*Disposable Cloud Environment (DCE)™* provides temporary, limited access to Amazon Web Services (AWS) accounts. Administrators can configure this limited access to expire based on time or budget. When the access expires, DCE destroys all of the resources in the account and returns the account to the account pool.
An account is an AWS account that is available for leasing.
A lease is temporary access to an AWS account. A lease has a budget, an expiration date, and a principal user.
DCE resets a leased child account under any one of the following conditions:
- The time set on the `expiresOn` field is now in the past
- The amount set on the `budgetAmount` field is exceeded
- With a `/leases` API call or CLI command
To reset an account, DCE performs the following actions, in order:
- Marks the lease as Inactive
- Marks the account as Not Ready
- Deletes all of the resources in the account
- Marks the account as Ready
The account status indicates if the account is ready to be leased, leased already, or in the process of being prepared to be leased again.
An account in Ready status is available for leasing. All of the resources in the account have been cleaned and the account is like a brand-new, fresh AWS account with the exception of an IAM role.
An account in Not Ready status is in the process of being reset so that it can be marked as Ready.
An account in Leased status is currently in use. A lease means that the account is “checked out”, much like a library book, a rental car, or a hotel room.
The lease status indicates whether or not a lease is currently in use.
An active lease is currently in use by the principal associated with the lease.
An inactive lease is a lease that has either expired or whose usage in the leased account has exceeded the budget on the lease.
Lease Status Reason
A lease that is expired has exceeded the time set by the `expiresOn` field of the lease.
The API accepts an `expiresOn` field during lease creation. DCE uses a configurable default read from the `DEFAULT_LEASE_LENGTH_IN_DAYS` environment variable when the `expiresOn` field is not present. If the configurable default is unset, DCE uses a period of seven (7) days.
A lease that is over budget has exceeded the budget amount set in the `budgetAmount` field of the lease.
Each lease has a configurable budget. DCE periodically monitors the leased child accounts and, when usage exceeds the budget amount, queues the account for reset.
A lease may be destroyed before it expires or exceeds budget through the API or CLI. In this case, the lease status is marked “Inactive” and the reason is “Destroyed”. The account associated with the lease is then reset and the account is returned to the account pool.
A lease with an Active status reason is an active lease.
A lease with the Rollback lease status reason has experienced a failure while DCE was getting the child account ready from the account pool. In the event of a failure, DCE sets the lease status to Inactive and the reason to Rollback and returns the child account to the child pool.
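The expiry default and the status reasons described above can be modelled as a small decision function. This is an added example, not DCE's own code. It assumes `expiresOn` is epoch seconds, that the reason strings for the expired and over-budget cases are `Expired` and `OverBudget`, that the checks are made in the order shown, and that an invalid default value is treated as unset.

```python
import os
import time
from dataclasses import dataclass
from typing import Optional

FALLBACK_LEASE_DAYS = 7      # the page's fallback when the default is unset
SECONDS_PER_DAY = 86400


def default_lease_days(env=os.environ) -> int:
    """Read DEFAULT_LEASE_LENGTH_IN_DAYS, falling back to seven days."""
    raw = env.get("DEFAULT_LEASE_LENGTH_IN_DAYS", "").strip()
    # Assumption: a non-numeric or zero value is treated the same as unset.
    if raw.isdecimal() and int(raw) > 0:
        return int(raw)
    return FALLBACK_LEASE_DAYS


@dataclass
class Lease:
    principal: str
    budget_amount: float               # budgetAmount
    created_on: int                    # epoch seconds (assumed representation)
    expires_on: Optional[int] = None   # expiresOn; None means not supplied
    destroyed: bool = False            # ended early via the API or CLI


def effective_expiry(lease: Lease, env=os.environ) -> int:
    """Use expiresOn when present, otherwise creation time plus the default."""
    if lease.expires_on is not None:
        return lease.expires_on
    return lease.created_on + default_lease_days(env) * SECONDS_PER_DAY


def evaluate(lease: Lease, usage: float, now: Optional[int] = None, env=os.environ):
    """Return (lease status, status reason); any Inactive result means a reset."""
    now = int(time.time()) if now is None else now
    if lease.destroyed:
        return ("Inactive", "Destroyed")
    if effective_expiry(lease, env) < now:     # expiresOn is now in the past
        return ("Inactive", "Expired")
    if usage > lease.budget_amount:            # budgetAmount is exceeded
        return ("Inactive", "OverBudget")
    return ("Active", "Active")
```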
The account pool is the collection of *child accounts* that are available for leasing.
The master account is the AWS account that contains the DCE infrastructure used to manage the child accounts that are in the account pool.
A child account is an AWS account added to the account pool and controlled by the infrastructure in the master account.
DCE requires an IAM role and permissions to assume the role from the master account to control resources in the child account.
The principal is the user to whom a child account is leased.
The admin is the user responsible for administering DCE.
The admin role is the role in the master account assumed by DCE to obtain access to all resources in both the master and the child accounts.
The principal role is the IAM role in the child account that the principal assumes in order to access the resources in the account.
A budget is the maximum amount of spending that should be incurred during the lease. If the usage in the account exceeds the budget amount, DCE resets the account.
In DCE, usage refers to the cost of running AWS resources in the accounts.