EC2 Access Control Tags
This document is the reference point for tagging access controls on AWS EC2 instances. Please refer to Infra-Tagging-Guidance for the necessary context.
Overview
This document defines what it means to be the owner, admin, or user of an EC2 instance.
This is a work in progress! In what follows, we define each role and the use cases of that role.
Owner
| Key | ac:owner |
| Value | Owner role’s id:team tag |
| Example | ace-infra |
| Duties | Dictate who should have access to which control. |
| Allowed Actions | No action (Notation Only) |
| Use Cases | Refer below |
| Implications | NA |
Use Cases:
- The data engineering team requests an EC2 instance X for manual data cleaning. The request also mentions that they want to administrate the instance. A few days later, someone from team A requests access to X to help them. The infra team should mention the data engineering team and ask whether they want team A to have admin or user access. The issue from team A only proceeds if someone from the data engineering team confirms it.
Admin
| Key | ac:admin |
| Value | list of roles’ id:team tags |
| Example | :ace-infra:ace-data-engineering: |
| Duties | Administrate the instance |
| Allowed Actions | StopInstance/StartInstance/TerminateInstance |
| Use Cases | TBD. |
| Implications | NA |
Session Flow:
- Has access through SSM and the acc-ssm-admin document.
- Signed in via the ace-admin user.
User
| Key | ac:user |
| Value | list of roles’ id:team tags |
| Example | :ace-infra:ace-data-engineering: |
| Duties | Using the instance |
| Allowed Actions | StopInstance/StartInstance |
| Use Cases | TBD. |
| Implications | NA |
Session Flow:
- Has access through SSM and the ace-ssm-user document.
- Signed in as the ace-user user.
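The three role tags above are what an automated check would read back from an instance. The following is an added example (not part of this guidance or the infra team's tooling) that parses the colon-wrapped team lists, flags malformed ac:* tags, and reports which of the allowed actions a given id:team value gets on an instance. It assumes boto3-style tag dictionaries and an assumed id:team format of lowercase letters, digits and hyphens; the sample tags are constructed.

```python
"""Added example, not the guidance's own code: parse, validate and evaluate ac:* tags.
Assumes boto3-style tags and an assumed id:team format [a-z0-9-], e.g. ace-infra."""
import re

# Allowed actions per role, as stated in this document (owner: notation only).
ROLE_ACTIONS = {
    "ac:user": frozenset({"StopInstance", "StartInstance"}),
    "ac:admin": frozenset({"StopInstance", "StartInstance", "TerminateInstance"}),
}
TEAM_RE = re.compile(r"^[a-z0-9][a-z0-9-]*$")

def parse_team_list(value):
    """Parse ':a:b:' into {'a', 'b'}; reject values that are not colon-wrapped."""
    if len(value) < 3 or value[0] != ":" or value[-1] != ":":
        raise ValueError(f"team list must be wrapped in colons: {value!r}")
    teams = value[1:-1].split(":")
    bad = [t for t in teams if not TEAM_RE.match(t)]
    if bad:
        raise ValueError(f"malformed team id(s) {bad} in {value!r}")
    return set(teams)

def validate_tags(tags):
    """Return a list of problems found in an instance's ac:* tags."""
    kv = {t["Key"]: t["Value"] for t in tags}
    problems = []
    if not TEAM_RE.match(kv.get("ac:owner", "")):
        problems.append(f"ac:owner missing or not a single team id: {kv.get('ac:owner')!r}")
    for key in ROLE_ACTIONS:
        if key in kv:
            try:
                parse_team_list(kv[key])
            except ValueError as exc:
                problems.append(str(exc))
    return problems

def allowed_actions(tags, team):
    """Actions `team` may perform on an instance carrying `tags`."""
    kv = {t["Key"]: t["Value"] for t in tags}
    allowed = set()
    for key, actions in ROLE_ACTIONS.items():
        if key in kv and team in parse_team_list(kv[key]):
            allowed |= actions
    return allowed

# Constructed sample: the data engineering instance from the owner use case above.
SAMPLE_TAGS = [
    {"Key": "ac:owner", "Value": "ace-data-engineering"},
    {"Key": "ac:admin", "Value": ":ace-infra:ace-data-engineering:"},
    {"Key": "ac:user", "Value": ":ace-team-a:"},
]
```

A team listed under neither ac:admin nor ac:user gets an empty action set, and an unwrapped list such as "ace-infra" is reported as a problem rather than silently matched.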
Instance Profiles
The instance profiles attached to an instance should also carry the same tags as the ac:owner team.