[DOCS-7555] Document on IAM requirements for Cloud Manager Provisioning Created: 01/Apr/16  Updated: 11/Jan/17  Resolved: 07/Apr/16

Status: Closed
Project: Documentation
Component/s: Cloud Manager
Affects Version/s: None
Fix Version/s: 01112017-cleanup

Type: Task Priority: Major - P3
Reporter: Jay Gordon Assignee: Bob Grabar
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


Description

Recently in a ticket a customer asked for additional information on why we require the specific IAM permissions we do. This is a ticket to request we provide this in a public-facing document to better explain the need for these settings.

Here's a complete list with annotation:

"ec2:AttachVolume", so we can add an EBS volume to the provisioned server
"ec2:AuthorizeSecurityGroupIngress", so we can manage security groups required by Cloud Manager
"ec2:CreateKeyPair", so we can create a keypair when you upload a new one via our app
"ec2:CreateSecurityGroup", to create security groups for our distribution
"ec2:CreateTags", so we can tag the EC2 instances
"ec2:CreateVolume", so we can create the EBS volumes
"ec2:DeleteKeyPair", so we can remove any keys created for our Cloud Manager tool
"ec2:DeleteSecurityGroup", so we can remove any security groups created by our tool
"ec2:DeleteTags", so we can delete any tags when terminating
"ec2:DeleteVolume", so we can delete any volumes when terminating
"ec2:DescribeAccountAttributes", so we can list account details in our tool
"ec2:DescribeAvailabilityZones", so we can list AZ details in our tool
"ec2:DescribeInstanceAttribute", so we can list instance attribute details in our tool
"ec2:DescribeInstanceStatus", so we can list the status of the instance in our tool
"ec2:DescribeInstances", so we can see available instances for use with our tool
"ec2:DescribeKeyPairs", so we can see available keypairs to be injected into EC2 instances
"ec2:DescribeRegions", so we can see regions available for use
"ec2:DescribeSecurityGroups", so we can list security groups to set for your distribution
"ec2:DescribeSubnets", so we can list subnets to set for your distribution
"ec2:DescribeTags", so we can list tags for instances associated with Cloud Manager
"ec2:DescribeVpcs", so we can review available VPCs to build the distribution in
"ec2:DescribeVpcAttribute", so we can see attributes of VPCs when adding information to the Cloud Manager web tool
"ec2:DescribeVolumeStatus", so the tool can validate the readiness of an attach or a detach
"ec2:DescribeVolumes", so the tool can see and ensure we have the correct volumes for your MongoDB server
"ec2:DescribeVolumeAttribute", so the tool can describe information on the EBS volume used
"ec2:ImportKeyPair", so when we are provided with an SSH key we can inject it for you to use
"ec2:RunInstances", so we can run the instance
"ec2:StartInstances", so we can start the server
"ec2:StopInstances", so we can stop the server
"ec2:RebootInstances", so we can reboot the server
"ec2:TerminateInstances", so we can terminate the server from Cloud Manager

I believe we should also state that, to limit the resource to a single VPC, the details from Amazon should be sufficient:

https://aws.amazon.com/premiumsupport/knowledge-center/iam-policy-restrict-vpc/

Thank you!
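As an added example (not Cloud Manager's own policy), the following builds an IAM policy from exactly the permission list in this ticket, pins ec2:RunInstances to a single VPC with the ec2:Vpc condition key following the pattern in the linked AWS article, and lints the result before it is attached. The region, account id and VPC id are placeholders to be substituted.

```python
"""Added example, not Cloud Manager's own policy: build the IAM policy from the
ticket's permission list, pin RunInstances to one VPC, and lint it before attaching."""
import json

ACTIONS = [  # exactly the actions listed in the ticket
    "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateKeyPair",
    "ec2:CreateSecurityGroup", "ec2:CreateTags", "ec2:CreateVolume", "ec2:DeleteKeyPair",
    "ec2:DeleteSecurityGroup", "ec2:DeleteTags", "ec2:DeleteVolume",
    "ec2:DescribeAccountAttributes", "ec2:DescribeAvailabilityZones",
    "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceStatus", "ec2:DescribeInstances",
    "ec2:DescribeKeyPairs", "ec2:DescribeRegions", "ec2:DescribeSecurityGroups",
    "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVpcs", "ec2:DescribeVpcAttribute",
    "ec2:DescribeVolumeStatus", "ec2:DescribeVolumes", "ec2:DescribeVolumeAttribute",
    "ec2:ImportKeyPair", "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances",
    "ec2:RebootInstances", "ec2:TerminateInstances",
]
VPC_SCOPED = ("subnet", "network-interface")  # resource types the VPC condition is put on

def as_list(v):
    return v if isinstance(v, list) else [v]

def build_policy(region, account_id, vpc_id):
    """All actions except RunInstances go on '*' (Describe* calls accept no resource ARN).
    RunInstances is split: subnet/ENI resources conditioned on ec2:Vpc, the remaining
    resource types in an unconditioned statement so the condition cannot deny the launch."""
    base = f"arn:aws:ec2:{region}:{account_id}"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": [a for a in ACTIONS if a != "ec2:RunInstances"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:RunInstances",
         "Resource": [f"{base}:{t}/*" for t in VPC_SCOPED],
         "Condition": {"ArnEquals": {"ec2:Vpc": f"{base}:vpc/{vpc_id}"}}},
        {"Effect": "Allow", "Action": "ec2:RunInstances",
         "Resource": [f"arn:aws:ec2:{region}::image/*"] + [f"{base}:{t}/*" for t in
                      ("instance", "volume", "key-pair", "security-group")]},
    ]}

def lint_policy(policy):
    """Findings: undocumented actions, and RunInstances reaching subnet/ENI without ec2:Vpc."""
    findings = []
    for stmt in policy["Statement"]:
        actions, resources = as_list(stmt["Action"]), as_list(stmt["Resource"])
        findings += [f"undocumented action {a}" for a in actions if a not in ACTIONS]
        pinned = "ec2:Vpc" in stmt.get("Condition", {}).get("ArnEquals", {})
        if "ec2:RunInstances" in actions and not pinned and any(
                r == "*" or any(f":{t}/" in r for t in VPC_SCOPED) for r in resources):
            findings.append("RunInstances not restricted to a VPC")
    return findings

if __name__ == "__main__":  # placeholders: substitute the real region, account and VPC id
    p = build_policy("us-east-1", "123456789012", "vpc-PLACEHOLDER")
    print(json.dumps(p, indent=2), lint_policy(p) or "no findings")
```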

