AWS Cloud9
User Guide

Advanced Team Setup for AWS Cloud9

To set up to use AWS Cloud9, follow one of these sets of procedures, depending on how you plan to use AWS Cloud9.

Usage pattern: I will always be the only one using my own AWS account, and I don't need to share my AWS Cloud9 development environments with anyone else.
Follow these procedures: Express Setup

Usage pattern: Multiple people will be using a single AWS account to create and share environments within that account.
Follow these procedures: Team Setup

Usage pattern: Multiple people will be using a single AWS account, and I need to restrict creating environments within that account to control costs.
Follow these procedures: This topic

This topic assumes you have already completed the setup steps in Team Setup.

In Team Setup, you created IAM groups and added AWS Cloud9 access permissions directly to those groups, to ensure that users in those groups can access AWS Cloud9. In this topic, you will add more access permissions to restrict the kinds of environments that users in those groups can create. This can help control costs related to AWS Cloud9 in an AWS account.

To add these access permissions, you create your own set of policies in IAM that define the AWS access permissions you want to enforce. (We call each of these a customer-managed policy.) Then you attach those customer-managed policies to the IAM groups that the users belong to. (In some scenarios, you must also detach existing AWS managed policies that are already attached to those IAM groups.) To set this up, follow the procedures in this topic.

Note

The following procedures cover attaching and detaching policies for AWS Cloud9 users groups only. These procedures assume that you already have a separate AWS Cloud9 users group and AWS Cloud9 administrators group, and that you have only a limited number of users in the AWS Cloud9 administrators group. This AWS security best practice can help you better control, track, and troubleshoot issues with AWS resource access.

Step 1: Create a Customer-Managed Policy

  1. Sign in to the AWS Management Console, if you are not already signed in.

    We recommend you sign in using credentials for an IAM administrator user in your AWS account. If you cannot do this, check with your AWS account administrator.

  2. Open the IAM console. To do this, in the console's navigation bar, choose Services. Then choose IAM.

  3. In the service's navigation pane, choose Policies.

  4. Choose Create policy.

  5. In the JSON tab, paste one of our suggested Customer-Managed Policy Examples.

    Note

    You can also create your own customer-managed policies. For more information, see the IAM JSON Policy Reference in the IAM User Guide and the AWS services' documentation.

  6. Choose Review policy.

  7. On the Review policy page, type a Name and an optional Description for the policy, and then choose Create policy.

Repeat this step for each additional customer-managed policy that you want to create.

Step 2: Add Customer-Managed Policies to a Group

  1. With the IAM console open from the previous procedure, in the service's navigation pane, choose Groups.

  2. Choose the group's name.

  3. On the Permissions tab, for Managed Policies, choose Attach Policy.

  4. In the list of policy names, select the box next to each customer-managed policy you want to attach to the group. (If you don't see a specific policy name in the list, type the policy name in the Filter box to display it.)

  5. Choose Attach Policy.

Customer-Managed Policy Examples for Teams Using AWS Cloud9

Following are some examples of policies you can use to restrict the kinds of environments that users in a group can create in an AWS account.

Prevent Users in a Group from Creating EC2 Environments

The following customer-managed policy, when attached to an AWS Cloud9 users group, prevents those users from creating EC2 environments in an AWS account. This policy assumes you haven't also attached a policy that prevents users in that group from creating SSH environments. Otherwise, those users won't be able to create environments at all.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "cloud9:CreateEnvironmentEC2",
      "Resource": "*"
    }
  ]
}

Note that the preceding customer-managed policy explicitly overrides "Effect": "Allow" for "Action": "cloud9:CreateEnvironmentEC2" on "Resource": "*" in the AWSCloud9User managed policy that is already attached to the AWS Cloud9 users group.

Allow Users in a Group to Create EC2 Environments Only with Specific Amazon EC2 Instance Types

The following customer-managed policy, when attached to an AWS Cloud9 users group, allows those users to create EC2 environments that only use instance types starting with t2 in an AWS account. This policy assumes you haven't also attached a policy that prevents users in that group from creating EC2 environments. Otherwise, those users won't be able to create EC2 environments at all.

You can replace "t2.*" in the following policy with a different instance class (for example, "m3.*"). Or you can restrict it to multiple instance classes or instance types (for example, [ "t2.*", "m3.*" ] or [ "t2.nano", "t2.micro" ]).

For an AWS Cloud9 users group, detach the AWSCloud9User managed policy from the group, and then add the following customer-managed policy in its place. (If you do not detach the AWSCloud9User managed policy, the following customer-managed policy will have no effect.)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloud9:CreateEnvironmentSSH",
        "cloud9:ValidateEnvironmentName",
        "cloud9:GetUserPublicKey",
        "cloud9:UpdateUserSettings",
        "cloud9:GetUserSettings",
        "iam:GetUser",
        "iam:ListUsers",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "cloud9:CreateEnvironmentEC2",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "cloud9:InstanceType": "t2.*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloud9:DescribeEnvironmentMemberships"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Null": {
          "cloud9:UserArn": "true",
          "cloud9:EnvironmentId": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "cloud9.amazonaws.com"
        }
      }
    }
  ]
}

Note that the preceding customer-managed policy also allows those users to create SSH environments. To prevent those users from creating SSH environments altogether, remove "cloud9:CreateEnvironmentSSH", from the preceding customer-managed policy.
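Both policy examples above rest on the same two evaluation rules: an explicit Deny wins over any Allow, and an Allow with a condition does not restrict anything while another attached policy (here AWSCloud9User) still grants the same action unconditionally. The following added example, which is not part of this guide or of AWS's tooling, is a deliberately reduced model of that evaluation; it assumes identity-based policies only, Resource "*", and only the StringLike operator that the instance-type restriction uses.

```python
import fnmatch

# Added example, not from the AWS Cloud9 guide: a reduced model of IAM evaluation
# (explicit Deny > explicit Allow > implicit deny). Assumptions: identity-based
# policies only, Resource is always "*", only the StringLike operator is modelled.

def _match(patterns, value):
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(condition, context):
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            if operator == "StringLike":
                if key not in context or not _match(expected, context[key]):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True

def evaluate(policies, action, context=None):
    """'Allow' or 'Deny' for one action, given every policy attached to the group."""
    context, allowed = context or {}, False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _match(stmt["Action"], action) and _condition_holds(stmt.get("Condition"), context):
                if stmt["Effect"] == "Deny":
                    return "Deny"  # any matching explicit Deny wins outright
                allowed = True
    return "Allow" if allowed else "Deny"  # implicit deny when nothing allows

# Only the AWSCloud9User statement the page discusses (an unconditional Allow for
# cloud9:CreateEnvironmentEC2 on "*"); the real managed policy grants more.
AWS_CLOUD9_USER = {"Statement": [{"Effect": "Allow",
    "Action": "cloud9:CreateEnvironmentEC2", "Resource": "*"}]}
DENY_EC2 = {"Statement": [{"Effect": "Deny",
    "Action": "cloud9:CreateEnvironmentEC2", "Resource": "*"}]}
T2_ONLY = {"Statement": [{"Effect": "Allow",
    "Action": "cloud9:CreateEnvironmentEC2", "Resource": "*",
    "Condition": {"StringLike": {"cloud9:InstanceType": "t2.*"}}}]}

def check_team_setups():
    act, ctx = "cloud9:CreateEnvironmentEC2", lambda t: {"cloud9:InstanceType": t}
    return {
        "deny_overrides_managed_allow": evaluate([AWS_CLOUD9_USER, DENY_EC2], act, ctx("t2.micro")),
        "t2_only_with_managed_still_attached": evaluate([AWS_CLOUD9_USER, T2_ONLY], act, ctx("m5.large")),
        "t2_only_after_detach_m5": evaluate([T2_ONLY], act, ctx("m5.large")),
        "t2_only_after_detach_t2": evaluate([T2_ONLY], act, ctx("t2.micro")),
    }
```

The second result is the case the page warns about: with AWSCloud9User still attached, an m5.large environment is allowed despite the t2-only policy, and only detaching the managed policy makes the restriction bite. The same policy documents and a cloud9:InstanceType context entry can be fed to `aws iam simulate-custom-policy` to confirm this against the real evaluator.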

For additional examples, see the Customer-Managed Policy Examples in Authentication and Access Control.