Cloud Economics

FAQ

AWS Account Access

How can a developer access the AWS CLI?

This depends upon the landing zone of the account.

Fully managed landing zones

Tenants in fully-managed landing zones, such as MCaaS, may be granted CLI access in certain cases, and need to inquire with the FCS Core team responsible for the landing zone.

Unmanaged landing zones

Tenants in the unmanaged VPCaaS landing zone have the ability to provision IAM roles and users to grant AWS CLI (and/or console) access. Tenants can provision IAM users with CLI-only access to their AWS account, and define permissions for each user. Under this approach, AWS credentials are generated. Tenants are responsible for regularly rotating these, at least every 90 days.

AWS recommends using IAM roles where possible, because they enable the use of temporary credentials. One way to do this within FCS is by using the GEAR-approved tool Saml2AWS. This enables users to authenticate with their FCS credentials to obtain temporary credentials for assuming a specific IAM role. These credentials can then be used with the AWS CLI.

Instructions for installing and using Saml2AWS are maintained for AWS Workspaces and the VDI.

AWS publishes Security Best Practices for IAM with additional recommendations for using IAM.