Overview
The following roles should be attached to an IAM group to which the IAM user accounts representing CloudBolt (CB) service accounts are added.
See also: https://support.cloudbolt.io/hc/en-us/articles/4402684031124-AWS-Required-Roles-Permissions (in the customer-facing KB)
Considerations
An access key ID and secret access key can then be generated for each of those user accounts.
Predefined (AWS managed) policies required:
AmazonEC2FullAccess
AWSPriceListServiceFullAccess
AmazonS3FullAccess
AmazonVPCFullAccess
Individual actions also required:
resource-groups:ListGroups
ec2:DescribeHosts
The custom policy (named “IAMCreateRole” here) that is used to enable remote execution for EC2 VMs:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:AttachRolePolicy",
        "iam:CreateInstanceProfile",
        "iam:AddRoleToInstanceProfile"
      ],
      "Resource": "*"
    }
  ]
}
Minimal required permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ce:GetCostAndUsage",
        "ec2:AssociateIamInstanceProfile",
        "ec2:AttachVolume",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAddresses",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeHosts",
        "ec2:DescribeIamInstanceProfileAssociations",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstanceTypeOfferings",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeRegions",
        "ec2:DescribeReservedInstances",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:DescribeVolumeAttribute",
        "ec2:DescribeVolumes",
        "ec2:DescribeVolumesModifications",
        "ec2:DescribeVolumeStatus",
        "ec2:DescribeVpcs",
        "ec2:GetConsoleOutput",
        "ec2:ModifyVolume",
        "ec2:RebootInstances",
        "ec2:ReplaceIamInstanceProfileAssociation",
        "ec2:RunInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "iam:PassRole",
        "kms:CreateGrant",
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:ReEncrypt*",
        "pricing:GetProducts",
        "resource-groups:ListGroups",
        "ssm:CreateDocument",
        "ssm:DeleteDocument",
        "ssm:DescribeDocument",
        "ssm:DescribeInstanceInformation",
        "ssm:GetCommandInvocation",
        "ssm:ListDocuments",
        "ssm:SendCommand"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
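Both policies above grant IAM actions (iam:PassRole, iam:CreateRole, iam:AttachRolePolicy, and the instance-profile actions) on Resource "*", which is the part a reviewer will want to scope down before attaching them to a service account. The following is an added example, not CloudBolt code, that lints a policy document for exactly that pattern and produces a copy with those actions limited to a role ARN; the ARN pattern used in the test is an assumed placeholder, and the policy excerpts are embedded inline so it runs offline.

```python
import fnmatch

# IAM actions that, when allowed on Resource "*", let a principal widen its own
# privileges (pass or create roles, attach policies). Set constructed here.
SENSITIVE = {"iam:PassRole", "iam:CreateRole", "iam:AttachRolePolicy",
             "iam:CreateInstanceProfile", "iam:AddRoleToInstanceProfile"}

# Inline copies of the page's IAMCreateRole policy and an excerpt of its
# minimal policy, embedded so the check runs offline.
IAM_CREATE_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*",
     "Action": ["iam:CreateRole", "iam:AttachRolePolicy",
                "iam:CreateInstanceProfile", "iam:AddRoleToInstanceProfile"]}]}
MINIMAL_EXCERPT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": ["*"],
     "Action": ["ec2:RunInstances", "iam:PassRole", "ssm:SendCommand"]}]}

def _as_list(value):
    # IAM accepts either a string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def _is_sensitive(pattern):
    # Catch explicit names as well as wildcards such as "iam:*" or "iam:Create*".
    return any(fnmatch.fnmatchcase(a, pattern) for a in SENSITIVE)

def _wildcard_allow(stmt):
    return stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", []))

def audit_policy(policy):
    """Sorted list of sensitive action patterns granted on Resource "*"."""
    found = []
    for stmt in policy["Statement"]:
        if _wildcard_allow(stmt):
            found += [a for a in _as_list(stmt["Action"]) if _is_sensitive(a)]
    return sorted(found)

def scope_sensitive(policy, role_arn):
    """Copy of the policy with each wildcard statement's sensitive actions split into their own statement limited to role_arn."""
    out = {"Version": policy["Version"], "Statement": []}
    for stmt in policy["Statement"]:
        if not _wildcard_allow(stmt):
            out["Statement"].append(dict(stmt))
            continue
        hot = [a for a in _as_list(stmt["Action"]) if _is_sensitive(a)]
        rest = [a for a in _as_list(stmt["Action"]) if a not in hot]
        if rest:
            out["Statement"].append({**stmt, "Action": rest})
        if hot:
            out["Statement"].append({"Effect": "Allow", "Action": hot, "Resource": role_arn})
    return out
```

Run audit_policy on the full minimal policy from this page and it reports only iam:PassRole; re-running it on the scope_sensitive output returns an empty list, which is the state to aim for before the policy is attached.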
CloudWatch (Server Stats)
To see CloudWatch data in the Server Stats tab, the CloudWatchReadOnlyAccess managed policy is also required:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:Describe*",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "logs:Get*",
        "logs:List*",
        "logs:StartQuery",
        "logs:StopQuery",
        "logs:Describe*",
        "logs:TestMetricFilter",
        "logs:FilterLogEvents",
        "oam:ListSinks",
        "sns:Get*",
        "sns:List*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "oam:ListAttachedLinks"
      ],
      "Resource": "arn:aws:oam:*:*:sink/*"
    }
  ]
}