Securing your cloud accounts

Services and Regions

Service and region restrictions can be put in place globally or at the track level. This section covers enabling them at the track level; for the global configuration, read the cloud services and regions section under global sandbox settings.

Providing full access to cloud services or accounts is never recommended. A least-privilege policy, granting only the permissions the track actually requires, should be in place. For example, a broad AWS managed policy such as AmazonEC2FullAccess should only be used in the admin managed policies and not in the user managed policies. Likewise, user IAM policies should not grant access the track does not need.
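As an added example (not Instruqt's own code, and not part of the original page), the following Python script lints an AWS IAM policy document for the least-privilege and region-scoping points made above: wildcard actions, mutating actions on `Resource: "*"`, and statements with no `aws:RequestedRegion` condition. The two sample policies are constructed for this example; the account id in them is a placeholder, and the policy shape follows the public IAM policy grammar.

```python
"""Lint an AWS IAM policy document for least-privilege violations.

Added example; the sample policies below are constructed and the
account id 111111111111 is a placeholder, not a real account.
"""
import json

# By AWS naming convention these verbs are read-only; anything else is
# treated as a mutating (write) action for the resource check below.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    """IAM accepts either a single string or a list for Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    # "ec2:Describe*" -> verb "Describe*" (read-only); "ec2:*" -> "*" (not)
    _, _, verb = action.partition(":")
    return verb.startswith(READ_ONLY_PREFIXES)


def _region_condition(statement):
    """Return the regions a statement is pinned to, or None if unpinned."""
    cond = statement.get("Condition", {})
    for op in ("StringEquals", "StringEqualsIgnoreCase"):
        if "aws:RequestedRegion" in cond.get(op, {}):
            return _as_list(cond[op]["aws:RequestedRegion"])
    return None


def lint_policy(policy, allowed_regions):
    """Return (statement_index, code, detail) tuples for Allow statements
    that exceed least privilege or escape the track's region allow-list."""
    findings = []
    allowed = set(allowed_regions)
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        if "*" in actions:
            findings.append((i, "ACTION_WILDCARD", "Action '*' grants every API call"))
        for a in actions:
            if a.endswith(":*"):
                findings.append((i, "SERVICE_WILDCARD", f"{a} grants every call in the service"))
        if "*" in resources and any(not _is_read_only(a) for a in actions):
            findings.append((i, "WRITE_ON_ANY_RESOURCE", "mutating actions allowed on Resource '*'"))
        regions = _region_condition(st)
        if regions is None:
            findings.append((i, "NO_REGION_CONDITION", "statement is usable in every region"))
        elif not set(regions) <= allowed:
            extra = sorted(set(regions) - allowed)
            findings.append((i, "REGION_NOT_ALLOWED", f"regions outside allow-list: {extra}"))
    return findings


def is_least_privilege(policy, allowed_regions):
    return not lint_policy(policy, allowed_regions)


# Constructed end-user policy: read-only EC2 describes, start/stop limited to
# instances in one region, and every statement pinned to that region.
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:DescribeImages"],
         "Resource": "*",
         "Condition": {"StringEquals": {"aws:RequestedRegion": ["eu-west-1"]}}},
        {"Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances"],
         "Resource": "arn:aws:ec2:eu-west-1:111111111111:instance/*",
         "Condition": {"StringEquals": {"aws:RequestedRegion": "eu-west-1"}}},
    ],
}

# Constructed over-broad policy with the breadth of a service "full access"
# grant: every EC2 call, on every resource, in every region.
FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}

if __name__ == "__main__":
    for name, pol in (("user", USER_POLICY), ("full-access", FULL_ACCESS_POLICY)):
        print(name, json.dumps(lint_policy(pol, ["eu-west-1"]), indent=2))
```

Run it as a pre-flight check over a track's user policy with the track's allowed regions; an empty findings list means every Allow statement is scoped to named actions, specific resources for writes, and the allow-listed regions. Policies that intentionally carry a `SERVICE_WILDCARD` belong with the admin managed policies used by lifecycle scripts, not with the end-user policy.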

For setting up the cloud account in lifecycle scripts, it is recommended to use an admin user with elevated privileges. This ensures the ability to perform operations requiring higher privileges than those assigned to the end user.

Note: Admin credentials are injected exclusively into lifecycle scripts, unlike end user credentials which are exposed as environment variables on virtual machines and containers.

Instruqt recommends following the account-security best practices published by your cloud provider of choice. No single policy fits every track; if you are unsure which policy to put in place, please reach out to your cloud subject matter expert.
