access to an IAM user within their AWS account.
They can log into the AWS Management Console to launch and access different AWS services, subject to the access
control policy applied to their account. Students don’t see resources provisioned by other students.
One key advantage of this scenario is the ability for a student to continue using the account after the completion of the
course. For example, if students use AWS resources as part of a startup course, they can continue to use what they have
built on AWS after the semester is over.
https://d1.awsstatic.com/whitepapers/aws-setting-up-multiuser-environments-education.pdf
However, I think the users will be able to see the resources created by other users which is not what we are expecting.
AWS resources are visible to their owners and to those, with whom they are shared by the owner.
New IAM users should not see any AWS resources at all.
I am wanting to share a Lambda Layer with someone and by doing so I will give them it's ARN which will contain my AWS accounts 12 digit ID.
Is there any risk associated with this?
I'm assuming you trust the party you're sharing the Lamda ARN with.
The risk of sharing your account ID is limited to what permissions you have granted for services.
The AWS Account Identifiers documentation states that:
The AWS account ID is a 12-digit number, such as 123456789012, that you use to construct Amazon Resource Names (ARNs). When you refer to resources, such as an IAM user or an Glacier vault, the account ID distinguishes your resources from resources in other AWS accounts.
Someone you've shared the account ID with could manipulate ARN's but without permission to access that resource there is no issue.
Bottom line, if you have tight controls that limit external access to resources (in your case the Lambda layer) you should be fine.
While it is generally not recommended to publish your Account ID (eg in StackOverflow questions), it is not terrible if other people know it.
The security of your AWS services is tied to credentials, not the account ID.
Knowing your account ID simply makes it easier for attacks to attempt to probe your account, especially if they know some of the services you are using. For example, they could look for publicly accessible Amazon SQS queues, knowing that they belong to your account.
If you are intentionally working with other people who wish to tie-in to your account, you can certainly share the ARN.
We have large number of IAM users ( in hundreds, can increase more then 1000 in future ).
All the IAM users have access to create EC2 instances. Simultaneously around 30-40 users will be working and creating EC2 instances.
In AWS Management Console, an IAM user can see all the instances created by other IAM users as well.Is it possible to visibly make him see only those EC2 instances which he created and hide all the other instances created by other IAM users?
I do agree that IAM users can give names and tags to recognise their instances. However i am looking for visibly hiding those resources which he has not created.
If IAM policies allowed specifying a required filter, this would be possible. But you can't specify it, so it's not possible.
What you want is called Organizations - You can give each group their own AWS account, so they can see their own billing, etc.
Reserved Instances can flow from the master account to sub account
Bills flow from the sub accounts to the master account
All your users can remain in the master account, you just give them AssumeRole capabilities to view their account.
You can apply Service Control Policies that prevent sub-accounts from doing things.
You may think management is "easier" with one account - but the opposite is true. Just like you should treat servers as "Cattle not Pets" (i.e. they are disposable), you should think of AWS accounts as disposable. Some organizations give each developer their own AWS account, and only a build server can modify the Staging/Prod accounts via TerraForm or CloudFormation.
What you would typically use for this is resource level permissions. What resources / what you can control varies from API call to API call in AWS. In particular, what you would want is a resource-level permission on the DescribeInstances API call. Unfortunately, AWS does not currently support resource-level permissions on this API Call.
In brief
We need to view AWS cost for resources created by a specific IAM user via aws:createdBy tag.
In full
My google search is not helpful - it gives me one idea to use Consolidated Billing for Organizations to have the view of cost-by-user billing but that requires to create separate AWS users, which again requires credit card.
Another solution I found is that we can view AWS cost by tag grouping via Cost Explorer report though we cannot find the mentioned tag createdBy as stated in that AWS guide?
The ideal solution should let us create as many IAM users as the number of projects may grow i.e. one IAM user per project; and then, give us the report of AWS cost for each of those users.
So, how can we get to it?
Costs are not incurred by IAM Users. The AWS Account owning the resource incurs the charge.
When an IAM User makes a request to AWS, their credentials are verified to ensure that they are the authorized person and their permissions are checked to confirm that they have permission to perform the operation. However, there is no further relationship between the person making the request and the resource that is created.
The closest connection is the audit log created by AWS CloudTrail that can show which user made each request. But this is not related to billing information.
If you wish to track costs, you should associate tags with resources. These tags could be based on department, cost center, person, etc. You can then configure your Detailed Billing Report to provide cost breakdowns by tag.
You could use a more concise solution systematically using your own tags by setting up Lambda, CloudWatch, CloudTrail, and SSM to achieve it.
Here are some references:
Automatically tag new AWS resources based on identity or role
GitHub - resource auto tag