Menu
AWS Cloud9
User Guide

Access Permissions Reference for AWS Cloud9

Access to AWS Cloud9 requires AWS access credentials. Those credentials must have permissions to do things such as create, share, or delete an AWS Cloud9 development environment. The following sections describe how you can use AWS Identity and Access Management (IAM) to allow or deny access to your AWS Cloud9 resources and then map those permissions to credentials.

Overview

This section provides an overview of the IAM authentication and access control model that applies to AWS Cloud9.

Note

If you just want to set up predefined sets of access permissions for common usage scenarios and user types, skip ahead to AWS Managed (Predefined) Policies for AWS Cloud9.

Authentication

You can access AWS as any of the following types of identities:

AWS account root user

When you sign up for AWS, you provide an email address and password that is associated with your AWS account. These are your root credentials, and they provide complete access to all of your AWS resources.

Important

As an AWS security best practice, we recommend that you use the root credentials only to create an IAM administrator group with an IAM administrator user. This is a group that gives the user full permissions to your AWS account. Then you can use this administrator user to create other IAM users and roles with limited permissions. For more information, see Create Individual IAM Users and Creating Your First IAM Admin User and Group in the IAM User Guide.

IAM user

An IAM user is simply an identity within your AWS account that has specific custom permissions (for example, permissions to create an AWS Cloud9 development environment). You can use an IAM user name and password to sign in to secure AWS webpages like the AWS Cloud9 console, AWS Management Console, AWS Discussion Forums, and AWS Support Support Center.

In addition to a user name and password, you can also generate access keys for each user. You can use these keys when you access AWS services programmatically, either through one of the several AWS SDKs or by using the AWS Command Line Interface (AWS CLI). The AWS SDKs and the AWS CLI use these access keys to cryptographically sign your request. If you don't use these tools, you must sign the request yourself. AWS Cloud9 supports Signature Version 4, a protocol for authenticating inbound API requests. For more information about authenticating requests, see Signature Version 4 Signing Process in the Amazon Web Services General Reference.

IAM role

An IAM role is another IAM identity you can create in your account that has specific permissions. It's similar to an IAM user, but it isn't associated with a specific person. An IAM role enables you to obtain temporary access keys that can be used to access AWS services and resources. IAM roles with temporary credentials are useful in the following situations:

AWS service access

You can use an IAM role in your account to grant an AWS service permissions to access your account's resources. For example, you can create a role that allows AWS Lambda to access an Amazon S3 bucket on your behalf, and then load data stored in the bucket into an Amazon Redshift. For more information, see Creating a Role to Delegate Permissions to an AWS Service in the IAM User Guide.

Applications running on Amazon EC2

Instead of storing access keys within an Amazon EC2 instance for use by applications running on the instance and making AWS API requests, you can use an IAM role to manage temporary credentials for these applications. To assign an AWS role to an Amazon EC2 instance and make it available to all of its applications, you can create an instance profile that is attached to the instance. An instance profile contains the role and enables programs running on the Amazon EC2 instance to get temporary credentials. For more information, see Create and Use an Instance Profile to Manage Temporary Credentials and Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances in the IAM User Guide.

Note

Instead of attaching an instance profile to an Amazon EC2 instance that connects to an environment, AWS Cloud9 can automatically set up and manage temporary credentials on your behalf in an EC2 environment. For more information, see AWS Managed Temporary Credentials.

Federated user access

Instead of creating an IAM user, you can use pre-existing user identities from AWS Directory Service, your enterprise user directory, or a web identity provider. These are known as federated users. AWS assigns a role to a federated user when access is requested through an identity provider. For more information, see Federated Users and Roles in the IAM User Guide.

Access Control

You can have valid credentials to authenticate your requests, but unless you have permissions, you cannot create or access AWS Cloud9 resources. For example, you must have permissions to create, share, or delete an AWS Cloud9 development environment.

Every AWS resource is owned by an AWS account, and permissions to create or access a resource are governed by permissions policies. An account administrator can attach permissions policies to IAM identities (that is, users, groups, and roles).

When you grant permissions, you decide who is getting the permissions, the resources they can access, and the actions that can be performed on those resources.

AWS Cloud9 Resources and Operations

In AWS Cloud9, the primary resource is an AWS Cloud9 development environment. In a policy, you use an Amazon Resource Name (ARN) to identify the resource that the policy applies to. The following table lists environment ARNs. For more information, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the Amazon Web Services General Reference.

Resource type ARN format

Environment

arn:aws:cloud9:REGION_ID:ACCOUNT_ID:environment:ENVIRONMENT_ID

Every environment owned by the specified account in the specified region

arn:aws:cloud9:REGION_ID:ACCOUNT_ID:environment:*

Every environment owned by the specified account in the specified region

arn:aws:cloud9:REGION_ID:ACCOUNT_ID:*

Every AWS Cloud9 resource, regardless of account and region

arn:aws:cloud9:*

For example, you can indicate a specific environment in your statement using its ARN, as follows.

Copy
"Resource": "arn:aws:cloud9:us-east-2:123456789012:environment:70d899206236474f9590d93b7c41dfEX"

To specify all resources, use the wildcard character (*) in the Resource element, as follows.

Copy
"Resource": "*"

To specify multiple resources in a single statement, separate their ARNs with commas, as follows.

Copy
"Resource": [ "arn:aws:cloud9:us-east-2:123456789012:environment:70d899206236474f9590d93b7c41dfEX", "arn:aws:cloud9:us-east-2:123456789012:environment:81e900317347585a0601e04c8d52eaEX" ]

AWS Cloud9 provides a set of operations to work with AWS Cloud9 resources. For a list, see the AWS Cloud9 Permissions Reference.

Understanding Resource Ownership

The AWS account owns the resources that are created in the account, regardless of who created the resources. For example:

  • If you use the root account credentials of your AWS account to create an AWS Cloud9 development environment (which, although possible, is not recommend as an AWS security best practice), your AWS account is the owner of the environment.

  • If you create an IAM user in your AWS account and grant permissions to create an environment to that user, the user can create an environment. However, your AWS account, to which the user belongs, owns the environment.

  • If you create an IAM role in your AWS account with permissions to create an environment, anyone who can assume the role can create an environment. Your AWS account, to which the role belongs, owns the environment.

Managing Access to Resources

A permissions policy describes who has access to which resources.

Note

This section discusses the use of IAM in AWS Cloud9. It doesn't provide detailed information about the IAM service. For complete IAM documentation, see What Is IAM? in the IAM User Guide. For information about IAM policy syntax and descriptions, see the AWS IAM Policy Reference in the IAM User Guide.

Policies attached to an IAM identity are referred to as identity-based policies (or IAM policies). Policies attached to a resource are referred to as resource-based policies. AWS Cloud9 supports both identity-based and resource-based policies.

Each of the following API actions requires only an IAM policy to be attached to the IAM identity who wants to call these API actions.

  • CreateEnvironmentEC2

  • DescribeEnvironments

The following API actions require a resource-based policy. An IAM policy isn't required, but AWS Cloud9 will use an IAM policy if it is attached to the IAM identity who wants to call these API actions. The resource-based policy must be applied to the desired AWS Cloud9 resource.

  • CreateEnvironmentMembership

  • DeleteEnvironment

  • DeleteEnvironmentMembership

  • DescribeEnvironmentMemberships

  • DescribeEnvironmentStatus

  • UpdateEnvironment

  • UpdateEnvironmentMembership

For details on what each of these API actions do, see the AWS Cloud9 API Reference.

You cannot attach a resource-based policy to an AWS Cloud9 resource directly. Instead, AWS Cloud9 attaches the appropriate resource-based policies to AWS Cloud9 resources as you add, modify, update, or delete environment members.

To grant a user permissions to perform actions on AWS Cloud9 resources, you attach a permissions policy to an IAM group that the user belongs to. We recommend you attach an AWS managed (predefined) policy for AWS Cloud9 whenever possible. AWS managed policies are easier and faster to attach. They also contain predefined sets of access permissions for common usage scenarios and user types, such as full administration of an environment, environment users, and users who have only read-only access to an environment. For a list of AWS managed policies for AWS Cloud9, see AWS Managed (Predefined) Policies for AWS Cloud9.

For more detailed usage scenarios and unique user types, you can create and attach your own customer-managed policies. See Advanced Team Setup for AWS Cloud9 and Creating Customer-Managed Policies for AWS Cloud9.

To attach an IAM policy (AWS managed or customer-managed) to an IAM identity, see Attaching Managed Policies in the IAM User Guide.

AWS Managed (Predefined) Policies for AWS Cloud9

AWS addresses many common use cases by providing standalone IAM policies that AWS creates and administers. These AWS managed policies grant necessary permissions for common use cases so you can avoid having to investigate what permissions are needed. For example, you can use AWS managed policies for AWS Cloud9 to quickly and easily allow users to have full administration of an AWS Cloud9 development environment, act as an environment user, or use an environment they are added to. For more information, see AWS Managed Policies in the IAM User Guide.

To attach an AWS managed policy to an IAM identity, see Attaching Managed Policies in the IAM User Guide.

The following AWS managed policies, which you can attach to IAM identities in your account, are specific to AWS Cloud9.

  • AWSCloud9Administrator: Provides the following permissions:

    • Amazon EC2: get information about Amazon VPCs and subnets in their AWS account.

    • AWS Cloud9: all AWS Cloud9 actions in their AWS account.

    • IAM: get information about IAM users in their AWS account, and create the AWS Cloud9 service-linked role in their AWS account as needed.

    The AWSCloud9Administrator managed policy contains the following permissions:

    Copy
    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloud9:*", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "iam:GetUser", "iam:ListUsers" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:CreateServiceLinkedRole" ], "Resource": "*", "Condition": { "StringLike": { "iam:AWSServiceName": "cloud9.amazonaws.com" } } } ] }
  • AWSCloud9User: Provides the following permissions:

    • Amazon EC2: get information about Amazon VPCs and subnets in their AWS account.

    • AWS Cloud9: create and get information about their environments, and get and change user settings for their environments.

    • IAM: get information about IAM users in their AWS account, and create the AWS Cloud9 service-linked role in their AWS account as needed.

    The AWSCloud9User managed policy contains the following permissions:

    Copy
    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloud9:CreateEnvironment*", "cloud9:GetUserPublicKey", "cloud9:GetUserSettings", "cloud9:UpdateUserSettings", "cloud9:ValidateEnvironmentName", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "iam:GetUser", "iam:ListUsers" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "cloud9:DescribeEnvironmentMemberships" ], "Resource": "*", "Condition": { "Null": { "cloud9:UserArn": "true", "cloud9:EnvironmentId": "true" } } }, { "Effect": "Allow", "Action": [ "iam:CreateServiceLinkedRole" ], "Resource": "*", "Condition": { "StringLike": { "iam:AWSServiceName": "cloud9.amazonaws.com" } } } ] }
  • AWSCloud9EnvironmentMember: Provides the following permissions:

    • AWS Cloud9: get information about environments they've been invited to, and get user settings for environments they've been invited to.

    • IAM: get information about IAM users in their AWS account.

    The AWSCloud9EnvironmentMember managed policy contains the following permissions:

    Copy
    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloud9:GetUserSettings", "cloud9:UpdateUserSettings", "iam:GetUser", "iam:ListUsers" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "cloud9:DescribeEnvironmentMemberships" ], "Resource": "*", "Condition": { "Null": { "cloud9:UserArn": "true", "cloud9:EnvironmentId": "true" } } } ] }

Creating Customer-Managed Policies for AWS Cloud9

If none of the AWS managed policies meet your access control requirements, you can create and attach your own customer-managed policies.

To create a customer-managed policy, see Creating Customer Managed Policies in the IAM User Guide.

Specifying Policy Elements: Effects, Principals, Actions, and Resources

For each AWS Cloud9 resource, the service defines a set of API operations. To grant permissions for these API operations, AWS Cloud9 defines a set of actions that you can specify in a policy.

The following are the basic policy elements:

  • Effect: You specify the effect, either allow or deny, when the user requests the action. If you don't explicitly grant access to (allow) a resource, access is implicitly denied. You can also explicitly deny access to a resource. You might do this to ensure a user cannot access a resource, even if a different policy grants access.

  • Principal: In identity-based policies (IAM policies), the user the policy is attached to is the implicit principal. For resource-based policies, you specify the user, account, service, or other entity that you want to receive permissions.

  • Resource: You use an ARN to identify the resource that the policy applies to.

  • Action: You use action keywords to identify resource operations you want to allow or deny. For example, the cloud9:CreateEnvironmentEC2 permission gives the user permissions to perform the CreateEnvironmentEC2 operation.

To learn more about IAM policy syntax and descriptions, see the AWS IAM Policy Reference in the IAM User Guide.

For a table showing all of the AWS Cloud9 API actions and the resources they apply to, see the AWS Cloud9 Permissions Reference.

Customer-Managed Policy Examples

In this section, you can find example policies that grant permissions for AWS Cloud9 actions. You can adapt the following example IAM policies to allow or explicitly deny AWS Cloud9 access for your IAM identities.

To create or attach a customer-managed policy to an IAM identity, see Creating Customer Managed Policies and Attaching Managed Policies in the IAM User Guide.

Note

The following examples use the US East (Ohio) Region (us-east-2), a fictitious AWS account ID (123456789012), and a fictitious AWS Cloud9 development environment ID (81e900317347585a0601e04c8d52eaEX).

Get Information About Environments

The following example IAM policy statement, attached to an IAM entity, allows that entity to get information about any environment in their account.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "cloud9:DescribeEnvironments", "Resource": "*" } ] }

Note that the preceding access permission is already included in the AWS managed policies AWSCloud9Administrator and AWSCloud9User.

Create EC2 Environments

The following example IAM policy statement, attached to an IAM entity, allows that entity to create AWS Cloud9 EC2 development environments in their account.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "cloud9:CreateEnvironmentEC2", "Resource": "*" } ] }

Note that the preceding access permission is already included in the AWS managed policies AWSCloud9Administrator and AWSCloud9User.

Create EC2 Environments with Specific Amazon EC2 Instance Types

The following example IAM policy statement, attached to an IAM entity, allows that entity to create AWS Cloud9 EC2 development environments in their account. However, EC2 environments can use only the specified class of Amazon EC2 instance types.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "cloud9:CreateEnvironmentEC2", "Resource": "*", "Condition": { "StringLike": { "cloud9:InstanceType": "t2.*" } } } ] }

Note that if the AWS managed policy AWSCloud9Administrator or AWSCloud9User is already attached to the IAM entity, those AWS managed policies will override the behavior of the preceding IAM policy statement, as those AWS managed policies are more permissive.

Create EC2 Environments in Specific Amazon VPC Subnets

The following example IAM policy statement, attached to an IAM entity, allows that entity to create AWS Cloud9 EC2 development environments in their account. However, EC2 environments can use only the specified Amazon VPC subnets.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "cloud9:CreateEnvironmentEC2", "Resource": "*", "Condition": { "StringLike": { "cloud9:SubnetId": [ "subnet-12345678", "subnet-23456789" ] } } } ] }

Note that if the AWS managed policy AWSCloud9Administrator or AWSCloud9User is already attached to the IAM entity, those AWS managed policies will override the behavior of the preceding IAM policy statement, as those AWS managed policies are more permissive.

Create an EC2 Environment with a Specific Environment Name

The following example IAM policy statement, attached to an IAM entity, allows that entity to create an AWS Cloud9 EC2 development environment in their account. However, the EC2 environment can use only the specified name.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "cloud9:CreateEnvironmentEC2", "Resource": "*", "Condition": { "StringEquals": { "cloud9:EnvironmentName": "my-demo-environment" } } } ] }

Note that if the AWS managed policy AWSCloud9Administrator or AWSCloud9User is already attached to the IAM entity, those AWS managed policies will override the behavior of the preceding IAM policy statement, as those AWS managed policies are more permissive.

Create SSH Environments Only

The following example IAM policy statement, attached to an IAM entity, allows that entity to create AWS Cloud9 SSH development environments in their account. However, the entity cannot create AWS Cloud9 EC2 development environments.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "cloud9:CreateEnvironmentSSH", "Resource": "*" }, { "Effect": "Deny", "Action": "cloud9:CreateEnvironmentEC2", "Resource": "*" } ] }

Update Environments, or Prevent Updating an Environment

The following example IAM policy statement, attached to an IAM entity, allows that entity to change information about any AWS Cloud9 development environment in their account.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "cloud9:UpdateEnvironment", "Resource": "*" } ] }

Note that the preceding access permission is already included in the AWS managed policy AWSCloud9Administrator.

The following example IAM policy statement, attached to an IAM entity, explicitly prevents that entity from changing information about the environment with the specified ARN.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "cloud9:UpdateEnvironment", "Resource": "arn:aws:cloud9:us-east-2:123456789012:environment:81e900317347585a0601e04c8d52eaEX" } ] }

Get Lists of Environment Members

The following example IAM policy statement, attached to an IAM entity, allows that entity to get a list of members for any environment in their account.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "cloud9:DescribeEnvironmentMemberships", "Resource": "*" } ] }

Note that the preceding access permission is already included in the AWS managed policy AWSCloud9Administrator. Also note that the preceding access permission is more permissive than the equivalent access permission in the AWS managed policy AWSCloud9User.

Share Environments Only with a Specific User

The following example IAM policy statement, attached to an IAM entity, allows that entity to share any environment in their account with only the specified user.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloud9:CreateEnvironmentMembership" ], "Resource": "*", "Condition": { "StringEquals": { "cloud9:UserArn": "arn:aws:iam::123456789012:user/MyDemoUser" } } } ] }

Note that if the AWS managed policy AWSCloud9Administrator or AWSCloud9User is already attached to the IAM entity, those AWS managed policies will override the behavior of the preceding IAM policy statement, as those AWS managed policies are more permissive.

Prevent Sharing Environments

The following example IAM policy statement, attached to an IAM entity, prevents that entity from sharing any environment in their account.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "cloud9:CreateEnvironmentMembership", "cloud9:UpdateEnvironmentMembership" ], "Resource": "*" } ] }

Change, or Prevent Changing, the Settings of Environment Members

The following example IAM policy statement, attached to an IAM entity, allows that entity to change the settings of members in any environment in their account.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "cloud9:UpdateEnvironmentMembership", "Resource": "*" } ] }

Note that the preceding access permission is already included in the AWS managed policy AWSCloud9Administrator.

The following example IAM policy statement, attached to an IAM entity, explicitly prevents that entity from changing the settings of members in the environment with the specified ARN.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "cloud9:UpdateEnvironmentMembership", "Resource": "arn:aws:cloud9:us-east-2:123456789012:environment:81e900317347585a0601e04c8d52eaEX" } ] }

Remove, or Prevent Removing, Environment Members

The following example IAM policy statement, attached to an IAM entity, allows that entity to remove any member from any environment in their account.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "cloud9:DeleteEnvironmentMembership", "Resource": "*" } ] }

Note that the preceding access permission is already included in the AWS managed policy AWSCloud9Administrator.

The following example IAM policy statement, attached to an IAM entity, explicitly prevents that entity from removing any member from the environment with the specified ARN.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "cloud9:DeleteEnvironmentMembership", "Resource": "arn:aws:cloud9:us-east-2:123456789012:environment:81e900317347585a0601e04c8d52eaEX" } ] }

Delete Environments, or Prevent Deleting an Environment

The following example IAM policy statement, attached to an IAM entity, allows that entity to delete any environment in their account.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "cloud9:DeleteEnvironment", "Resource": "*" } ] }

Note that the preceding access permission is already included in the AWS managed policy AWSCloud9Administrator.

The following example IAM policy statement, attached to an IAM entity, explicitly prevents that entity from deleting the environment with the specified ARN.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "cloud9:DeleteEnvironment", "Resource": "arn:aws:cloud9:us-east-2:123456789012:environment:81e900317347585a0601e04c8d52eaEX" } ] }

AWS Cloud9 Permissions Reference

You can use the following table as a reference when you are setting up access control and writing permissions policies that you can attach to an IAM identity (identity-based policies).

You can use AWS-wide condition keys in your AWS Cloud9 policies to express conditions. For a list, see Condition in the IAM User Guide.

You specify the actions in the policy's Action field. To specify an action, use the cloud9: prefix followed by the API operation name (for example, "Action": "cloud9:DescribeEnvironments"). To specify multiple actions in a single statement, separate them with commas (for example, "Action": [ "cloud9:UpdateEnvironment", "cloud9:DeleteEnvironment" ]).

Using Wildcard Characters

You specify an ARN, with or without a wildcard character (*), as the resource value in the policy's Resource field. You can use a wildcard to specify multiple actions or resources. For example, cloud9:* specifies all AWS Cloud9 actions and cloud9:Describe* specifies all AWS Cloud9 actions that begin with Describe.

The following example allows an IAM entity to get information about environments and environment memberships for any environment in their account.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloud9:Describe*" ], "Resource": "*" } ] }

Note that the preceding access permission is already included in the AWS managed policy AWSCloud9Administrator. Also note that the preceding access permission is more permissive than the equivalent access permission in the AWS managed policy AWSCloud9User.

AWS Cloud9 API Operations and Required Permissions for Actions

AWS Cloud9 operation Required permission (API action) Resource

CreateEnvironmentEC2

cloud9:CreateEnvironmentEC2

Required to create an AWS Cloud9 EC2 development environment.

*

CreateEnvironmentMembership

cloud9:CreateEnvironmentMembership

Required to add a member to an environment.

arn:aws:cloud9:REGION_ID:ACCOUNT_ID:environment:ENVIRONMENT_ID

DeleteEnvironment

cloud9:DeleteEnvironment

Required to delete an environment.

arn:aws:cloud9:REGION_ID:ACCOUNT_ID:environment:ENVIRONMENT_ID

DeleteEnvironmentMembership

cloud9:DeleteEnvironmentMembership

Required to remove a member from an environment.

arn:aws:cloud9:REGION_ID:ACCOUNT_ID:environment:ENVIRONMENT_ID

DescribeEnvironmentMemberships

cloud9:DescribeEnvironmentMemberships

Required to get a list of members in an environment.

*

DescribeEnvironments

cloud9:DescribeEnvironments

Required to get information about an environment.

arn:aws:cloud9:REGION_ID:ACCOUNT_ID:environment:ENVIRONMENT_ID

DescribeEnvironmentStatus

cloud9:DescribeEnvironmentStatus

Required to get information about the status of an environment.

arn:aws:cloud9:REGION_ID:ACCOUNT_ID:environment:ENVIRONMENT_ID

UpdateEnvironment

cloud9:UpdateEnvironment

Required to update settings for an environment.

arn:aws:cloud9:REGION_ID:ACCOUNT_ID:environment:ENVIRONMENT_ID

UpdateEnvironmentMembership

cloud9:UpdateEnvironmentMembership

Required to update settings for a member in an environment.

arn:aws:cloud9:REGION_ID:ACCOUNT_ID:environment:ENVIRONMENT_ID

AWS Managed Temporary Credentials

For an AWS Cloud9 EC2 development environment, AWS Cloud9 makes temporary AWS access credentials available to you in the environment. We call these AWS managed temporary credentials. This provides the following benefits:

  • You don't need to store the permanent AWS access credentials of an AWS entity (for example, an IAM user) anywhere in the environment. This prevents those credentials from being accessed by environment members without your knowledge and approval.

  • You don't need to manually set up, manage, or attach an instance profile to the Amazon EC2 instance that connects to the environment. (An instance profile is another approach for managing temporary AWS access credentials.)

  • AWS Cloud9 continually renews its temporary credentials, so a single set of credentials can only be used for a limited time. This is an AWS security best practice. For more information, see Creating and Updating AWS Managed Temporary Credentials.

  • AWS Cloud9 puts additional restrictions on how its temporary credentials can be used to access AWS actions and resources from the environment. This is also an AWS security best practice.

Here's how AWS managed temporary credentials work whenever an EC2 environment tries to access an AWS service on behalf of an AWS entity (for example, an IAM user):

  1. AWS Cloud9 checks to see if the calling AWS entity (for example, the IAM user) has permissions in IAM to take the requested action for the requested resource in AWS. If the permission doesn't exist or is explicitly denied, the request fails.

  2. AWS Cloud9 checks AWS managed temporary credentials to see if its permissions allow the requested action for the requested resource in AWS. If the permission doesn't exist or is explicitly denied, the request fails. For a list of permissions that AWS managed temporary credentials support, see Actions Supported by AWS Managed Temporary Credentials.

  3. If both the AWS entity and AWS managed temporary credentials allow the requested action for the requested resource, the request succeeds.

  4. If either the AWS entity or AWS managed temporary credentials explicitly deny (or fail to explicitly allow) the requested action for the requested resource, the request fails. This means that even if the calling AWS entity has the correct permissions, the request will fail if AWS Cloud9 doesn't also explicitly allow it. Likewise, if AWS Cloud9 allows a specific action to be taken for a specific resource, the request will fail if the AWS entity doesn't also explicitly allow it.

The owner of an EC2 environment can turn on or off AWS managed temporary credentials for that environment at any time, as follows:

  1. With the environment open, in the AWS Cloud9 IDE, on the menu bar choose AWS Cloud9, Preferences.

  2. In the Preferences tab, in the navigation pane, choose AWS Settings, Credentials.

  3. Use AWS managed temporary credentials to turn AWS managed temporary credentials on or off.

If you turn off AWS managed temporary credentials, by default the environment cannot access any AWS services, regardless of the AWS entity who makes the request. If you cannot or do not want to turn on AWS managed temporary credentials for an environment, but you still need the environment to access AWS services, consider the following alternatives:

The preceding alternatives override all permissions that are allowed (or denied) by AWS managed temporary credentials in an EC2 environment.

Actions Supported by AWS Managed Temporary Credentials

For an AWS Cloud9 EC2 development environment, AWS managed temporary credentials allow all AWS actions for all AWS resources in the caller's AWS account, with the following restrictions:

  • For IAM, only the following actions are allowed:

    • iam:AttachRolePolicy

    • iam:ChangePassword

    • iam:CreatePolicy

    • iam:CreatePolicyVersion

    • iam:CreateRole

    • iam:CreateServiceLinkedRole

    • iam:DeletePolicy

    • iam:DeletePolicyVersion

    • iam:DeleteRole

    • iam:DeleteRolePolicy

    • iam:DeleteSSHPublicKey

    • iam:DetachRolePolicy

    • iam:GetInstanceProfile

    • iam:GetPolicy

    • iam:GetPolicyVersion

    • iam:GetRole

    • iam:GetSSHPublicKey

    • iam:GetUser

    • iam:List*

    • iam:PassRole

    • iam:PutRolePolicy

    • iam:SetDefaultPolicyVersion

    • iam:UpdateAssumeRolePolicy

    • iam:UpdateRoleDescription

    • iam:UpdateSSHPublicKey

    • iam:UploadSSHPublicKey

  • All IAM actions that interact with roles are allowed only for role names starting with cloud9-. However, iam:PassRole works with all role names.

  • For AWS Security Token Service (AWS STS), only the following actions are allowed:

    • sts:GetCallerIdentity

    • sts:DecodeAuthorizationMessage

  • All supported AWS actions are restricted to the IP address of the environment. This is an AWS security best practice.

If AWS Cloud9 doesn't support an action or resource that you need an EC2 environment to access, or if AWS managed temporary credentials is turned off for an EC2 environment and you cannot turn it back on, consider the following alternatives:

The preceding alternatives override all permissions that are allowed (or denied) by AWS managed temporary credentials in an EC2 environment.

Creating and Updating AWS Managed Temporary Credentials

For an AWS Cloud9 EC2 development environment, AWS managed temporary credentials are created the first time you open the environment.

AWS managed temporary credentials are updated under any of the following conditions:

  • Whenever a certain period of time passes. Currently, this is every 5 minutes.

  • Whenever you reload the web browser tab that displays the IDE for the environment.

  • When the timestamp that is listed in the ~/.aws/credentials file for the environment is reached.

  • If the AWS managed temporary credentials setting is set to off, whenever you turn it back on. (To view or change this setting, choose AWS Cloud, Preferences in the menu bar of the IDE. In the Preferences tab, in the navigation pane, choose AWS Settings, Credentials.)