Securing your cloud accounts

Cloud account usage can lead to abuse without the appropriate security policies in place. Always be sure to implement the appropriate policies and restrictions before exposing tracks with cloud accounts to the public.

Costs associated with cloud accounts are in addition to your standard Instruqt billing. Therefore, you should take extra precautions when allowing users to access tracks that have cloud accounts.

Services and Regions

Service and region restriction restrictions can be put in place globally or at a track level. In this section we focus on enabling at the track level. If you would like more information on global configuration, read the cloud services and regions section under global sandbox settings.

Providing full access to cloud services/accounts is never recommended. Policy of least possible permissions should be in place according to the requirements of the track. For example, an AWS managed policy with role AmazonEC2FullAccess should only be used for admin managed policies and not for user managed policies. Similarly, user IAM Policies should not provide unnecessary access.

For setting up the cloud account in lifecycle scripts, it is recommended to use an admin user with elevated privileges. This ensures the ability to perform operations requiring higher privileges than those assigned to the end user.

Note: Admin credentials are injected exclusively into lifecycle scripts, unlike end user credentials which are exposed as environment variables on virtual machines and containers.

Instruqt recommends following best practices for account security that are provided by the cloud provider of choice. There is no way of providing a one size fits all policy that will work for all tracks. If you are questioning what policy you should have in place please reach out to your cloud subject matter expert.

PreviousCloud accounts NextCloud Client

Last updated 2 months ago

Was this helpful?