How AWS Cloud9 works with IAM - AWS Cloud9

How AWS Cloud9 works with IAM

AWS Identity and Access Management is used to manage the permissions that allow you to work with both AWS Cloud9 development environments and other AWS services and resources.

AWS Cloud9 resources and operations

In AWS Cloud9, the primary resource is an AWS Cloud9 development environment. In a policy, you use an Amazon Resource Name (ARN) to identify the resource that the policy applies to. The following table lists environment ARNs. For more information, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the Amazon Web Services General Reference.

Resource type ARN format

Environment

arn:aws:cloud9:REGION_ID:ACCOUNT_ID:environment:ENVIRONMENT_ID

Every environment owned by the specified account in the specified AWS Region

arn:aws:cloud9:REGION_ID:ACCOUNT_ID:environment:*

Every environment owned by the specified account in the specified Region

arn:aws:cloud9:REGION_ID:ACCOUNT_ID:*

Every AWS Cloud9 resource, regardless of account and Region

arn:aws:cloud9:*

For example, you can indicate a specific environment in your statement using its ARN, as follows.

"Resource": "arn:aws:cloud9:us-east-2:123456789012:environment:70d899206236474f9590d93b7c41dfEX"

To specify all resources, use the wildcard character (*) in the Resource element, as follows.

"Resource": "*"

To specify multiple resources in a single statement, separate their ARNs with commas, as follows.

"Resource": [ "arn:aws:cloud9:us-east-2:123456789012:environment:70d899206236474f9590d93b7c41dfEX", "arn:aws:cloud9:us-east-2:123456789012:environment:81e900317347585a0601e04c8d52eaEX" ]

AWS Cloud9 provides a set of operations to work with AWS Cloud9 resources. For a list, see the AWS Cloud9 permissions reference.

Understanding resource ownership

The AWS account owns the resources that are created in the account, regardless of who created the resources.

For example:

  • If you use the root account credentials of your AWS account to create an AWS Cloud9 development environment (which, although possible, isn't recommend as an AWS security best practice), your AWS account is the owner of the environment.

  • If you create an IAM user in your AWS account and grant permissions to create an environment to that user, the user can create an environment. However, your AWS account, to which the user belongs, owns the environment.

  • If you create an IAM role in your AWS account with permissions to create an environment, anyone who can assume the role can create an environment. Your AWS account, to which the role belongs, owns the environment.

Managing access to resources

A permissions policy describes who has access to which resources.

Note

This section discusses the use of IAM in AWS Cloud9. It doesn't provide detailed information about the IAM service. For complete IAM documentation, see What Is IAM? in the IAM User Guide. For information about IAM policy syntax and descriptions, see the IAM JSON Policy Reference in the IAM User Guide.

Policies attached to an IAM identity are referred to as identity-based policies (or IAM policies). Policies attached to a resource are referred to as resource-based policies. AWS Cloud9 supports both identity-based and resource-based policies.

Each of the following API actions requires only an IAM policy to be attached to the IAM identity that wants to call these API actions:

  • CreateEnvironmentEC2

  • DescribeEnvironments

The following API actions require a resource-based policy. An IAM policy isn't required, but AWS Cloud9 will use an IAM policy if it is attached to the IAM identity that wants to call these API actions. The resource-based policy must be applied to the desired AWS Cloud9 resource:

  • CreateEnvironmentMembership

  • DeleteEnvironment

  • DeleteEnvironmentMembership

  • DescribeEnvironmentMemberships

  • DescribeEnvironmentStatus

  • UpdateEnvironment

  • UpdateEnvironmentMembership

For details on what each of these API actions does, see the AWS Cloud9 API Reference.

You cannot attach a resource-based policy to an AWS Cloud9 resource directly. Instead, AWS Cloud9 attaches the appropriate resource-based policies to AWS Cloud9 resources as you add, modify, update, or delete environment members.

To grant a user permissions to perform actions on AWS Cloud9 resources, you attach a permissions policy to an IAM group that the user belongs to. We recommend that you attach an AWS managed (predefined) policy for AWS Cloud9 whenever possible. AWS managed policies are easier and faster to attach. They also contain predefined sets of access permissions for common usage scenarios and user types, such as full administration of an environment, environment users, and users who have only read-only access to an environment. For a list of AWS managed policies for AWS Cloud9, see AWS managed (predefined) policies for AWS Cloud9.

For more detailed usage scenarios and unique user types, you can create and attach your own customer managed policies. See Additional Setup Options for AWS Cloud9 (Team and Enterprise) and Creating customer managed policies for AWS Cloud9.

To attach an IAM policy (AWS managed or customer managed) to an IAM identity, see Attaching IAM Policies (Console) in the IAM User Guide.

AWS managed (predefined) policies for AWS Cloud9

AWS addresses many common use cases by providing standalone IAM policies that AWS creates and administers. These AWS managed policies grant necessary permissions for common use cases so you can avoid having to investigate what permissions are needed. For example, you can use AWS managed policies for AWS Cloud9 to quickly and easily allow users to have full administration of an AWS Cloud9 development environment, act as an environment user, or use an environment they are added to. For more information, see AWS Managed Policies in the IAM User Guide.

To attach an AWS managed policy to an IAM identity, see Attaching IAM Policies (Console) in the IAM User Guide.

The following AWS managed policies, which you can attach to IAM identities in your account, are specific to AWS Cloud9:

  • AWSCloud9Administrator – Provides the following permissions:

    • Amazon EC2 – Get information about multiple Amazon VPC and subnet resources in their AWS account.

    • AWS Cloud9 – All AWS Cloud9 actions in their AWS account.

    • IAM – Get information about IAM users in their AWS account, and create the AWS Cloud9 service-linked role in their AWS account as needed.

    • Systems Manager– Allow the user to call StartSession to initiate a connection to an instance for a Session Manager session. This permission is required for users opening an environment that communicates with its EC2 instance through Systems Manager. For more information, see Accessing no-ingress EC2 instances with AWS Systems Manager

    The AWSCloud9Administrator managed policy contains the following permissions.

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloud9:*", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "iam:GetUser", "iam:ListUsers" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:CreateServiceLinkedRole" ], "Resource": "*", "Condition": { "StringLike": { "iam:AWSServiceName": "cloud9.amazonaws.com" } } } { "Effect": "Allow", "Action": "ssm:StartSession", "Resource": "arn:aws:ec2:*:*:instance/*", "Condition": { "StringLike": { "ssm:resourceTag/aws:cloud9:environment": "*" }, "StringEquals": { "aws:CalledViaFirst": "cloud9.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "ssm:StartSession" ], "Resource": [ "arn:aws:ssm:*:*:document/*" ] } ] }
  • AWSCloud9User – Provides the following permissions:

    • Amazon EC2 – Get information about multiple Amazon VPC and subnet resources in their AWS account.

    • – Create and get information about their environments, and get and change user settings for their environments.

    • IAM – Get information about IAM users in their AWS account, and create the AWS Cloud9 service-linked role in their AWS account as needed.

    • Systems Manager – Allow the user to call StartSession to initiate a connection to an instance for a Session Manager session. This permission is required for users opening an environment that communicates with its EC2 instance through Systems Manager. For more information, see Accessing no-ingress EC2 instances with AWS Systems Manager

    The AWSCloud9User managed policy contains the following permissions.

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloud9:CreateEnvironmentEC2", "cloud9:CreateEnvironmentSSH", "cloud9:GetUserPublicKey", "cloud9:GetUserSettings", "cloud9:UpdateUserSettings", "cloud9:ValidateEnvironmentName", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "iam:GetUser", "iam:ListUsers" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "cloud9:DescribeEnvironmentMemberships" ], "Resource": "*", "Condition": { "Null": { "cloud9:UserArn": "true", "cloud9:EnvironmentId": "true" } } }, { "Effect": "Allow", "Action": [ "iam:CreateServiceLinkedRole" ], "Resource": "*", "Condition": { "StringLike": { "iam:AWSServiceName": "cloud9.amazonaws.com" } } } { "Effect": "Allow", "Action": "ssm:StartSession", "Resource": "arn:aws:ec2:*:*:instance/*", "Condition": { "StringLike": { "ssm:resourceTag/aws:cloud9:environment": "*" }, "StringEquals": { "aws:CalledViaFirst": "cloud9.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "ssm:StartSession" ], "Resource": [ "arn:aws:ssm:*:*:document/*" ] } ] }
  • AWSCloud9EnvironmentMember – Provides the following permissions:

    • AWS Cloud9 – Get information about and user settings for environments they've been invited to.

    • IAM – Get information about IAM users in their AWS account.

    • Systems Manager – Allow the user to call StartSession to initiate a connection to an instance for a Session Manager session. This permission is required for users opening an environment that communicates with its EC2 instance through Systems Manager. For more information, see Accessing no-ingress EC2 instances with AWS Systems Manager

    The AWSCloud9EnvironmentMember managed policy contains the following permissions.

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloud9:GetUserSettings", "cloud9:UpdateUserSettings", "iam:GetUser", "iam:ListUsers" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "cloud9:DescribeEnvironmentMemberships" ], "Resource": "*", "Condition": { "Null": { "cloud9:UserArn": "true", "cloud9:EnvironmentId": "true" } } } { "Effect": "Allow", "Action": "ssm:StartSession", "Resource": "arn:aws:ec2:*:*:instance/*", "Condition": { "StringLike": { "ssm:resourceTag/aws:cloud9:environment": "*" }, "StringEquals": { "aws:CalledViaFirst": "cloud9.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "ssm:StartSession" ], "Resource": [ "arn:aws:ssm:*:*:document/*" ] } ] }

Creating customer managed policies for AWS Cloud9

If none of the AWS managed policies meet your access control requirements, you can create and attach your own customer managed policies.

To create a customer managed policy, see Create an IAM Policy (Console) in the IAM User Guide.

Specifying policy elements: effects, principals, actions, and resources

For each AWS Cloud9 resource, the service defines a set of API operations. To grant permissions for these API operations, AWS Cloud9 defines a set of actions that you can specify in a policy.

The following are the basic policy elements:

  • Effect – You specify the effect, either allow or deny, when the user requests the action. If you don't explicitly grant access to (allow) a resource, access is implicitly denied. You can also explicitly deny access to a resource. You might do this to ensure a user can't access a resource, even if a different policy grants access.

  • Principal – In identity-based policies (IAM policies), the user the policy is attached to is the implicit principal. For resource-based policies, you specify the user, account, service, or other entity that you want to receive permissions.

  • Resource – Use an ARN to identify the resource that the policy applies to.

  • Action – Use action keywords to identify resource operations you want to allow or deny. For example, the cloud9:CreateEnvironmentEC2 permission gives the user permissions to perform the CreateEnvironmentEC2 operation.

To learn more about IAM policy syntax and descriptions, see the IAM JSON Policy Reference in the IAM User Guide.

For a table showing all of the AWS Cloud9 API actions and the resources they apply to, see the AWS Cloud9 permissions reference.

Customer managed policy examples

In this section, you can find example policies that grant permissions for AWS Cloud9 actions. You can adapt the following example IAM policies to allow or explicitly deny AWS Cloud9 access for your IAM identities.

To create or attach a customer managed policy to an IAM identity, see Create an IAM Policy (Console) and Attaching IAM Policies (Console) in the IAM User Guide.

Note

The following examples use the US East (Ohio) Region (us-east-2), a fictitious AWS account ID (123456789012), and a fictitious AWS Cloud9 development environment ID (81e900317347585a0601e04c8d52eaEX).

Get information about environments

The following example IAM policy statement, attached to an IAM entity, allows that entity to get information about any environment in their account.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "cloud9:DescribeEnvironments", "Resource": "*" } ] }
Note

The preceding access permission is already included in the AWS managed policies AWSCloud9Administrator and AWSCloud9User.

Create EC2 environments

The following example IAM policy statement, attached to an IAM entity, allows that entity to create AWS Cloud9 EC2 development environments in their account.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "cloud9:CreateEnvironmentEC2", "Resource": "*" } ] }
Note

The preceding access permission is already included in the AWS managed policies AWSCloud9Administrator and AWSCloud9User.

Create EC2 environments with specific Amazon EC2 instance types

The following example IAM policy statement, attached to an IAM entity, allows that entity to create AWS Cloud9 EC2 development environments in their account. However, EC2 environments can use only the specified class of Amazon EC2 instance types.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "cloud9:CreateEnvironmentEC2", "Resource": "*", "Condition": { "StringLike": { "cloud9:InstanceType": "t3.*" } } } ] }
Note

If the AWS managed policy AWSCloud9Administrator or AWSCloud9User is already attached to the IAM entity, that AWS managed policy overrides the behavior of the preceding IAM policy statement. This is because those AWS managed policies are more permissive.

Create EC2 environments in specific Amazon VPC subnets

The following example IAM policy statement, attached to an IAM entity, allows that entity to create AWS Cloud9 EC2 development environments in their account. However, EC2 environments can use only the specified Amazon VPC subnets.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "cloud9:CreateEnvironmentEC2", "Resource": "*", "Condition": { "StringLike": { "cloud9:SubnetId": [ "subnet-12345678", "subnet-23456789" ] } } } ] }
Note

If the AWS managed policy AWSCloud9Administrator or AWSCloud9User is already attached to the IAM entity, that AWS managed policy overrides the behavior of the preceding IAM policy statement. This is because those AWS managed policies are more permissive.

Create an EC2 environments with a specific environment name

The following example IAM policy statement, attached to an IAM entity, allows that entity to create an AWS Cloud9 EC2 development environment in their account. However, the EC2 environment can use only the specified name.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "cloud9:CreateEnvironmentEC2", "Resource": "*", "Condition": { "StringEquals": { "cloud9:EnvironmentName": "my-demo-environment" } } } ] }
Note

If the AWS managed policy AWSCloud9Administrator or AWSCloud9User is already attached to the IAM entity, that AWS managed policy overrides the behavior of the preceding IAM policy statement. This is because those AWS managed policies are more permissive.

Create SSH environments only

The following example IAM policy statement, attached to an IAM entity, allows that entity to create AWS Cloud9 SSH development environments in their account. However, the entity can't create AWS Cloud9 EC2 development environments.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "cloud9:CreateEnvironmentSSH", "Resource": "*" }, { "Effect": "Deny", "Action": "cloud9:CreateEnvironmentEC2", "Resource": "*" } ] }

Update environments or prevent updating an environment

The following example IAM policy statement, attached to an IAM entity, allows that entity to change information about any AWS Cloud9 development environment in their account.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "cloud9:UpdateEnvironment", "Resource": "*" } ] }
Note

The preceding access permission is already included in the AWS managed policy AWSCloud9Administrator.

The following example IAM policy statement, attached to an IAM entity, explicitly prevents that entity from changing information about the environment with the specified ARN.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "cloud9:UpdateEnvironment", "Resource": "arn:aws:cloud9:us-east-2:123456789012:environment:81e900317347585a0601e04c8d52eaEX" } ] }

Get lists of environment members

The following example IAM policy statement, attached to an IAM entity, allows that entity to get a list of members for any environment in their account.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "cloud9:DescribeEnvironmentMemberships", "Resource": "*" } ] }
Note

The preceding access permission is already included in the AWS managed policy AWSCloud9Administrator. Also, the preceding access permission is more permissive than the equivalent access permission in the AWS managed policy AWSCloud9User.

Share environments only with a specific user

The following example IAM policy statement, attached to an IAM entity, allows that entity to share any environment in their account with only the specified user.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloud9:CreateEnvironmentMembership" ], "Resource": "*", "Condition": { "StringEquals": { "cloud9:UserArn": "arn:aws:iam::123456789012:user/MyDemoUser" } } } ] }
Note

If the AWS managed policy AWSCloud9Administrator or AWSCloud9User is already attached to the IAM entity, those AWS managed policies overrides the behavior of the preceding IAM policy statement. This is because those AWS managed policies are more permissive.

Prevent sharing environments

The following example IAM policy statement, attached to an IAM entity, prevents that entity from sharing any environment in their account.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "cloud9:CreateEnvironmentMembership", "cloud9:UpdateEnvironmentMembership" ], "Resource": "*" } ] }

Change, or prevent changing, the settings of environment members

The following example IAM policy statement, attached to an IAM entity, allows that entity to change the settings of members in any environment in their account.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "cloud9:UpdateEnvironmentMembership", "Resource": "*" } ] }
Note

The preceding access permission is already included in the AWS managed policy AWSCloud9Administrator.

The following example IAM policy statement, attached to an IAM entity, explicitly prevents that entity from changing the settings of members in the environment with the specified ARN.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "cloud9:UpdateEnvironmentMembership", "Resource": "arn:aws:cloud9:us-east-2:123456789012:environment:81e900317347585a0601e04c8d52eaEX" } ] }

Remove, or prevent removing, environment members

The following example IAM policy statement, attached to an IAM entity, allows that entity to remove any member from any environment in their account.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "cloud9:DeleteEnvironmentMembership", "Resource": "*" } ] }
Note

The preceding access permission is already included in the AWS managed policy AWSCloud9Administrator.

The following example IAM policy statement, attached to an IAM entity, explicitly prevents that entity from removing any member from the environment with the specified ARN.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "cloud9:DeleteEnvironmentMembership", "Resource": "arn:aws:cloud9:us-east-2:123456789012:environment:81e900317347585a0601e04c8d52eaEX" } ] }

Delete, or prevent deleting, an environment

The following example IAM policy statement, attached to an IAM entity, allows that entity to delete any environment in their account.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "cloud9:DeleteEnvironment", "Resource": "*" } ] }
Note

The preceding access permission is already included in the AWS managed policy AWSCloud9Administrator.

The following example IAM policy statement, attached to an IAM entity, explicitly prevents that entity from deleting the environment with the specified ARN.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "cloud9:DeleteEnvironment", "Resource": "arn:aws:cloud9:us-east-2:123456789012:environment:81e900317347585a0601e04c8d52eaEX" } ] }

AWS Cloud9 permissions reference

You can use the following table as a reference when you're setting up access control and writing permissions policies to attach to an IAM identity (identity-based policies).

You can use AWS-wide condition keys in your AWS Cloud9 policies to express conditions. For a list, see IAM JSON Policy Elements: Condition in the IAM User Guide.

You specify the actions in the policy's Action field. To specify an action, use the cloud9: prefix followed by the API operation name (for example, "Action": "cloud9:DescribeEnvironments"). To specify multiple actions in a single statement, separate them with commas (for example, "Action": [ "cloud9:UpdateEnvironment", "cloud9:DeleteEnvironment" ]).

Using wildcard characters

You specify an ARN, with or without a wildcard character (*), as the resource value in the policy's Resource field. You can use a wildcard to specify multiple actions or resources. For example, cloud9:* specifies all AWS Cloud9 actions and cloud9:Describe* specifies all AWS Cloud9 actions that begin with Describe.

The following example allows an IAM entity to get information about environments and environment memberships for any environment in their account.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloud9:Describe*" ], "Resource": "*" } ] }
Note

The preceding access permission is already included in the AWS managed policy AWSCloud9Administrator. Also, that the preceding access permission is more permissive than the equivalent access permission in the AWS managed policy AWSCloud9User.

AWS Cloud9 API operations and required permissions for actions

AWS Cloud9 operation Required permission (API action) Resource

CreateEnvironmentEC2

cloud9:CreateEnvironmentEC2

Required to create an AWS Cloud9 EC2 development environment.

*

CreateEnvironmentMembership

cloud9:CreateEnvironmentMembership

Required to add a member to an environment.

arn:aws:cloud9:REGION_ID:ACCOUNT_ID:environment:ENVIRONMENT_ID

DeleteEnvironment

cloud9:DeleteEnvironment

Required to delete an environment.

arn:aws:cloud9:REGION_ID:ACCOUNT_ID:environment:ENVIRONMENT_ID

DeleteEnvironmentMembership

cloud9:DeleteEnvironmentMembership

Required to remove a member from an environment.

arn:aws:cloud9:REGION_ID:ACCOUNT_ID:environment:ENVIRONMENT_ID

DescribeEnvironmentMemberships

cloud9:DescribeEnvironmentMemberships

Required to get a list of members in an environment.

*

DescribeEnvironments

cloud9:DescribeEnvironments

Required to get information about an environment.

arn:aws:cloud9:REGION_ID:ACCOUNT_ID:environment:ENVIRONMENT_ID

DescribeEnvironmentStatus

cloud9:DescribeEnvironmentStatus

Required to get information about the status of an environment.

arn:aws:cloud9:REGION_ID:ACCOUNT_ID:environment:ENVIRONMENT_ID

UpdateEnvironment

cloud9:UpdateEnvironment

Required to update settings for an environment.

arn:aws:cloud9:REGION_ID:ACCOUNT_ID:environment:ENVIRONMENT_ID

UpdateEnvironmentMembership

cloud9:UpdateEnvironmentMembership

Required to update settings for a member in an environment.

arn:aws:cloud9:REGION_ID:ACCOUNT_ID:environment:ENVIRONMENT_ID

AWS managed temporary credentials

If you're just looking for the list of actions that AWS managed temporary credentials supports, skip ahead to Actions supported by AWS managed temporary credentials.

For an AWS Cloud9 EC2 development environment, AWS Cloud9 makes temporary AWS access credentials available to you in the environment. We call these AWS managed temporary credentials. This provides the following benefits:

  • You don't need to store the permanent AWS access credentials of an AWS entity (for example, an IAM user) anywhere in the environment. This prevents those credentials from being accessed by environment members without your knowledge and approval.

  • You don't need to manually set up, manage, or attach an instance profile to the Amazon EC2 instance that connects to the environment. (An instance profile is another approach for managing temporary AWS access credentials.)

  • AWS Cloud9 continually renews its temporary credentials, so a single set of credentials can be used only for a limited time. This is an AWS security best practice. For more information, see Creating and updating AWS managed temporary credentials.

  • AWS Cloud9 puts additional restrictions on how its temporary credentials can be used to access AWS actions and resources from the environment. This is also an AWS security best practice.

Important

Currently, if your environment’s EC2 instance is launched into a private subnet, you can't use AWS managed temporary credentials to allow the EC2 environment to access an AWS service on behalf of an AWS entity (an IAM user, for example).

For more information about when you can launch an EC2 instance into a private subnet, see Create a subnet for AWS Cloud9.

Here's how AWS managed temporary credentials work whenever an EC2 environment tries to access an AWS service on behalf of an AWS entity (for example, an IAM user):

  1. AWS Cloud9 checks to see if the calling AWS entity (for example, the IAM user) has permissions to take the requested action for the requested resource in AWS. If the permission doesn't exist or is explicitly denied, the request fails.

  2. AWS Cloud9 checks AWS managed temporary credentials to see if its permissions allow the requested action for the requested resource in AWS. If the permission doesn't exist or is explicitly denied, the request fails. For a list of permissions that AWS managed temporary credentials support, see Actions supported by AWS managed temporary credentials.

  • If both the AWS entity and AWS managed temporary credentials allow the requested action for the requested resource, the request succeeds.

  • If either the AWS entity or AWS managed temporary credentials explicitly deny (or fail to explicitly allow) the requested action for the requested resource, the request fails. This means that even if the calling AWS entity has the correct permissions, the request will fail if AWS Cloud9 doesn't also explicitly allow it. Likewise, if AWS Cloud9 allows a specific action to be taken for a specific resource, the request will fail if the AWS entity doesn't also explicitly allow it.

The owner of an EC2 environment can turn on or off AWS managed temporary credentials for that environment at any time, as follows:

  1. With the environment open, in the AWS Cloud9 IDE, on the menu bar choose AWS Cloud9, Preferences.

  2. On the Preferences tab, in the navigation pane, choose AWS Settings, Credentials.

  3. Use AWS managed temporary credentials to turn AWS managed temporary credentials on or off.

If you turn off AWS managed temporary credentials, by default the environment cannot access any AWS services, regardless of the AWS entity who makes the request. If you can't or don't want to turn on AWS managed temporary credentials for an environment, but you still need the environment to access AWS services, consider the following alternatives:

The preceding alternatives override all permissions that are allowed (or denied) by AWS managed temporary credentials in an EC2 environment.

Actions supported by AWS managed temporary credentials

For an AWS Cloud9 EC2 development environment, AWS managed temporary credentials allow all AWS actions for all AWS resources in the caller's AWS account, with the following restrictions:

  • For AWS Cloud9, only the following actions are allowed:

    • cloud9:CreateEnvironmentEC2

    • cloud9:CreateEnvironmentSSH

    • cloud9:DescribeEnvironmentMemberships

    • cloud9:DescribeEnvironments

    • cloud9:DescribeEnvironmentStatus

    • cloud9:UpdateEnvironment

  • For IAM, only the following actions are allowed:

    • iam:AttachRolePolicy

    • iam:ChangePassword

    • iam:CreatePolicy

    • iam:CreatePolicyVersion

    • iam:CreateRole

    • iam:CreateServiceLinkedRole

    • iam:DeletePolicy

    • iam:DeletePolicyVersion

    • iam:DeleteRole

    • iam:DeleteRolePolicy

    • iam:DeleteSSHPublicKey

    • iam:DetachRolePolicy

    • iam:GetInstanceProfile

    • iam:GetPolicy

    • iam:GetPolicyVersion

    • iam:GetRole

    • iam:GetRolePolicy

    • iam:GetSSHPublicKey

    • iam:GetUser

    • iam:List*

    • iam:PassRole

    • iam:PutRolePolicy

    • iam:SetDefaultPolicyVersion

    • iam:UpdateAssumeRolePolicy

    • iam:UpdateRoleDescription

    • iam:UpdateSSHPublicKey

    • iam:UploadSSHPublicKey

  • All IAM actions that interact with roles are allowed only for role names starting with Cloud9-. However, iam:PassRole works with all role names.

  • For AWS Security Token Service (AWS STS), only the following actions are allowed:

    • sts:GetCallerIdentity

    • sts:DecodeAuthorizationMessage

  • All supported AWS actions are restricted to the IP address of the environment. This is an AWS security best practice.

If AWS Cloud9 doesn't support an action or resource that you need an EC2 environment to access, or if AWS managed temporary credentials is turned off for an EC2 environment and you can't turn it back on, consider the following alternatives:

The preceding alternatives override all permissions that are allowed (or denied) by AWS managed temporary credentials in an EC2 environment.

Creating and updating AWS managed temporary credentials

For an AWS Cloud9 EC2 development environment, AWS managed temporary credentials are created the first time you open the environment.

AWS managed temporary credentials are updated under any of the following conditions:

  • Whenever a certain period of time passes. Currently, this is every five minutes.

  • Whenever you reload the web browser tab that displays the IDE for the environment.

  • When the timestamp that is listed in the ~/.aws/credentials file for the environment is reached.

  • If the AWS managed temporary credentials setting is set to off, whenever you turn it back on. (To view or change this setting, choose AWS Cloud9, Preferences in the menu bar of the IDE. On the Preferences tab, in the navigation pane, choose AWS Settings, Credentials.)

  • For security, AWS managed temporary credentials expire automatically after 15 minutes. For credentials to be refreshed, the environment owner must be connected to the AWS Cloud9 environment through the IDE. For more information on the role of the environment owner, see Controlling access to AWS managed temporary credentials.

Controlling access to AWS managed temporary credentials

A collaborator with AWS managed temporary credentials can use AWS Cloud9 to interact with other AWS services. To ensure that only trusted collaborators are provided with AWS managed temporary credentials, these credentials are disabled if a new member is added by anyone other than the environment owner. (The credentials are disabled by the deletion of the ~/.aws/credentials file.)

Important

AWS managed temporary credentials also expire automatically every 15 minutes. For the credentials to be refreshed so that collaborators can continue to use them, the environment owner must be connected to AWS Cloud9 environment through the IDE.

Only the environment owner can re-enable AWS managed temporary credentials so that they can be shared with other members. When the environment owner opens the IDE, a dialog box confirms that AWS managed temporary credentials are disabled. The environment owner can re-enable the credentials for all members or keep them disabled for all members.

Warning

To comply with best security practices, keep the managed temporary credentials disabled if you're not certain about the identity of the last user added to the environment. You can check the list of members with read/write permissions in the Collaborate window.