

 AWS Cloud9 is no longer available to new customers. Existing customers of AWS Cloud9 can continue to use the service as normal. [Learn more](https://aws.amazon.com/blogs/devops/how-to-migrate-from-aws-cloud9-to-aws-ide-toolkits-or-aws-cloudshell/)

# Additional setup options for AWS Cloud9
<a name="setup-teams"></a>

This topic assumes you already completed the setup steps in [Team Setup](setup.md) or [Enterprise Setup](setup-enterprise.md).

In [Team Setup](setup.md) or [Enterprise Setup](setup-enterprise.md), you created groups and added AWS Cloud9 access permissions directly to those groups. This is to ensure that users in those groups can access AWS Cloud9. In this topic, you add more access permissions to restrict the kinds of environments that users in those groups can create. This can help control costs related to AWS Cloud9 in AWS accounts and organizations.

To add these access permissions, you create your own set of policies that define the AWS access permissions you want to enforce. We call each of these a *customer managed policy*. Then, you attach those customer managed policies to the groups that the users belong to. In some scenarios, you must also detach existing AWS managed policies that are already attached to those groups. To set this up, follow the procedures in this topic.

**Note**  
The following procedures cover attaching and detaching policies for AWS Cloud9 users only. These procedures assume you already have a separate AWS Cloud9 users group and AWS Cloud9 administrators group. They also assume that you have only a limited number of users in the AWS Cloud9 administrators group. This AWS security best practice can help you better control, track, and troubleshoot issues with AWS resource access.

## Step 1: Create a customer managed policy
<a name="setup-teams-create-policy"></a>

You can create a customer managed policy using the [AWS Management Console](#setup-teams-create-policy-console) or the [AWS Command Line Interface (AWS CLI)](#setup-teams-create-policy-cli).

**Note**  
This step covers creating a customer managed policy for IAM groups only. To create a custom permission set for groups in AWS IAM Identity Center, skip this step and follow the instructions in [Create Permission Set](https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsets.html#howtocreatepermissionset) in the *AWS IAM Identity Center User Guide*. In this topic, follow the instructions to create a custom permission set. For related custom permissions policies, see [Customer managed policy examples for teams using AWS Cloud9](setup-teams-policy-examples.md) later in this topic.

### Step 1.1: Create a customer managed policy using the console
<a name="setup-teams-create-policy-console"></a>

1. Sign in to the AWS Management Console, if you aren't already signed in.

   We recommend you sign in using credentials for an administrator user in your AWS account. If you can't do this, check with your AWS account administrator.

1. Open the IAM console. To do this, in the console's navigation bar, choose **Services**. Then choose **IAM**.

1. In the service's navigation pane, choose **Policies**.

1. Choose **Create policy**.

1. In the **JSON** tab, paste one of our suggested [customer managed policy examples](setup-teams-policy-examples.md).
**Note**  
You can also create your own customer managed policies. For more information, see the [IAM JSON Policy Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide* and the AWS service's [documentation](https://aws.amazon.com/documentation/).

1. Choose **Review policy**.

1. On the **Review policy** page, type a **Name** and an optional **Description** for the policy, and then choose **Create policy**.

Repeat this step for each additional customer managed policy that you want to create. Then, skip ahead to [Add customer managed policies to a group using the console](#setup-teams-add-policy-console).

### Step 1.2: Create a customer managed policy using the AWS CLI
<a name="setup-teams-create-policy-cli"></a>

1. On the computer where you run the AWS CLI, create a file to describe the policy (for example, `policy.json`).

   If you create the file with a different file name, substitute it throughout this procedure.

1. Paste one of our suggested [customer managed policy examples](setup-teams-policy-examples.md) into the `policy.json` file.
**Note**  
You can also create your own customer managed policies. For more information, see the [IAM JSON Policy Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide* and the AWS services' [documentation](https://aws.amazon.com/documentation/).

1. From the terminal or command prompt, switch to the directory that contains the `policy.json` file.

1. Run the IAM `create-policy` command, specifying a name for the policy and the `policy.json` file.

   ```
   aws iam create-policy --policy-document file://policy.json --policy-name MyPolicy
   ```

   In the preceding command, replace `MyPolicy` with a name for the policy.

Skip ahead to [Add customer managed policies to a group using the AWS CLI](#setup-teams-add-policy-cli).

## Step 2: Add customer managed policies to a group
<a name="setup-teams-add-policy"></a>

You can add customer managed policies to a group by using the [AWS Management Console](#setup-teams-add-policy-console) or the [AWS Command Line Interface (AWS CLI)](#setup-teams-add-policy-cli). For more information, see [Customer managed policy examples for teams using AWS Cloud9](setup-teams-policy-examples.md).

**Note**  
This step covers adding customer managed policies to IAM groups only. To add custom permission sets to groups in AWS IAM Identity Center, skip this step and follow the instructions in [Assign User Access](https://docs.aws.amazon.com/singlesignon/latest/userguide/useraccess.html#assignusers) in the *AWS IAM Identity Center User Guide* instead.

### Step 2.1: Add customer managed policies to a group using the console
<a name="setup-teams-add-policy-console"></a>

1. With the IAM console open from the previous procedure, in the service's navigation pane, choose **Groups**.

1. Choose the group's name.

1. On the **Permissions** tab, for **Managed Policies**, choose **Attach Policy**.

1. In the list of policy names, choose the box next to each customer managed policy that you want to attach to the group. If you don't see a specific policy name in the list, enter the policy name in the **Filter** box to display it.

1. Choose **Attach Policy**.

### Step 2.2: Add customer managed policies to a group using the AWS CLI
<a name="setup-teams-add-policy-cli"></a>

**Note**  
If you're using [AWS managed temporary credentials](security-iam.md#auth-and-access-control-temporary-managed-credentials), you can't use a terminal session in the AWS Cloud9 IDE to run some or all of the commands in this section. To address AWS security best practices, AWS managed temporary credentials don’t allow some commands to be run. Instead, you can run those commands from a separate installation of the AWS Command Line Interface (AWS CLI).

Run the IAM `attach-group-policy` command, specifying the group's name and the Amazon Resource Name (ARN) of the policy.

```
aws iam attach-group-policy --group-name MyGroup --policy-arn arn:aws:iam::123456789012:policy/MyPolicy
```

In the preceding command, replace `MyGroup` with the name of the group. Replace `123456789012` with the AWS account ID. And replace `MyPolicy` with the name of the customer managed policy.

## Next steps
<a name="setup-teams-next-steps"></a>


|  **Task**  |  **See this topic**  | 
| --- | --- | 
|  Create an AWS Cloud9 development environment, and then use the AWS Cloud9 IDE to work with code in your new environment.  |   [Creating an environment](create-environment.md)   | 
|  Learn how to use the AWS Cloud9 IDE.  |   [Getting started: basic tutorials](tutorials-basic.md) and [Working with the IDE](ide.md)   | 
|  Invite others to use your new environment along with you in real time and with text chat support.  |   [Working with Shared Environments](share-environment.md)   | 

# Customer managed policy examples for teams using AWS Cloud9
<a name="setup-teams-policy-examples"></a>

The following are some examples of policies that you can use to restrict the environments that users in a group can create in an AWS account.
+  [Prevent users in a group from creating environments](#setup-teams-policy-examples-prevent-environments) 
+  [Prevent users in a group from creating EC2 environments](#setup-teams-policy-examples-prevent-ec2-environments) 
+  [Allow users in a group to create EC2 environments only with specific Amazon EC2 instance types](#setup-teams-policy-examples-specific-instance-types) 
+  [Allow users in a group to create only a single EC2 environment per AWS Region](#setup-teams-policy-examples-single-ec2-environment) 

## Prevent users in a group from creating environments
<a name="setup-teams-policy-examples-prevent-environments"></a>

The following customer managed policy, when attached to an AWS Cloud9 users group, prevents those users from creating environments in an AWS account. This is useful if you want an administrator user in your AWS account, rather than the users in the AWS Cloud9 users group themselves, to manage creating environments.

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "cloud9:CreateEnvironmentEC2",
        "cloud9:CreateEnvironmentSSH"
      ],
      "Resource": "*"
    }
  ]
}
```

------

The preceding customer managed policy explicitly overrides `"Effect": "Allow"` for `"Action": "cloud9:CreateEnvironmentEC2"` and `"cloud9:CreateEnvironmentSSH"` on `"Resource": "*"` in the `AWSCloud9User` managed policy that's already attached to the AWS Cloud9 users group.

## Prevent users in a group from creating EC2 environments
<a name="setup-teams-policy-examples-prevent-ec2-environments"></a>

The following customer managed policy, when attached to an AWS Cloud9 users group, prevents those users from creating EC2 environments in an AWS account. This is useful if you want an administrator user in your AWS account, rather than the users in the AWS Cloud9 users group themselves, to manage creating EC2 environments. This assumes you didn't also attach a policy that prevents users in that group from creating SSH environments; if you did, those users can't create environments at all.

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "cloud9:CreateEnvironmentEC2",
      "Resource": "*"
    }
  ]
}
```

------

The preceding customer managed policy explicitly overrides `"Effect": "Allow"` for `"Action": "cloud9:CreateEnvironmentEC2"` on `"Resource": "*"` in the `AWSCloud9User` managed policy that's already attached to the AWS Cloud9 users group.

## Allow users in a group to create EC2 environments only with specific Amazon EC2 instance types
<a name="setup-teams-policy-examples-specific-instance-types"></a>

The following customer managed policy, when attached to an AWS Cloud9 users group, allows users in the user group to create EC2 environments that only use instance types starting with `t2` in an AWS account. This policy assumes you didn't also attach a policy that prevents users in that group from creating EC2 environments. Otherwise, those users can't create EC2 environments.

You can replace `"t2.*"` in the following policy with a different instance class (for example, `"m4.*"`). Or, you can restrict it to multiple instance classes or instance types (for example, `[ "t2.*", "m4.*" ]` or `[ "t2.micro", "m4.large" ]`).

For an AWS Cloud9 users group, detach the `AWSCloud9User` managed policy from the group. Then, add the following customer managed policy in its place. If you don't detach the `AWSCloud9User` managed policy, the following customer managed policy will have no effect.

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloud9:CreateEnvironmentSSH",
        "cloud9:GetUserPublicKey",
        "cloud9:UpdateUserSettings",
        "cloud9:GetUserSettings",
        "iam:GetUser",
        "iam:ListUsers",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "cloud9:CreateEnvironmentEC2",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "cloud9:InstanceType": "t2.*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloud9:DescribeEnvironmentMemberships"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Null": {
          "cloud9:UserArn": "true",
          "cloud9:EnvironmentId": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "cloud9.amazonaws.com"
        }
      }
    }
  ]
}
```

------

The preceding customer managed policy also allows those users to create SSH environments. To prevent those users from creating SSH environments altogether, remove `"cloud9:CreateEnvironmentSSH",` from the preceding customer managed policy.

## Allow users in a group to create only a single EC2 environment in each AWS Region
<a name="setup-teams-policy-examples-single-ec2-environment"></a>

The following customer managed policy, when attached to an AWS Cloud9 users group, allows each of those users to create a maximum of one EC2 environment in each AWS Region that AWS Cloud9 is available in. This is done by restricting the name of the environment to one specific name in that AWS Region. In this example, the environment is restricted to `my-demo-environment`.

**Note**  
AWS Cloud9 doesn't support restricting environment creation to specific AWS Regions. AWS Cloud9 also doesn't support restricting the overall number of environments that can be created; the only limit is the published [service limits](limits.md).

For an AWS Cloud9 users group, detach the `AWSCloud9User` managed policy from the group, and then add the following customer managed policy in its place. If you don't detach the `AWSCloud9User` managed policy, the following customer managed policy has no effect.

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloud9:CreateEnvironmentSSH",
        "cloud9:GetUserPublicKey",
        "cloud9:UpdateUserSettings",
        "cloud9:GetUserSettings",
        "iam:GetUser",
        "iam:ListUsers",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloud9:CreateEnvironmentEC2"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "cloud9:EnvironmentName": "my-demo-environment"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloud9:DescribeEnvironmentMemberships"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Null": {
          "cloud9:UserArn": "true",
          "cloud9:EnvironmentId": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "cloud9.amazonaws.com"
        }
      }
    }
  ]
}
```

------

The preceding customer managed policy allows those users to create SSH environments. To prevent those users from creating SSH environments altogether, remove `"cloud9:CreateEnvironmentSSH",` from the preceding customer managed policy.
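To see why the explicit `Deny` policies override `AWSCloud9User` while the conditional `Allow` policies only work once `AWSCloud9User` is detached, the following added example (not part of the AWS documentation or the Cloud9 service) runs a simplified IAM decision over the policies from this topic. The `AWS_CLOUD9_USER` stand-in is constructed from the description above (an unconditional allow on both create actions), resource matching is skipped because every statement here uses `"Resource": "*"`, and only the `StringEquals`, `StringLike` and `Null` operators that these policies use are modelled.

```python
import fnmatch

# Constructed stand-in for the AWSCloud9User managed policy (assumption: as the
# text above states, it allows both create actions on "*" without conditions).
AWS_CLOUD9_USER = {"Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["cloud9:CreateEnvironmentEC2", "cloud9:CreateEnvironmentSSH"]}]}

# The page's "prevent EC2 environments" policy, and the EC2 statement of its
# "t2 only" policy, reduced to the statements that decide the create call.
DENY_EC2 = {"Statement": [{"Effect": "Deny", "Resource": "*",
    "Action": "cloud9:CreateEnvironmentEC2"}]}
T2_ONLY = {"Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": "cloud9:CreateEnvironmentEC2",
    "Condition": {"StringLike": {"cloud9:InstanceType": "t2.*"}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_ok(cond, ctx):
    """Evaluate the condition operators used by the policies on this page."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)  # context key supplied with the request, if any
            if op == "StringEquals":
                ok = have in _as_list(want)
            elif op == "StringLike":  # IAM wildcards: * and ? (case-sensitive)
                ok = have is not None and any(fnmatch.fnmatchcase(have, w) for w in _as_list(want))
            elif op == "Null":  # "true" means the key must be absent from the request
                ok = (have is None) == (str(want).lower() == "true")
            else:
                raise ValueError(f"operator {op} is not modelled in this example")
            if not ok:
                return False
    return True


def evaluate(policies, action, ctx=None):
    """Simplified IAM logic: explicit Deny wins, else any Allow, else implicit deny."""
    ctx = ctx or {}
    decision = "implicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
                continue
            if not _condition_ok(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"
            decision = "allow"  # keep scanning: a later Deny still overrides
    return decision
```

With both `AWS_CLOUD9_USER` and `T2_ONLY` attached, an `m4.large` request is still allowed, which is the "has no effect" situation the text warns about; for real policy documents, `aws iam simulate-custom-policy` performs this evaluation against the full IAM logic without attaching anything.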

For more examples, see [Customer managed policy examples](security-iam.md#auth-and-access-control-customer-policies-examples).