Type: Task
Resolution: Done
Priority: Major - P3
Affects Version/s: None
Component/s: Cloud Manager
Labels: None
Recently, in a ticket, a customer asked for additional information on why we require the specific IAM permissions we do. This ticket requests that we provide this in a public-facing document to better explain the need for these settings.
Here's the complete list, with an annotation for each permission:
"ec2:AttachVolume", | so we can attach an EBS volume to the provisioned server |
"ec2:AuthorizeSecurityGroupIngress", | so we can manage the security group rules required by Cloud Manager |
"ec2:CreateKeyPair", | so we can create a key pair when you upload a new one via our app |
"ec2:CreateSecurityGroup", | so we can create security groups for your distribution |
"ec2:CreateTags", | so we can tag the EC2 instances |
"ec2:CreateVolume", | so we can create the EBS volumes |
"ec2:DeleteKeyPair", | so we can remove any key pairs created for our Cloud Manager tool |
"ec2:DeleteSecurityGroup", | so we can remove any security groups created by our tool |
"ec2:DeleteTags", | so we can delete any tags when terminating |
"ec2:DeleteVolume", | so we can delete any volumes when terminating |
"ec2:DescribeAccountAttributes", | so we can list account details in our tool |
"ec2:DescribeAvailabilityZones", | so we can list AZ details in our tool |
"ec2:DescribeInstanceAttribute", | so we can list instance attribute details in our tool |
"ec2:DescribeInstanceStatus", | so we can list the status of the instance in our tool |
"ec2:DescribeInstances", | so we can see available instances for use with our tool |
"ec2:DescribeKeyPairs", | so we can see available key pairs to be injected into EC2 instances |
"ec2:DescribeRegions", | so we can see the regions available for use |
"ec2:DescribeSecurityGroups", | so we can list security groups to set for your distribution |
"ec2:DescribeSubnets", | so we can list subnets to set for your distribution |
"ec2:DescribeTags", | so we can list tags for instances associated with Cloud Manager |
"ec2:DescribeVpcs", | so we can review available VPCs to build the distribution in |
"ec2:DescribeVpcAttribute", | so we can see attributes of VPCs when adding information to the Cloud Manager web tool |
"ec2:DescribeVolumeStatus", | so the tool can validate the readiness of an attach or a detach |
"ec2:DescribeVolumes", | so the tool can see and ensure we have the correct volumes for your MongoDB server |
"ec2:DescribeVolumeAttribute", | so the tool can describe information on the EBS volume used |
"ec2:ImportKeyPair", | so when we are provided with an SSH key we can inject it for you to use |
"ec2:RunInstances", | so we can launch the instance |
"ec2:StartInstances", | so we can start the server |
"ec2:StopInstances", | so we can stop the server |
"ec2:RebootInstances", | so we can reboot the server |
"ec2:TerminateInstances" | so we can terminate the server from Cloud Manager |
I believe we should also state that, to restrict the resources to a single VPC, the details from Amazon should be sufficient:
https://aws.amazon.com/premiumsupport/knowledge-center/iam-policy-restrict-vpc/
Thank you!
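As an added worked example (this is illustrative code written for this ticket, not Cloud Manager's published policy), the following Python script assembles an IAM policy document from the action list above and applies the single-VPC restriction the linked AWS article describes: read-only Describe* calls keep Resource "*", mutating calls on VPC-scoped resources get an ec2:Vpc condition, and calls on resources that live outside a VPC (volumes, key pairs, AMIs) get a separate unconditioned statement. The region, account ID and VPC ID are placeholders; the mapping of each action to the EC2 resource types it operates on, and the set of resource types the ec2:Vpc condition key can match, are assumptions drawn from the AWS EC2 IAM reference and should be checked against the current documentation before use.

```python
# Added example: build a least-privilege IAM policy for the Cloud Manager EC2
# actions and confine the mutating ones to a single VPC. Not the product's own policy.
import json
from collections import defaultdict

# Placeholder account, region and VPC used only to build example ARNs.
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"
VPC_ID = "vpc-0a1b2c3d4e5f67890"

# The EC2 actions requested in the ticket.
CLOUD_MANAGER_ACTIONS = [
    "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateKeyPair",
    "ec2:CreateSecurityGroup", "ec2:CreateTags", "ec2:CreateVolume", "ec2:DeleteKeyPair",
    "ec2:DeleteSecurityGroup", "ec2:DeleteTags", "ec2:DeleteVolume",
    "ec2:DescribeAccountAttributes", "ec2:DescribeAvailabilityZones",
    "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceStatus", "ec2:DescribeInstances",
    "ec2:DescribeKeyPairs", "ec2:DescribeRegions", "ec2:DescribeSecurityGroups",
    "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVpcs", "ec2:DescribeVpcAttribute",
    "ec2:DescribeVolumeStatus", "ec2:DescribeVolumes", "ec2:DescribeVolumeAttribute",
    "ec2:ImportKeyPair", "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances",
    "ec2:RebootInstances", "ec2:TerminateInstances",
]

# EC2 resource types each mutating action must be allowed on. ASSUMPTION taken from
# the AWS EC2 IAM reference; verify before shipping. Describe* calls are deliberately
# absent: EC2 offers no resource-level permissions for them, so they need "*".
ACTION_RESOURCES = {
    "ec2:RunInstances": ["instance", "network-interface", "security-group", "subnet",
                         "image", "key-pair", "volume"],
    "ec2:StartInstances": ["instance"], "ec2:StopInstances": ["instance"],
    "ec2:RebootInstances": ["instance"], "ec2:TerminateInstances": ["instance"],
    "ec2:AttachVolume": ["instance", "volume"],
    "ec2:CreateVolume": ["volume"], "ec2:DeleteVolume": ["volume"],
    "ec2:CreateKeyPair": ["key-pair"], "ec2:ImportKeyPair": ["key-pair"],
    "ec2:DeleteKeyPair": ["key-pair"],
    "ec2:CreateSecurityGroup": ["security-group", "vpc"],
    "ec2:AuthorizeSecurityGroupIngress": ["security-group"],
    "ec2:DeleteSecurityGroup": ["security-group"],
    "ec2:CreateTags": ["instance", "volume", "security-group", "key-pair"],
    "ec2:DeleteTags": ["instance", "volume", "security-group", "key-pair"],
}

# Resource types whose ARN the ec2:Vpc condition key can match (ASSUMPTION). Volumes,
# key pairs and AMIs exist outside any VPC, so they get an unconditioned statement.
VPC_AWARE = {"instance", "network-interface", "security-group", "subnet"}


def is_describe(action):
    return action.split(":", 1)[1].startswith("Describe")


def resource_arn(rtype, region, account_id, vpc_id):
    if rtype == "image":
        return f"arn:aws:ec2:{region}::image/*"  # AMI ARNs carry no account id
    if rtype == "vpc":
        return f"arn:aws:ec2:{region}:{account_id}:vpc/{vpc_id}"  # only this VPC
    return f"arn:aws:ec2:{region}:{account_id}:{rtype}/*"


def build_policy(actions, region=REGION, account_id=ACCOUNT_ID, vpc_id=VPC_ID):
    describe = sorted(a for a in actions if is_describe(a))
    mutating = sorted(a for a in actions if not is_describe(a))
    missing = [a for a in mutating if a not in ACTION_RESOURCES]
    if missing:  # refuse to emit a policy that silently drops an action
        raise ValueError(f"no resource mapping for {missing}")

    def arn(rtype):
        return resource_arn(rtype, region, account_id, vpc_id)

    # Group mutating actions by the exact ARN set they need, splitting each action's
    # resources into VPC-scopable ones (conditioned) and the rest (unconditioned).
    scoped, unscoped = defaultdict(list), defaultdict(list)
    for action in mutating:
        rtypes = ACTION_RESOURCES[action]
        inside = tuple(sorted(arn(r) for r in rtypes if r in VPC_AWARE))
        outside = tuple(sorted(arn(r) for r in rtypes if r not in VPC_AWARE))
        if inside:
            scoped[inside].append(action)
        if outside:
            unscoped[outside].append(action)

    statements = [{"Sid": "CloudManagerReadOnly", "Effect": "Allow",
                   "Action": describe, "Resource": "*"}]
    for n, (arns, acts) in enumerate(sorted(scoped.items())):
        statements.append({"Sid": f"CloudManagerInVpc{n}", "Effect": "Allow", "Action": acts,
                           "Resource": list(arns),
                           "Condition": {"ArnEquals": {"ec2:Vpc": arn("vpc")}}})
    for n, (arns, acts) in enumerate(sorted(unscoped.items())):
        statements.append({"Sid": f"CloudManagerNonVpcResource{n}", "Effect": "Allow",
                           "Action": acts, "Resource": list(arns)})
    return {"Version": "2012-10-17", "Statement": statements}


def actions_granted(policy):
    return sorted({a for s in policy["Statement"] for a in s["Action"]})


def vpc_conditioned_actions(policy):
    return sorted({a for s in policy["Statement"] if "Condition" in s for a in s["Action"]})


if __name__ == "__main__":
    print(json.dumps(build_policy(CLOUD_MANAGER_ACTIONS), indent=2))
```

Two points worth checking before adopting something like this: the Describe* actions must stay on Resource "*", because EC2 does not support resource-level permissions for them and placing them under the VPC condition makes every read call fail with UnauthorizedOperation; and ec2:RunInstances deliberately lands in both a conditioned and an unconditioned statement, since the AMI, key pair and root volume it touches are not VPC resources and cannot be matched by ec2:Vpc.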