AWS
The Bridge School uses AWS (Amazon Web Services) for various services. Those services are detailed more in the sections of the wiki where they directly apply. This page is just a basic overview of the AWS setup.
Accounts
AWS access is managed through the IAM (Identity and Access Management) service. We use two primary types of accounts in AWS:
Root Account
The root user is the identity that was created when the Bridge School AWS account was registered; it is tied to web@bridgeschool.org. You can log in to the AWS console at aws.amazon.com. The password for the account can be found in the Bridge School KeePass file.
Note
The root user has unrestricted access to the whole account and cannot be limited by IAM policies, so it should only be used for tasks that require it, such as setting up the first administrative users and their permissions. All other work in AWS should be done with an appropriately permissioned IAM user. Protect the root user with MFA, and do not create access keys for it.
User Accounts
User accounts should be created for most interactions with AWS. User accounts can be created for various purposes:
- Developer users: accounts for individual developers/admins of the Bridge School AWS.
- Application users: accounts for software rather than people. For example, a wordpress user could be created and granted only the permissions WordPress needs to interact with the AWS services it uses. Where the application runs on an EC2 instance, prefer an IAM role (see Permissions below) so that no long-lived access keys have to be stored on the server.
Console access
User accounts can optionally be granted access to the AWS console (web-based admin tool). If a user is granted console access, they can log in to the console with their specific AWS user credentials (ideally with MFA enabled on the user) at the Bridge School console login page:
https://bridgeschool.signin.aws.amazon.com/console
API access
Along with console access, user accounts can optionally be granted programmatic (CLI/API) access. This allows the user to interact with any AWS resources they have permission to via the AWS Command Line Interface or the SDKs. In order to execute commands through the CLI, you will need to supply your ACCESS KEY ID and your SECRET ACCESS KEY. These are different from your username and password for console access. The secret access key is shown only once, when the key is created, and cannot be recovered afterwards. If you don't have or have lost your access keys, the old ones should be deactivated (and later deleted) and new keys created by a user with IAM administrative permissions (the root user can do this, but an IAM admin user is preferable). Treat access keys like passwords: keep them out of shared documents and source control.
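The rotation procedure above (issue a replacement, deactivate the old key, delete it only once nothing still depends on it), written as sh functions around the AWS CLI. This is an added example for this wiki page, not Bridge School tooling or AWS code; the user name alice and the key IDs in the comments are hypothetical, and running it requires credentials with iam:ListAccessKeys, iam:CreateAccessKey, iam:UpdateAccessKey and iam:DeleteAccessKey for the target user.

```shell
#!/bin/sh
# Access-key rotation helpers for one IAM user (example for this wiki).
# The AWS CLI is called directly; --query/--output text keep the output
# parseable without jq.

# Print "KeyId<TAB>Status" for every key the user holds (IAM allows at most two).
list_keys() {
    aws iam list-access-keys --user-name "$1" \
        --query 'AccessKeyMetadata[].[AccessKeyId,Status]' --output text
}

# Create a new key pair and print "KeyId<TAB>Secret". The secret is returned
# exactly once: store it in the password manager before it scrolls away.
create_key() {
    aws iam create-access-key --user-name "$1" \
        --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text
}

# Deactivating keeps the key on record but rejects API calls made with it,
# so anything still using the old key fails visibly without the key being lost.
deactivate_key() {
    aws iam update-access-key --user-name "$1" --access-key-id "$2" --status Inactive
}

# Final step, once nothing has failed with the old key for a while.
delete_key() {
    aws iam delete-access-key --user-name "$1" --access-key-id "$2"
}

# rotate_key USER OLD_KEY_ID
# Issues a replacement for USER and deactivates OLD_KEY_ID. Prints the new
# key ID and secret on success. Returns 1 without changing anything when the
# user already holds two keys (IAM would refuse the create) or when
# OLD_KEY_ID is not one of the user's keys (wrong user or a typo).
rotate_key() {
    user=$1
    old=$2
    keys=$(list_keys "$user")
    if [ "$(printf '%s\n' "$keys" | grep -c .)" -ge 2 ]; then
        echo "rotate_key: $user already has two access keys; delete one first" >&2
        return 1
    fi
    if ! printf '%s\n' "$keys" | grep -q "^$old"; then
        echo "rotate_key: $old does not belong to $user" >&2
        return 1
    fi
    new=$(create_key "$user") || return 1
    deactivate_key "$user" "$old" || return 1
    printf '%s\n' "$new"
}

# Example session with a hypothetical user and key ID:
#   rotate_key alice AKIAEXAMPLEOLD
#   ... update the application/CLI config with the new key, watch for errors ...
#   delete_key alice AKIAEXAMPLEOLD
```

The two-key limit matters in practice: if a user already has a spare inactive key lying around, the create call fails, so the script checks first instead of leaving the user half-rotated.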
Permissions
Permissions in AWS are handled via policies, groups and roles:
- Policies: Policies are granular permission sets, written as JSON documents of Allow/Deny statements over actions and resources, that grant the specified permissions to whatever user, group or role they are attached to. Everything not explicitly allowed is denied, and an explicit Deny in any attached policy overrides an Allow in another.
- Groups: Multiple policies can be attached to a group (e.g. developers). Users can then be added to that group to inherit all the policies.
- Roles: Roles are similar to groups except that rather than adding users to a group, you let an AWS resource (or a user) assume the role. For example, you could attach a policy for S3 access to a role, then apply that role to an EC2 server that needs to be able to access S3; the server then receives short-lived credentials automatically instead of a stored access key.
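To make the policy model above concrete, here is a small Python model of how IAM evaluates the identity-based policies attached to a user (directly or through its groups): default deny, explicit Deny beats Allow, and * and ? wildcards in action names and resource ARNs. It is an added example for this page, not AWS code, and it deliberately leaves out Condition blocks, NotAction/NotResource, resource-based policies, permission boundaries and SCPs. The developers group, the wordpress user and the bucket names are hypothetical.

```python
"""Toy model of IAM identity-policy evaluation (example for this wiki, not AWS
code). Covers Effect, Action and Resource only; bucket and principal names below
are hypothetical."""
import re


def _wildcard(pattern: str) -> "re.Pattern[str]":
    """Compile an IAM-style pattern: '*' matches any run of characters, '?' one."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$", re.DOTALL)


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_matches(stmt: dict, action: str, resource: str) -> bool:
    """True if the statement's Action and Resource both cover this request.
    Action names are case-insensitive in IAM; resource ARNs are case-sensitive."""
    action_ok = any(_wildcard(a.lower()).match(action.lower())
                    for a in _as_list(stmt.get("Action")))
    resource_ok = any(_wildcard(r).match(resource)
                      for r in _as_list(stmt.get("Resource")))
    return action_ok and resource_ok


def is_allowed(policies, action: str, resource: str) -> bool:
    """Evaluate every policy attached to a principal. An explicit Deny in any
    matching statement wins outright; otherwise any matching Allow grants;
    otherwise the request is denied by default."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# Attached to the hypothetical "developers" group: read any bucket, write none.
S3_READ = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:ListBucket", "s3:GetObject"],
                   "Resource": "arn:aws:s3:::*"}],
}

# Attached to the hypothetical "wordpress" application user: its media bucket only.
WORDPRESS_MEDIA = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::bridgeschool-wp-media"},
        {"Effect": "Allow", "Action": "s3:*Object",
         "Resource": "arn:aws:s3:::bridgeschool-wp-media/*"},
    ],
}

# Guardrail: nobody touches the (hypothetical) backups bucket, whatever else
# their other policies allow.
DENY_BACKUPS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:*",
                   "Resource": ["arn:aws:s3:::bridgeschool-backups",
                                "arn:aws:s3:::bridgeschool-backups/*"]}],
}

if __name__ == "__main__":
    media = "arn:aws:s3:::bridgeschool-wp-media/uploads/logo.png"
    backup = "arn:aws:s3:::bridgeschool-backups/db.sql"
    print(is_allowed([S3_READ], "s3:GetObject", media))                 # True
    print(is_allowed([S3_READ], "s3:PutObject", media))                 # False: never allowed
    print(is_allowed([WORDPRESS_MEDIA], "s3:PutObject", media))         # True
    print(is_allowed([WORDPRESS_MEDIA], "s3:PutObject", backup))        # False: wrong bucket
    print(is_allowed([S3_READ, DENY_BACKUPS], "s3:GetObject", backup))  # False: explicit Deny
```

The last case is the one worth remembering when debugging "access denied": a developer in the developers group still cannot read the backups bucket because the Deny attached to the group beats the Allow, regardless of the order the policies were attached.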