# Securing your cloud accounts

{% hint style="danger" %}
Cloud account usage can lead to abuse without the appropriate security policies in place. Always be sure to implement the appropriate policies and restrictions before exposing tracks with cloud accounts to the public.
{% endhint %}

{% hint style="warning" %}
Costs associated with cloud accounts are in addition to your standard Instruqt billing. Therefore, you should take extra precautions when allowing users to access tracks that have cloud accounts.
{% endhint %}

## Services and Regions

Service and region restrictions can be put in place [globally](/sandboxes/manage/cloud-services-and-regions.md) or at a track level. This section focuses on enabling them at the track level. If you would like more information on global configuration, read the [cloud services and regions](/sandboxes/manage/cloud-services-and-regions.md) section under global sandbox settings.

<figure><img src="/files/Jw3KLieTJn8BZQDtLWeh" alt=""><figcaption></figcaption></figure>

Providing full access to cloud services or accounts is never recommended. Apply a least-privilege policy that matches the requirements of the track. For example, the AWS managed policy AmazonEC2FullAccess should only be used for admin [managed policies](/sandboxes/cloud-accounts/aws-accounts/aws-managed-policies.md) and not for user managed policies. Similarly, user [IAM Policies](/sandboxes/cloud-accounts/aws-accounts/aws-iam-policies.md) should not provide unnecessary access.
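One way to review a user IAM policy before attaching it to a track, as an added example that is not Instruqt's own tooling: it flags wildcard grants and statements that are not pinned to a region. The function name `lint_user_policy`, the sample policies and the choice to express region pinning with the `aws:RequestedRegion` condition key inside the policy are assumptions made for this illustration.

```python
import json

# Constructed sample: a scoped-down user policy for a hypothetical EC2 track.
SCOPED = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:DescribeInstances", "ec2:RunInstances"],
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:RequestedRegion": "eu-west-1"}}
  }]
}""")

# Constructed sample: a service-wide grant of the kind a full-access policy gives.
BROAD = {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}

def _as_list(value):
    """IAM accepts a single string or a list for Action; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])

def lint_user_policy(policy):
    """Return (statement index, finding) pairs for overly broad Allow statements."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append((i, "NotAction in Allow grants everything not listed"))
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((i, f"wildcard action {action!r}"))
        # Region pinning: look for aws:RequestedRegion under any condition operator
        # (condition key names are case-insensitive).
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if "aws:requestedregion" not in keys:
            findings.append((i, "no aws:RequestedRegion condition"))
    return findings

if __name__ == "__main__":
    for name, doc in (("scoped", SCOPED), ("broad", BROAD)):
        print(name, lint_user_policy(doc) or "ok")
```

A clean result only means the policy has no wildcard or unpinned statement; whether the listed actions are the minimum the track needs still has to be judged against the track's requirements.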

{% hint style="info" %}
For setting up the cloud account in lifecycle scripts, it is recommended to use an admin user with elevated privileges. This ensures the ability to perform operations requiring higher privileges than those assigned to the end user.

Note: Admin credentials are injected exclusively into lifecycle scripts, unlike end user credentials which are exposed as environment variables on virtual machines and containers.
{% endhint %}

{% hint style="info" %}
Instruqt recommends following the account security best practices provided by your cloud provider of choice. There is no one-size-fits-all policy that will work for all tracks. If you are unsure which policy you should have in place, please reach out to your cloud subject matter expert.
{% endhint %}


