IAM Roles and Permissions in AWS for data science team



In my job, we are in the process of migrating to AWS services. I belong to a data science team that recently received an EC2 instance for use as a development/production server. However, we encountered an issue where our team was provided only one EC2 role, resulting in all team members using the same "identity" and having the same permissions. Currently, we can only interact with AWS services through the CLI using this role, and I believe this to be a poor practice.

I would like to raise a request with the security and cloud operations teams to change the current setup to the following ideal scenario:

In my ideal scenario, each team member would have an individual IAM role, allowing us to have finer control over interactions and granting different permissions based on the functions of each person in our team. Additionally, I suggest granting one user on our team (our server admin) all the permissions currently associated with the EC2 role, such as deleting tables or other potentially dangerous actions. Moreover, this user would have the privilege to create other IAM users with either the same or lower permissions. This would enable us to control the internal workflow efficiently without the unnecessary overhead of raising petitions to the security ops team. Another advantage of this approach is that it would grant us access to the GUI web platform of Amazon services (Amazon Console), which would provide an alternative to using only the CLI for certain interactions.

With this in mind, I have the following questions:

  • Is the scenario I am proposing viable and doable, or would it be considered a bad idea?
  • If it is viable, how difficult would it be to implement?
  • Is it possible to grant one user the ability to create other users with the same or lower permissions? Any advice or insights would be greatly appreciated.

Thank you!

1 Answer

This is a big topic and one that is difficult to fully address in one answer.

Using lots of roles isn't a good approach. You should not create individual roles. As the name indicates, a role represents a function: think of a role as "Finance User" or "IT User". You would not make a role for each person in IT; that does not scale.

The concept of a role is analogous to a job function.

A role can have one or more permission policies associated with it, and policies can be used in more than one role.

We would discourage the use of IAM Users in favour of temporary credentials. In practice this is sometimes not easy to do. What would make more sense would be to use SSO from the AWS Identity Center, and use an IdP you probably already have in your company (Active Directory etc.) to authenticate to the console and other AWS resources.


answered a year ago
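As an added illustration of the answer's point, not code from the original post or from AWS: one role per job function rather than per person, with policy documents reused across roles and a shared Deny guardrail on the production table that no role can override. Role names, policy contents, the account id and table names are constructed assumptions, and the evaluator implements only default-deny, explicit-Deny-wins and `*` wildcard matching, not full IAM evaluation logic.

```python
"""Added example: job-function roles sharing reusable policies (assumed names/content)."""
from fnmatch import fnmatchcase

# Policy documents shaped like IAM identity policies (constructed samples).
READ_DATA = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket", "dynamodb:GetItem",
                                   "dynamodb:Query", "dynamodb:Scan"], "Resource": "*"}]}
WRITE_DATA = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "dynamodb:PutItem"], "Resource": "*"}]}
TABLE_ADMIN = {"Statement": [
    {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}]}
# Guardrail policy: nobody on the team may delete the production table (assumed ARN).
PROTECT_PROD = {"Statement": [
    {"Effect": "Deny", "Action": "dynamodb:DeleteTable",
     "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/prod-features"}]}

# One role per job function (not per person); the same policies are reused across roles.
ROLES = {
    "DataScientist": [READ_DATA, WRITE_DATA, PROTECT_PROD],
    "DataPlatformAdmin": [READ_DATA, WRITE_DATA, TABLE_ADMIN, PROTECT_PROD],
}

def _as_list(value):
    """IAM allows a single string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def is_allowed(role: str, action: str, resource: str) -> bool:
    """Simplified IAM decision: default deny, any explicit Deny wins, otherwise an Allow is needed."""
    allowed = False
    for policy in ROLES[role]:
        for stmt in policy["Statement"]:
            action_hit = any(fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
            resource_hit = any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return False  # explicit Deny overrides any Allow
            allowed = True
    return allowed

if __name__ == "__main__":
    dev = "arn:aws:dynamodb:us-east-1:123456789012:table/dev-features"
    prod = "arn:aws:dynamodb:us-east-1:123456789012:table/prod-features"
    for role in ROLES:
        print(role, "delete dev:", is_allowed(role, "dynamodb:DeleteTable", dev),
              "| delete prod:", is_allowed(role, "dynamodb:DeleteTable", prod))
```

Adding a team member then means assigning them to a job-function role (for example through Identity Center group mapping), not creating a new role or a new IAM user.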
