Documentation / DOCS-7555

Document on IAM requirements for Cloud Manager Provisioning

    • Type: Task
    • Resolution: Done
    • Priority: Major - P3
    • 01112017-cleanup
    • Affects Version/s: None
    • Component/s: Cloud Manager
    • Labels: None

      Recently in a ticket a customer asked for additional information on why we require the specific IAM permissions we do. This is a ticket to request that we provide this in a public-facing document to better explain the need for these settings.

      Here's a complete list with annotation:

      "ec2:AttachVolume", so we can add an EBS volume to the provisioned server
      "ec2:AuthorizeSecurityGroupIngress", so we can manage security groups required by Cloud Manager
      "ec2:CreateKeyPair", so when you upload a new keypair via our app
      "ec2:CreateSecurityGroup", to create security groups for our distribution
      "ec2:CreateTags", so we can tag the EC2 instances
      "ec2:CreateVolume", so we can create the EBS volumes
      "ec2:DeleteKeyPair", so we can remove any keys created for our Cloud Manager tool
      "ec2:DeleteSecurityGroup", so we can remove any security groups created by our tool
      "ec2:DeleteTags", so we can delete any tags when terminating
      "ec2:DeleteVolume", so we can delete any volumes when terminating
      "ec2:DescribeAccountAttributes", so we can list account details in our tool
      "ec2:DescribeAvailabilityZones", so we can list AZ details in our tool
      "ec2:DescribeInstanceAttribute", so we can list instance attribute details in our tool
      "ec2:DescribeInstanceStatus", so we can list the status of the instance in our tool
      "ec2:DescribeInstances", so we can see available instances for use with our tool
      "ec2:DescribeKeyPairs", so we can see available keypairs to be injected into EC2 instances
      "ec2:DescribeRegions", so we can see regions available for use
      "ec2:DescribeSecurityGroups", so we can list security groups to set for your distribution
      "ec2:DescribeSubnets", so we can list subnets to set for your distribution
      "ec2:DescribeTags", so we can list tags for instances associated with Cloud Manager
      "ec2:DescribeVpcs", so we can review available VPCs to build the distribution in
      "ec2:DescribeVpcAttribute", so we can see attributes of VPCs when adding information to the Cloud Manager web tool
      "ec2:DescribeVolumeStatus", so the tool can validate the readiness of an attach or a detach
      "ec2:DescribeVolumes", so the tool can see and ensure we have the correct volumes for your mongo server
      "ec2:DescribeVolumeAttribute", so the tool can describe information on the EBS volume used
      "ec2:ImportKeyPair", so when we are provided with an SSH key we can inject it for you to use
      "ec2:RunInstances", so we can run the instance
      "ec2:StartInstances", so we can start the server
      "ec2:StopInstances", so we can stop the server
      "ec2:RebootInstances", so we can reboot the server
      "ec2:TerminateInstances", so we can terminate the server from Cloud Manager

      I believe we should also state that, to reduce the needs of the resource to a single VPC, the details from Amazon should be sufficient:

      https://aws.amazon.com/premiumsupport/knowledge-center/iam-policy-restrict-vpc/

      Thank you!
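      An added example, not part of the ticket or of Cloud Manager's own code: a small Python audit that checks a customer-side IAM policy document against the permission list above, reporting documented actions that are missing, granted actions outside the list, and wildcard grants (such as ec2:Describe*) that are broader than the documented minimum. The sample policy is constructed for illustration.

```python
import fnmatch
import json

# The ec2 actions annotated in the ticket, i.e. the documented minimum set.
DOCUMENTED_ACTIONS = {"ec2:" + a for a in """
    AttachVolume AuthorizeSecurityGroupIngress CreateKeyPair CreateSecurityGroup
    CreateTags CreateVolume DeleteKeyPair DeleteSecurityGroup DeleteTags DeleteVolume
    DescribeAccountAttributes DescribeAvailabilityZones DescribeInstanceAttribute
    DescribeInstanceStatus DescribeInstances DescribeKeyPairs DescribeRegions
    DescribeSecurityGroups DescribeSubnets DescribeTags DescribeVpcs DescribeVpcAttribute
    DescribeVolumeStatus DescribeVolumes DescribeVolumeAttribute ImportKeyPair
    RunInstances StartInstances StopInstances RebootInstances TerminateInstances
""".split()}

def allowed_actions(policy):
    """Return the action patterns granted by every Allow statement in the policy."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # "everything except ..." is effectively a blanket grant
            granted.add("*")
            continue
        actions = stmt.get("Action", [])
        granted.update([actions] if isinstance(actions, str) else actions)
    return granted

def audit(policy):
    """Compare granted actions with the documented list. Wildcards are reported on their
    own: they cover documented actions but may also grant EC2 actions never asked for."""
    granted = allowed_actions(policy)
    wildcards = {a for a in granted if "*" in a}
    covered = {d for d in DOCUMENTED_ACTIONS if any(fnmatch.fnmatchcase(d, g) for g in granted)}
    extra = {a for a in granted - wildcards if a not in DOCUMENTED_ACTIONS}
    return {"missing": sorted(DOCUMENTED_ACTIONS - covered),
            "extra": sorted(extra), "wildcards": sorted(wildcards)}

# Constructed sample (not a real customer policy): a common shortcut that is broader in one
# place (ec2:Describe*, iam:PassRole) and incomplete in another (no volume, key pair,
# security group or terminate permissions).
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "iam:PassRole"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances",
                                   "ec2:RebootInstances", "ec2:CreateTags", "ec2:DeleteTags"],
     "Resource": "*"}
  ]
}""")
```

For the sample above, audit(SAMPLE_POLICY) reports ec2:Describe* as a wildcard, iam:PassRole as an extra grant, and ten documented actions (volume, key pair, security group and terminate permissions) as missing.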

            Assignee: Bob Grabar (bgrabar)
            Reporter: Jay Gordon (jay.gordon)
            Resolved: 8 years, 4 weeks, 4 days ago