Add AWS dev account setup guidelines#72

Open
amalbet wants to merge 5 commits into main from docs/aws-dev-account-setup
@amalbet amalbet commented Apr 16, 2026

Summary

Guidelines for the IT admin to provision a dedicated AWS dev account for OpenEMS + MBE work. The dev account provides hard isolation from production and enables safe, scoped access for Claude Code agent sessions without risk to prod.

What it covers

  • Rationale for separating dev from prod (blast radius)
  • AWS Organizations + OU structure
  • Day-one services to enable (CloudTrail, GuardDuty, Budgets)
  • Region lock to us-east-1
  • IAM strategy: SSO for humans, scoped IAM users for automation
  • 4 Service Control Policies (copy-paste-ready JSON):
    • Region lock
    • Deny expensive instance types (no metal, GPU, high-memory)
    • Require Environment tag on EC2/RDS
    • Protect CloudTrail from being disabled
  • Claude Code agent IAM policy with rationale for each permission
  • Cost expectations (~$150/mo) + budget alert thresholds
  • Provisioning checklist Aidan can work through
  • Open questions for alignment

Related

Test plan

  • Doc renders on GitHub (tables, code blocks, JSON)
  • Aidan reviews and answers the 5 open questions at the bottom
  • Provisioning checklist executed, dev account ready for terraform apply

🤖 Generated with Claude Code
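As an added example (not part of this PR or the document it adds), two of the four SCPs from the list above written out as policy documents, plus a small local evaluator that shows why an SCP Deny overrides anything an IAM user or role policy grants. The exempted global services, the exact CloudTrail action list, and the evaluator's simplifications are assumptions; real AWS evaluation also involves identity policies, resource policies, and service-specific behaviour.

```python
import fnmatch
# Constructed SCPs (assumption): the exempted global services and the CloudTrail
# action list are illustrative, not the document's own JSON.
REGION_LOCK_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyOutsideUsEast1",
        "Effect": "Deny",
        # Global services carry no usable region; the standard pattern exempts them
        "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*",
                      "budgets:*", "cloudfront:*", "route53:*"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": "us-east-1"}},
    }],
}
PROTECT_CLOUDTRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyDisablingCloudTrail",
        "Effect": "Deny",
        "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                   "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"],
        "Resource": "*",
    }],
}

def _matches(patterns, action):
    # IAM action matching is case-insensitive and allows '*' wildcards
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _condition_holds(cond, ctx):
    # Simplified: only StringNotEquals is modelled; every listed key must hold
    return all(ctx.get(k) != v for k, v in cond.get("StringNotEquals", {}).items())

def scp_denies(scp, action, ctx):
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt:
            hit = _matches(stmt["Action"], action)
        else:  # NotAction: the statement applies to everything NOT listed
            hit = not _matches(stmt["NotAction"], action)
        if hit and _condition_holds(stmt.get("Condition", {}), ctx):
            return True
    return False

def is_denied(action, region, scps=(REGION_LOCK_SCP, PROTECT_CLOUDTRAIL_SCP)):
    # An explicit Deny in any attached SCP wins regardless of IAM Allow statements
    return any(scp_denies(s, action, {"aws:RequestedRegion": region}) for s in scps)
```

Note that the region lock applies to the agent's IAM user as much as to a human SSO session, which is the point of putting it at the organization level rather than in each identity policy.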

Guidelines for the IT admin to provision a dedicated dev AWS account
isolated from production, with safe scoping for Claude Code agent
sessions. Covers account structure, IAM strategy, Service Control
Policies, cost controls, and a provisioning checklist.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Alejandro Malbet <amalbet@gmail.com>
amalbet added a commit that referenced this pull request Apr 16, 2026
Split out to #72 so each doc can be reviewed independently.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Alejandro Malbet <amalbet@gmail.com>
Still reviewing as part of implementation - see edits for changes and comments

Signed-off-by: Aidan Barnes <66229298+aidan-barnes-axm@users.noreply.github.com>
Signed-off-by: Aidan Barnes <66229298+aidan-barnes-axm@users.noreply.github.com>
added missing perm that was throwing error on terraform destroy

Signed-off-by: Aidan Barnes <66229298+aidan-barnes-axm@users.noreply.github.com>
Signed-off-by: Aidan Barnes <66229298+aidan-barnes-axm@users.noreply.github.com>