
Configuring Your AWS Account for secure access from Engine Yard

Overview

This technical procedure outlines how to secure an AWS account that is connected to an Engine Yard (EY) Cloud account. The strategy focuses on:

  • Implementing strict permissions management

  • Enforcing IP-based access restrictions

The procedure covers configuring AWS Service Control Policies (SCPs), where the account belongs to an AWS Organization, and adjusting the IAM policies of the users that the Engine Yard platform relies on to manage AWS resources.

Each of the following sections addresses one of the three IAM users utilized by the Engine Yard platform. This guide assumes the reader is familiar with the AWS IAM Console.

ey_support

This user grants EY Support staff access to the AWS account for diagnostics and configuration fixes.

As it stands today, the user has full admin permissions in the account. Because of this, access to the AWS account through this user is restricted to connections coming from Engine Yard's VPN endpoint.

As of May 2024, the authorized IP is:

52.6.229.154/32

To secure the account, copy the content of the attached file `iam_policy-ey_support.json` and add it to the ey_support user as an inline policy. If the VPN address changes, the policy must be updated from a different principal, since ey_support itself is denied from any other address.

ey_admin

This user enables the Engine Yard Platform to programmatically manage AWS resources via the AWS API.

As it stands today, this user has full admin permissions in the account. Because of this, access to the AWS account through this user and its API keys is allowed only from IP addresses belonging to the EY backend.

To apply this restriction, copy the content of the attached file `iam_policy-ey_admin.json` and add it to the ey_admin user as an inline policy.

Validate that the EYC Platform continues to work as expected, relying on CloudTrail or a similar tool to review the API calls made with this user (in particular, any AccessDenied errors that appear after the change).
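Both the ey_support and ey_admin restrictions have the same shape: an explicit Deny on every action unless the call comes from the allowed source addresses, layered on top of the admin permissions the user already has. The attached files are not reproduced on this page; the following is an added illustration of that shape (not the content of either attachment), written for ey_support with the VPN address documented above. For ey_admin the same statement would list the EY backend CIDRs instead, which this article does not enumerate.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnlessFromEngineYardVPN",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": ["52.6.229.154/32"]
        },
        "Bool": {
          "aws:ViaAWSService": "false"
        }
      }
    }
  ]
}
```

Two points worth checking before applying a policy like this. First, a Deny statement grants nothing on its own; it only works because the user keeps its existing admin permissions. Second, `aws:SourceIp` is not set when an AWS service (CloudFormation, for example) makes a call on the user's behalf, so without the `aws:ViaAWSService` condition those calls would be denied as well. The policy can be attached from the IAM Console as an inline policy, or with `aws iam put-user-policy --user-name ey_support --policy-name restrict-source-ip --policy-document file://iam_policy-ey_support.json`.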

ey_instance

This user allows the instances managed by the EY Platform to access the AWS S3 API in order to create buckets and objects in the account. The uses revolve around downloading custom Chef recipes and managing backups.

As it stands today, this user has several permissions to S3 and the EC2 API in the account. Because the credentials are installed on the instances themselves, the restrictions on usage are about which operations are permitted rather than about source IPs.

To apply this restriction, copy the content of the attached file `iam_policy-ey_instance.json` and add it to the ey_instance user as an inline policy. Also remove the previous policies about S3, ronin, and security groups, as they are no longer used. Validate that the EYC Platform continues to work as expected, relying on CloudTrail or a similar tool to review the API calls made with this user.
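The ey_admin and ey_instance sections both end with the same validation step: review CloudTrail after the policy change. The following added example (not part of the article or of the Engine Yard tooling) shows what that review looks like over a CloudTrail log: it flags calls by the IP-restricted users that came from outside their allowed ranges, and separately lists AccessDenied errors, which after a tightening would indicate the policy is stricter than the platform needs. The ey_support address is the one documented above; the ey_admin range is a placeholder assumption, and the records are constructed sample data.

```python
"""Review CloudTrail records for the Engine Yard IAM users after a policy change.

Two questions are answered:
  1. Did ey_support / ey_admin make calls from an address outside the ranges the
     inline policy is meant to allow?  (a gap in the policy, or credentials used
     from somewhere they should not be)
  2. Did any user start receiving AccessDenied?  (the policy may be too strict)
"""
import ipaddress
import json

# Allowed source ranges per user.  52.6.229.154/32 is the ey_support VPN address
# documented in the article.  The ey_admin entry is a placeholder (assumption,
# RFC 5737 documentation range) to be replaced with the real EY backend CIDRs.
ALLOWED_SOURCES = {
    "ey_support": ["52.6.229.154/32"],
    "ey_admin": ["198.51.100.0/24"],
}


def parse_log(text):
    """Return the records array of a CloudTrail log file given as JSON text."""
    return json.loads(text)["Records"]


def _is_allowed(ip_text, cidrs):
    """True if ip_text is an IP address inside one of the CIDRs."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def review(records, allowed=ALLOWED_SOURCES):
    """Return (out_of_policy, denied): lists of (user, eventName, sourceIPAddress)."""
    out_of_policy = []
    denied = []
    for rec in records:
        user = rec.get("userIdentity", {}).get("userName")
        src = rec.get("sourceIPAddress", "")
        summary = (user, rec.get("eventName"), src)
        if rec.get("errorCode") == "AccessDenied":
            denied.append(summary)
        if user not in allowed:
            continue  # ey_instance is not IP-restricted; nothing to compare
        # When an AWS service calls on the user's behalf, CloudTrail records the
        # service DNS name here rather than an IP; aws:SourceIp does not apply.
        if src.endswith(".amazonaws.com"):
            continue
        if not _is_allowed(src, allowed[user]):
            out_of_policy.append(summary)
    return out_of_policy, denied


# Constructed sample records (not real CloudTrail output), in the shape of the
# entries found in a CloudTrail log file's "Records" array.
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-10T09:00:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "ey_support"},
     "sourceIPAddress": "52.6.229.154"},
    {"eventTime": "2024-05-10T09:05:00Z", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "ey_support"},
     "sourceIPAddress": "203.0.113.7"},
    {"eventTime": "2024-05-10T09:10:00Z", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "userName": "ey_admin"},
     "sourceIPAddress": "198.51.100.25"},
    {"eventTime": "2024-05-10T09:12:00Z", "eventName": "CreateSecurityGroup",
     "userIdentity": {"type": "IAMUser", "userName": "ey_admin"},
     "sourceIPAddress": "198.51.100.25", "errorCode": "AccessDenied"},
    {"eventTime": "2024-05-10T09:15:00Z", "eventName": "CreateStack",
     "userIdentity": {"type": "IAMUser", "userName": "ey_admin"},
     "sourceIPAddress": "cloudformation.amazonaws.com"},
    {"eventTime": "2024-05-10T09:20:00Z", "eventName": "PutObject",
     "userIdentity": {"type": "IAMUser", "userName": "ey_instance"},
     "sourceIPAddress": "54.0.0.1"},
]


if __name__ == "__main__":
    bad, den = review(SAMPLE_RECORDS)
    print("Calls from outside the allowed ranges:")
    for s in bad:
        print("  ", s)
    print("AccessDenied errors (policy may be too strict):")
    for s in den:
        print("  ", s)
```

On the sample data the review flags one ey_support call from 203.0.113.7 (outside the VPN address) and one AccessDenied for ey_admin on CreateSecurityGroup; the CloudFormation-originated call is skipped because it carries a service name, not a source IP. Against a real account, feed it the decompressed log files from the CloudTrail bucket, or the output of an Athena query over the trail, and treat the first list as an incident indicator and the second as input to relaxing the policy.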

Other considerations

For AWS accounts managed by customers, it is highly recommended to enable Amazon GuardDuty. This provides:

  • Continuous security monitoring

  • Detection of malicious or unauthorized behavior

  • Enhanced support investigations by EY staff

Attachments:

  • iam_policy-ey_admin.json

  • iam_policy-ey_support.json

  • iam_policy-ey_instance.json
Posted by Aditi Garg