Roles Reference

Every CE role requires MFA and an ExternalId. None can be assumed by anyone outside of continuous.engineering.

CE-ReadOnly

Read-only across all AWS services. No write, delete, or modify of any kind.

Managed policy: ReadOnlyAccess
Session: 4 hours
MFA required: within 8 hours

Used for: initial assessments, audits, architecture reviews, monitoring.


CE-Security

Read access to security-relevant services: CloudTrail, GuardDuty, Config, SecurityHub, IAM (read only).

Managed policies: SecurityAudit, AmazonGuardDutyReadOnlyAccess, AWSCloudTrail_ReadOnlyAccess, AWSConfigUserAccess
Session: 4 hours
MFA required: within 8 hours

Used for: security assessments, compliance audits, incident investigation.


CE-SRE

Read everything, restart and scale services, access EC2 instances via SSM. Cannot create or delete infrastructure.

Base: ReadOnlyAccess
Additional: restart EC2/ECS/RDS/ASG, SSM shell on all instances, CloudWatch Logs
Session: 4 hours
MFA required: within 8 hours

Used for: incident response, operational support, performance troubleshooting.


CE-DevOps

Broad infrastructure access. Can create and modify EC2, RDS, ECS, Lambda, VPCs, S3, and most services. Explicitly blocked from creating IAM users, roles, or policies, and from any Organizations actions.

Base: PowerUserAccess
Denied: all IAM write, organizations:*
Session: 4 hours
MFA required: within 8 hours

Used for: infrastructure builds, deployments, migrations.


CE-Data

Read access to RDS, S3, Athena, and Glue. SSM shell restricted to instances tagged database=true.

Managed policies: AmazonRDSReadOnlyAccess, AmazonS3ReadOnlyAccess, AmazonAthenaFullAccess, AWSGlueConsoleReadOnlyAccess
SSM access: instances tagged database=true only
Session: 4 hours
MFA required: within 8 hours

Used for: data engineering, database administration, analytics work. See tagging instructions.


CE-Admin

Full administrative access. Shortest session. Tightest MFA window. Your security team is emailed on every single assumption.

Managed policy: AdministratorAccess
Session: 2 hours
MFA required: within 1 hour
Alert: email to AdminAlertEmail on every assumption

CE engineers escalate to CE-Admin only when the work genuinely requires it. Day-to-day work uses the least-privileged role appropriate for the task.


CE-DenyProd (Managed Policy)

Not a role. A managed policy you attach to any CE role to block access to production resources.

Any resource tagged env-prod=true becomes inaccessible. The explicit deny overrides all allow statements, including those granted by AdministratorAccess.

Attach it to any role:

```bash
aws iam attach-role-policy \
  --role-name CE-SRE \
  --policy-arn <CEDenyProdPolicyArn from stack outputs>
```
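To see why CE-DenyProd wins even over AdministratorAccess, here is a small model of IAM's decision logic (explicit Deny beats any Allow; no match is an implicit deny). This is an added example, not code from the CE stack; the two statement shapes are assumed renderings of what this page describes, not the real managed policy documents, and the evaluator ignores Resource ARNs, permission boundaries and SCPs.

```python
"""Minimal model of IAM policy evaluation for the CE-DenyProd case.

Added example, not part of continuous.engineering's stack. The statements
below are assumed renderings of what the page describes: AdministratorAccess
as an Allow on every action, CE-DenyProd as a Deny conditioned on the
resource tag env-prod=true. Resource ARNs, boundaries and SCPs are ignored.
"""
import fnmatch

ADMINISTRATOR_ACCESS = {"Effect": "Allow", "Action": ["*"]}

CE_DENY_PROD = {  # assumed shape of the CE-DenyProd managed policy
    "Effect": "Deny",
    "Action": ["*"],
    "Condition": {"StringEquals": {"aws:ResourceTag/env-prod": "true"}},
}

TAG_PREFIX = "aws:ResourceTag/"


def statement_matches(stmt, action, resource_tags):
    """A statement applies when an Action pattern matches and every
    StringEquals condition on aws:ResourceTag/<key> equals the resource's tag."""
    if not any(fnmatch.fnmatchcase(action, pat) for pat in stmt["Action"]):
        return False
    conditions = stmt.get("Condition", {}).get("StringEquals", {})
    for key, wanted in conditions.items():
        if key.startswith(TAG_PREFIX):
            if resource_tags.get(key[len(TAG_PREFIX):]) != wanted:
                return False  # tag absent or different: condition not met
    return True


def evaluate(statements, action, resource_tags=None):
    """IAM decision order: any explicit Deny -> deny; else any Allow -> allow;
    else implicit deny."""
    resource_tags = resource_tags or {}
    applicable = [s for s in statements if statement_matches(s, action, resource_tags)]
    if any(s["Effect"] == "Deny" for s in applicable):
        return "explicit deny"
    if any(s["Effect"] == "Allow" for s in applicable):
        return "allow"
    return "implicit deny"


if __name__ == "__main__":
    admin_with_denyprod = [ADMINISTRATOR_ACCESS, CE_DENY_PROD]
    # Constructed requests: same action, only the env-prod tag differs.
    for tags in ({"env-prod": "true"}, {"env-prod": "false"}, {}):
        print(tags, "->", evaluate(admin_with_denyprod, "ec2:TerminateInstances", tags))
```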