AWS: Is there a way to divvy up permissions to control stopping/starting VMs for a corporate account?

Question

My employer is asking me what hours I want to use AWS VMs.

They don't want to grant me full corporate access, because in the past people have shut down mission critical instances by mistake.

I'd like the flexibility to start/stop my own instance and not be reliant on asking someone else to extend the hours on an adhoc basis, as I often work odd hours into the night if I am on a roll with something.

Other than the expense of a 24/7 use case, is there a more cost effective capability that I can point the gatekeeper too, that would allow this sort of flexibility?

At the moment, I'm pretty naive on the AWS front.. I just use the VMs I've been given to use.

BTW: I think there are issues about having them in certain domains - so I can't just have my own individual account.

Thanks in advance for your advice.

Answer 1

I think there are issues about having them in certain domains - so I can't just have my own individual account.

This is what AWS Organizations is for: you have your own account, but it's tied to the corporate account and can be granted access to perform certain functions.

You don't describe what you're creating these instances for, but I'm going to assume that it's development testing. In that case, you would work entirely within your own sandbox, and be unable to affect the mission-critical resources. If there's a need for explicit domain naming, they can delegate authority for a sub-domain, and if necessary use CNAMEs link hosts in that sub-domain to the parent domain.

If you need to do production support work, such as bringing up a new production machine, they can create a role that grants you permission to do so -- probably one that allows you to start machines but not stop them.

At the moment, I'm pretty naive on the AWS front

Unfortunately, it sounds like they are as well. I think the best thing you can do is point them at the Organizations doc.