AWS Cloud9 concepts illustrated

AWS Cloud9 is an IDE that lets you write, run, and debug your code with just a web browser.
The purpose of this story is to visually show / explain how it works and what is in my opinion the most important Cloud9 concepts to grasp (regarding permissions, networking, …).

Firstly, The big picture 🌔

AWS Cloud9 is a service that is managing a browser-based IDE (hosted on an EC2 instance) in your AWS account.

(You can also install Cloud9 on a remote server using SSH but we won’t discuss this solution here)

AWS Cloud9 starts the EC2 instance when you need to use it and stop it whenever it is idle (though Cloud9 is free, you still have to pay for the EC2 instances).

I can see the EC2 instance of my environment (one Cloud9 environment = one EC2 instance)

The environments 🔍

To use Cloud9 you need to create an environment: 3 options are available

In this story I will focus on the environments in blue because they are running on AWS (they are called EC2 environments).

The IAM entity (an IAM user or role for instance) creating the Cloud9 environment is the “owner” of the environment and its IAM permissions can be made available on the EC2 instance of the environment (thanks to a Cloud9 feature named AWS managed temporary credentials).

Here I have created 2 Cloud9 environments: 1 “direct access” (SSH) and 1 “no-ingress” (Systems Manager)

“Direct Access (SSH) vs “No-ingress” (Systems Manager) 📸

The main difference between the 2 environments is how Cloud9 communicates with the EC2 instance.
With EC2 “no-ingress” the EC2 instance will use a service named AWS Systems Manager. Thanks to this type of environment, the EC2 instance can be created in a private subnet (which is better in terms of security).

AWS Managed temporary credentials: a few notes 📚

• By default both “direct access” and “no-ingress” environments use the AWS Managed temporary credentials.
• You can disable the AWS Managed temporary credentials within the IDE (it will remove the ~/.aws/credentials file used to sign the requests made by CLI or SDK).
• Only the environment owner can enable or disable AWS Managed temporary credentials
• The “no-ingress” environment needs to keep its IAM role attached (so Cloud9 can start the EC2 instance).

Sharing environments 🤝

The owner of an environment can share the access (R or R&W) with IAM users of the AWS account.
The IAM user once invited can access the environment (the managed AWSCloud9EnvironmentMember policy can be attached).

• R (Read only) = The invited IAM user can only read files inside the “ec2-user/environment” directory
• R&W = the invited IAM user gets a terminal access (ec2-user) and can therefore see and use the AWS managed temporary credentials (so be careful). The invited IAM user can also write / remove files.

No matter what the permissions of the IAM users are (R or R&W), they can use the chat to collaborate and that’s what is making Cloud9 a powerful tool to collaborate.

The end

That’s all, I hope you liked this post!
P.S. I might update this post in the future if needed, so don’t hesitate to share your feedback. 😄

References

Cloud9 user guide
https://docs.aws.amazon.com/cloud9/latest/user-guide/welcome.html