Account Basics

Please read this first!!

Please be sure to review, bookmark and follow all the AWS related standards in the Labs Engineering Standards.

Most important! Please note that all infrastructure must be created in the us-east-1 region in AWS. Any infrastructure found outside that region will need to be moved immediately or will be automatically de-provisioned. Thank you!

Organizations

Labs manages a set of AWS accounts using the AWS Organizations service. This allows us to create a structure and better manage dozens of separate accounts.

• All student AWS Product Accounts are located in the Students Organizational Unit (OU).

• Only Engineering Managers can create new AWS Product Accounts.

• Labs projects must never use AWS Accounts not managed by Lambda School Labs.

You can see a list of accounts here. Note, this list is not automatically updated, if you don't see your account, contact your engineering manager! Thanks.

IAM Users

Each member of a student team will have an associated IAM User. This IAM User will be created and managed by the APL for the Product.

• Only APLs have the ability to provision and manage IAM Users

• IAM Users have the permissions required to create AWS Access keys for their own use

IAM Groups

Each account will have a group named Students that all student IAM Users will be assigned to. This group has only specific permissions required for their project, adhering to the Principle of Least Privilege.

Labs Bot

Labs APLs will have access to a Slack Bot that will allow them to manage user accounts for student teams.

Adding Users

Labs Bot can create IAM users. These users should be created following the naming format for IAM Users in the Engineering Standards.

APLs can run /labsbot in Slack to work with the Labs Bot

• Example: jane.doe@lambdaschool.com - Jane Doe