# AWS accounts

{% hint style="danger" %}
Without appropriate security policies in place, a cloud account that learners can reach can be abused. Always implement the appropriate policies and restrictions (IAM policies, SCPs, and the enabled services and regions) before exposing tracks with cloud accounts to the public.
{% endhint %}

{% hint style="warning" %}
Costs associated with cloud accounts are in addition to your standard Instruqt billing, so take extra precautions when allowing users to access tracks that have cloud accounts.
{% endhint %}

This guide explains how to access an **Amazon Web Services (AWS)** account from Instruqt.

> An AWS account is a container for your AWS resources. You create and manage your AWS resources in an AWS account, and the AWS account provides administrative capabilities for access and billing.
>
> — [AWS documentation](https://aws.amazon.com/organizations/faqs/)

## Before you begin

You must have already built a track to which you can add access to an AWS account.

{% hint style="danger" %}
**Service Limits**\
AWS accounts have built-in service limits. If you plan to deploy complex network infrastructure, check that you do not exceed the [EC2 service quota defaults](https://docs.aws.amazon.com/general/latest/gr/ec2-service.html).
{% endhint %}

## Access AWS accounts

The recommended way to give a learner access to an AWS account is to add the Instruqt Cloud Client container to your track, because the container:

* Exposes links to the AWS Console for the resources configured in the `config.yml` file, with the credentials required to log in.
* Includes the `aws` CLI, pre-configured with the required credentials.

The AWS Console and the `aws` CLI make it easy for content developers and learners to access AWS resources from the sandbox.

It takes the following steps to give learners access to an AWS account:

1. Add an Instruqt Cloud Client container to your track.
2. Add an AWS account to your track.
3. Add tabs to your challenges where you want to expose the AWS console or `aws` CLI.

Additionally, you can use:

* A set of environment variables that are available in the `aws` CLI.
* IAM policies and permissions.

{% hint style="info" %}
**Use the `AWS Cloud Account` template**

Instead of building the track yourself, you can [create a track with the AWS Cloud Template](broken://pages/LHNlh98cWYBTdcZwKglp). The template includes:

* The Instruqt Cloud Client container
* A pre-defined AWS account
* A challenge with tabs for AWS console and `aws` CLI
{% endhint %}

### Step 1: Add an Instruqt Cloud Client container to your track

More information can be found in the [cloud client](/sandboxes/cloud-accounts/cloud-client.md) section.

### Step 2: Add an AWS account to your track

{% tabs %}
{% tab title="🌐 Web UI" %}

1. Click **+ Add a cloud account** on the *Sandbox* page.\
   ↳ The *Add cloud account* pop-up opens.
2. Select the **Amazon** provider.
3. In the **Name** field, enter `awsaccount`.
4. In the **Services** field, select the services that are going to be enabled.
5. In the **Regions** field, select the regions that are going to be enabled.
6. In the **User IAM Policy** field, enter an IAM policy in JSON format. This policy is attached to the end user whose credentials the learner receives, so keep it to what the challenges need. For example, to allow EC2 read-only access:

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
           "Sid":"EC2AllowDescribe",
           "Effect": "Allow",
           "Action": "ec2:Describe*",
           "Resource": "*"
       }
     ]
   }
   ```
7. In the **Admin IAM Policy** field, enter an IAM policy in JSON format. For example, to allow full EC2 access:

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
           "Sid":"EC2DefaultAllow",
           "Effect": "Allow",
           "Action": "ec2:*",
           "Resource": "*"
       }
     ]
   }
   ```
8. In the **SCP Policy** field, enter a service control policy in JSON format. This example denies launching an instance, or resizing an existing one, to any type other than `t2.micro`. Because an SCP can only restrict and never grants access, this deny also applies to the admin user, whatever the Admin IAM Policy allows:

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Sid": "LimitInstanceTypeRun",
         "Action": [
           "ec2:RunInstances"
         ],
         "Effect": "Deny",
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {
           "StringNotEqualsIfExists": {
             "ec2:InstanceType": [
               "t2.micro"
             ]
           }
         }
       },
       {
         "Sid": "LimitInstanceTypeModify",
         "Action": [
           "ec2:ModifyInstanceAttribute"
         ],
         "Effect": "Deny",
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {
           "ForAnyValue:StringNotEquals": {
             "ec2:Attribute/InstanceType": [
               "t2.micro"
             ]
           }
         }
       }
     ]
   }
   ```
9. Click **Save** to add the AWS account.\
   ↳ On the *Sandbox* page, you will see the new AWS account.
10. Click **Back to track** to return to the *Track dashboard* page.
{% endtab %}

{% tab title="💻 Instruqt CLI" %}

1. Copy and paste the following code into `config.yml`:

   ```yaml
   aws_accounts:
   - name: awsaccount
     services: []
     regions: []
     managed_policies: []
   ```

   ↳ Your `config.yml` file should be similar to this now:

   ```yaml
   version: "3"
   containers:
   - name: cloud-client
     image: gcr.io/instruqt/cloud-client
     ports: [80]
     shell: /bin/bash
     memory: 256
   aws_accounts:
   - name: awsaccount
     services: []
     regions: []
     managed_policies: []
   ```

{% endtab %}
{% endtabs %}

{% hint style="warning" %}
Only the **services** and **regions** enabled by the team administrator can be selected or specified. See [Cloud services and regions](/sandboxes/manage/cloud-services-and-regions.md) for details.
{% endhint %}

{% hint style="info" %}
When you specify an **Admin IAM Policy**, an additional admin user and API key are created with that policy attached.

Use this admin user in lifecycle scripts to set up the cloud account: setup usually needs operations that require higher privileges than those granted to the learner by the User IAM Policy.

Note: admin credentials are injected exclusively into lifecycle scripts. End-user credentials, by contrast, are exposed as environment variables on the track's virtual machines and containers, where a learner with a terminal can read them, so grant the end user only what the challenges require.
{% endhint %}
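The three policies above combine in a fixed way: a request succeeds only if the identity policy (User or Admin IAM Policy) allows it and the SCP does not deny it, and an explicit Deny always wins. The following is an added example, not Instruqt or AWS code: an offline model of that evaluation for the policies from Step 2, implementing only the subset of IAM logic they use (Action and Resource wildcards, the `StringEquals` family with the `IfExists` and `ForAnyValue` variants, explicit-deny-wins). It assumes, as in a real AWS Organization, that a `FullAWSAccess`-style Allow sits beside the deny-only SCP, so an SCP that matches nothing neither grants nor blocks; the account id and instance id in the request are placeholders.

```python
from fnmatch import fnmatchcase

# The three policies from Step 2, verbatim.
USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EC2AllowDescribe", "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EC2DefaultAllow", "Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "LimitInstanceTypeRun", "Effect": "Deny", "Action": ["ec2:RunInstances"],
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringNotEqualsIfExists": {"ec2:InstanceType": ["t2.micro"]}}},
    {"Sid": "LimitInstanceTypeModify", "Effect": "Deny", "Action": ["ec2:ModifyInstanceAttribute"],
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"ForAnyValue:StringNotEquals": {"ec2:Attribute/InstanceType": ["t2.micro"]}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """All operators in a Condition block must hold against the request context."""
    for operator, pairs in condition.items():
        set_prefix, _, base = operator.rpartition(":")  # e.g. "ForAnyValue", "StringNotEquals"
        if_exists = base.endswith("IfExists")
        base = base[:-len("IfExists")] if if_exists else base
        if base not in ("StringEquals", "StringNotEquals") or set_prefix not in ("", "ForAnyValue"):
            raise NotImplementedError(operator)  # only what the page's policies need
        negate = base == "StringNotEquals"
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                if set_prefix == "ForAnyValue":
                    return False  # ForAnyValue over an absent key is false
                if if_exists:
                    continue      # ...IfExists: an absent key satisfies the operator
                return False
            # Plain operators see a single value; ForAnyValue needs any one value to satisfy it.
            if not any((a in _as_list(expected)) != negate for a in _as_list(actual)):
                return False
    return True


def _applies(statement, action, resource, context):
    """Does this statement match the action, resource and context? (Action names are case-insensitive.)"""
    patterns = [a.lower() for a in _as_list(statement["Action"])]
    if not any(fnmatchcase(action.lower(), p) for p in patterns):
        return False
    if not any(fnmatchcase(resource, p) for p in _as_list(statement["Resource"])):
        return False
    return _condition_holds(statement.get("Condition", {}), context)


def evaluate(policy, action, resource, context):
    """Return 'Deny', 'Allow' or 'Implicit' (no matching statement) for one policy document."""
    effects = {s["Effect"] for s in policy["Statement"] if _applies(s, action, resource, context)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Implicit"


def is_allowed(identity_policy, scp, action, resource, context=None):
    """The SCP must not deny AND the identity policy must allow; an SCP never grants on its own."""
    context = context or {}
    if evaluate(scp, action, resource, context) == "Deny":
        return False
    return evaluate(identity_policy, action, resource, context) == "Allow"


# Constructed request target; the account id and instance id are placeholders.
INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"


def scenarios():
    """What the learner (User IAM Policy) and the admin user can do under the SCP."""
    run, modify = "ec2:RunInstances", "ec2:ModifyInstanceAttribute"
    return {
        "learner_describe":   is_allowed(USER_POLICY, SCP, "ec2:DescribeInstances", INSTANCE),
        "learner_run_micro":  is_allowed(USER_POLICY, SCP, run, INSTANCE, {"ec2:InstanceType": "t2.micro"}),
        "admin_run_micro":    is_allowed(ADMIN_POLICY, SCP, run, INSTANCE, {"ec2:InstanceType": "t2.micro"}),
        "admin_run_large":    is_allowed(ADMIN_POLICY, SCP, run, INSTANCE, {"ec2:InstanceType": "m5.large"}),
        "admin_resize_large": is_allowed(ADMIN_POLICY, SCP, modify, INSTANCE,
                                         {"ec2:Attribute/InstanceType": "m5.large"}),
        # Changing some other attribute: no InstanceType key, ForAnyValue is false, the Deny does not fire.
        "admin_modify_other": is_allowed(ADMIN_POLICY, SCP, modify, INSTANCE, {}),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name:20} {'ALLOW' if allowed else 'DENY'}")
```

Two results are worth noting when you write your own policies: the learner cannot launch even a `t2.micro`, because the User IAM Policy never allows `ec2:RunInstances` and the SCP cannot add that permission; and `ModifyInstanceAttribute` calls that touch an attribute other than the instance type pass the SCP, because `ForAnyValue` is false when the key is absent, so the second statement only guards resizes.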

### Step 3: Add tabs to expose the AWS console and `aws` CLI

{% tabs %}
{% tab title="🌐 Web UI" %}

1. In the **Challenges** section of the *Track dashboard*, click **Add new**, and select **Assignment**.
2. Input these values:

   <table><thead><tr><th width="150">Field</th><th>Value</th></tr></thead><tbody><tr><td><strong>Title</strong></td><td><code>AWS account</code></td></tr><tr><td><strong>URL</strong></td><td><code>aws-ec2</code></td></tr><tr><td><strong>Description</strong></td><td><code>Learn to work with an AWS account</code></td></tr></tbody></table>
3. Click **Save.**
4. Click **Tabs** followed by **Add new tab**.
5. Select the **Your applications** tab type.
6. Enter/select these values to set the AWS console:

   <table><thead><tr><th width="150">Field</th><th>Value</th></tr></thead><tbody><tr><td><strong>Tab name</strong></td><td><code>AWS console</code></td></tr><tr><td><strong>Select your host</strong></td><td><code>cloud-client</code></td></tr><tr><td><strong>Path</strong></td><td><code>/</code></td></tr><tr><td><strong>Port</strong></td><td><code>80</code></td></tr></tbody></table>
7. Click **Save** to add the tab.
8. Click **Add new tab** again.
9. Select the **Terminal** tab type.
10. Enter/select these values to set the `aws` CLI:

    <table><thead><tr><th width="150">Field</th><th>Value</th></tr></thead><tbody><tr><td><strong>Tab name</strong></td><td><code>aws CLI</code></td></tr><tr><td><strong>Host</strong></td><td><code>cloud-client</code></td></tr></tbody></table>
11. Click **Save** to add the tab.
12. Click **Back to track**.
13. Click **Play track** and test your AWS account track.
{% endtab %}

{% tab title="💻 Instruqt CLI" %}

1. Open a terminal and move to your track directory.
2. Enter the following command to create a new challenge:

   ```bash
   instruqt challenge create --title "AWSaccount"
   ```

   ↳ Instruqt CLI creates a directory for the challenge, with an `assignment.md` file inside it.
3. Open the `assignment.md` file in your code editor.
4. Copy and paste the following code into `assignment.md` to set the AWS console and `aws` CLI:

   ```md
   ---
   slug: aws-ec2
   type: challenge
   title: AWS account
   teaser: Learn to work with an AWS account
   tabs:
   - title: AWS Console
     type: service
     hostname: cloud-client
     path: /
     port: 80
   - title: aws CLI
     type: terminal
     hostname: cloud-client
   difficulty: basic
   timelimit: 600
   ---
   ```

   ⇨ You can add the assignment text of your liking in Markdown after the closing `---` of the front matter (line 17 of the block above).
5. Save file `assignment.md`.
6. Push the track to the Instruqt platform:

   ```bash
   instruqt track push
   ```
7. Play and test the track:

   ```bash
   instruqt track open
   ```

   ↳ Your browser opens, showing the Track overview page.\
   Click **Start track** to play the track.
{% endtab %}
{% endtabs %}

## Environment variables

Adding an AWS account to your track also sets a list of [AWS environment variables](/sandboxes/cloud-accounts/aws-accounts/aws-environment-variables.md) that you can use in commands and scripts. This provides the ability to access and deploy resources within the AWS account during track setup or during learner interaction with the CLI.
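A typical use of these variables is a lifecycle (setup) script that turns the injected credentials into an AWS CLI profile before the learner's first challenge starts. The script below is an added example, not an Instruqt-supplied script. It assumes the variables are named `INSTRUQT_AWS_ACCOUNT_<NAME>_AWS_ACCESS_KEY_ID` and `INSTRUQT_AWS_ACCOUNT_<NAME>_AWS_SECRET_ACCESS_KEY`, with `<NAME>` the `config.yml` account name upper-cased; confirm the exact names on the environment-variables page linked above before using it. The same functions serve the admin credentials, which only exist inside lifecycle scripts.

```bash
#!/usr/bin/env bash
# Added example, not an Instruqt-supplied script: build an AWS CLI profile from
# the credentials Instruqt injects into the sandbox, refusing to continue if a
# credential is missing rather than writing an empty key.
# ASSUMPTION: variable names follow INSTRUQT_AWS_ACCOUNT_<NAME>_AWS_ACCESS_KEY_ID
# and INSTRUQT_AWS_ACCOUNT_<NAME>_AWS_SECRET_ACCESS_KEY.
set -eu

ACCOUNT_NAME="AWSACCOUNT"   # "awsaccount" from config.yml, upper-cased (assumed convention)

# Print the value of the variable whose *name* is $1, or fail with a message.
# The name is validated before eval so a crafted name cannot run commands.
require_var() {
  local name="$1" value
  case "$name" in
    *[!A-Z0-9_]*|"") echo "setup: invalid variable name '$name'" >&2; return 1 ;;
  esac
  eval "value=\${$name:-}"
  if [ -z "$value" ]; then
    echo "setup: required variable $name is not set" >&2
    return 1
  fi
  printf '%s' "$value"
}

# Append one profile to an AWS CLI shared credentials file. The file is created
# with mode 0600 before anything is written, so the keys are never world-readable.
write_aws_profile() {
  local profile="$1" key_id="$2" secret="$3" file="$4"
  mkdir -p "$(dirname "$file")"
  touch "$file" && chmod 600 "$file"
  {
    printf '[%s]\n' "$profile"
    printf 'aws_access_key_id = %s\n' "$key_id"
    printf 'aws_secret_access_key = %s\n\n' "$secret"
  } >> "$file"
}

# Build the learner's profile from the injected end-user credentials.
# Each lookup uses "|| return 1" so the failure propagates even when the
# function is called in a context where "set -e" is suspended.
configure_learner_profile() {
  local file="${1:-$HOME/.aws/credentials}" key_id secret
  key_id="$(require_var "INSTRUQT_AWS_ACCOUNT_${ACCOUNT_NAME}_AWS_ACCESS_KEY_ID")" || return 1
  secret="$(require_var "INSTRUQT_AWS_ACCOUNT_${ACCOUNT_NAME}_AWS_SECRET_ACCESS_KEY")" || return 1
  write_aws_profile learner "$key_id" "$secret" "$file"
}

# Typical use in a setup script (the aws call is left commented so the script
# runs without network access):
# configure_learner_profile
# AWS_DEFAULT_REGION=us-east-1 aws --profile learner sts get-caller-identity
```

Because the end-user credentials are visible to the learner anyway, the point of the permission check is not secrecy from the learner but hygiene: a credentials file left world-readable in a shared image, or an empty key silently written because a variable name was mistyped, are the two failure modes this script guards against.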

## Setting policies and permissions

AWS accounts have the following settings to configure policies and permissions:

* [Managed policies](/sandboxes/cloud-accounts/aws-accounts/aws-managed-policies.md)
* [Identity and Access Management (IAM) policies](/sandboxes/cloud-accounts/aws-accounts/aws-iam-policies.md)
* [Service control policies (SCP)](/sandboxes/cloud-accounts/aws-accounts/aws-scp-policies.md)

{% hint style="success" %}
Awesome! Your learners can now access AWS accounts. But there is more. You can also give them access to:

* [GCP projects](/sandboxes/cloud-accounts/gcp-projects.md)
* [Azure subscriptions](/sandboxes/cloud-accounts/azure-subscriptions.md)
{% endhint %}

