AWS IAM User Access for Developer

Question

I want to give access to my developer to my MongoDB which is hosted by an EC2 Instance on AWS.

He should be able to make mongodump, upload the new backend and do some changes on our control Panel.

I created an IAM User with EC2FullAccess Permissions - I have seen that he was able to add his own IP to the Security Group so he could connect.

I don't feel so comfortable with that - what should I do, to secure myself that he has just enough access to do the necessary work:

• Upload new code to server
• Do MongoDB dump

I don't want him to be able to switch off/delete my instance or be able to delete my database at all.

Answer 1

IAM roles are for the purpose of accessing a service on behalf of another. Say, you want to access AWS DynamoDB or S3 from EC2 instance. In this case, an IAM role with required permissions attached to EC2 will server the purpose.

IAM User is for users who need access to AWS services either through Console or through API (programmatic). AWS credentials are required to access the service.

In your case, MongoDB is installed on EC2 and your developer needs access to "the server on which MongoDB is installed" and is not required any access of "AWS EC2 Service". As correctly pointed out in answer by @X-Men, IAM role or IAM user is not at all required. What required is, your developer to have the IP of server and credentials to login to that server. Username-password or username-key.

Restriction which you need on developer related to MongoDB are to be configured on MongoDB itself and not on EC2 level.

Answer 2

Looking at your use case, you do not need to give any EC2 permissions, your developer does not even need IAM user, he can simply have the IP of the instance and the login credentials to the EC2 Instance, that should be suffice to log in to the instance and make the required changes. No need for an IAM user or AWS Console access.