AWS Required Roles/Permissions

Overview

Attach the following roles to a group, then add the user accounts that represent CB service accounts to that group.

Considerations

A key and secret can then be generated for each user account.

Predefined Roles required:

AmazonEC2FullAccess
AWSPriceListServiceFullAccess
AmazonS3FullAccess
AmazonVPCFullAccess

resource-groups:ListGroups
ec2:DescribeHosts

The custom role, which I call “IAMCreateRole”, is used to enable remote execution for EC2 VMs:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:AttachRolePolicy",
                "iam:CreateInstanceProfile",
                "iam:AddRoleToInstanceProfile"
            ],
            "Resource": "*"
        }
    ]
}
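The policy above allows role creation and policy attachment on every resource, which is the kind of grant an IAM review looks for. The following check is an added example, not part of the original page or the product: it flags such grants in a policy document and compares the page's policy with a constructed variant scoped to a hypothetical account ID (111122223333) and name prefix (cb-), which has not been tested with the product.

```python
import fnmatch
import json

# IAM actions that create or re-wire roles. The first four are granted by the
# page's custom policy; iam:PassRole appears in its minimal permission list.
SENSITIVE = ["iam:CreateRole", "iam:AttachRolePolicy", "iam:CreateInstanceProfile",
             "iam:AddRoleToInstanceProfile", "iam:PassRole"]

def as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]

def unscoped_iam_grants(policy):
    """Return sorted sensitive IAM actions allowed on Resource "*" with no Condition."""
    found = set()
    for stmt in as_list(policy.get("Statement", [])):
        # Simplification: any Condition block is treated as scoping the grant.
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "*" not in as_list(stmt.get("Resource", [])):
            continue
        for pattern in as_list(stmt.get("Action", [])):
            # Action names are case-insensitive and may contain wildcards.
            found.update(a for a in SENSITIVE
                         if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return sorted(found)

# Same content as the page's "IAMCreateRole" policy.
PAGE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
 "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:CreateInstanceProfile",
            "iam:AddRoleToInstanceProfile"], "Resource": "*"}]}
""")

# Constructed variant: same actions, hypothetical account ID and "cb-" prefix.
SCOPED_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Sid": "ScopedRoleSetup", "Effect": "Allow",
 "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:CreateInstanceProfile",
            "iam:AddRoleToInstanceProfile"],
 "Resource": ["arn:aws:iam::111122223333:role/cb-*",
              "arn:aws:iam::111122223333:instance-profile/cb-*"]}]}
""")

if __name__ == "__main__":
    print("page policy:", unscoped_iam_grants(PAGE_POLICY))
    print("scoped policy:", unscoped_iam_grants(SCOPED_POLICY))
```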

Minimal required permissions:

"Action": [
"ce:GetCostAndUsage",
"ec2:AssociateIamInstanceProfile",
"ec2:AttachVolume",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeHosts",
"ec2:DescribeIamInstanceProfileAssociations",
"ec2:DescribeImages",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInstanceTypeOfferings",
"ec2:DescribeInstanceTypes",
"ec2:DescribeKeyPairs",
"ec2:DescribeRegions",
"ec2:DescribeReservedInstances",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVolumeAttribute",
"ec2:DescribeVolumes",
"ec2:DescribeVolumesModifications",
"ec2:DescribeVolumeStatus",
"ec2:DescribeVpcs",
"ec2:GetConsoleOutput",
"ec2:ModifyVolume",
"ec2:RebootInstances",
"ec2:ReplaceIamInstanceProfileAssociation",
"ec2:RunInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"iam:PassRole",
"kms:CreateGrant",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:ReEncrypt*",
"pricing:GetProducts",
"resource-groups:ListGroups",
"ssm:CreateDocument",
"ssm:DeleteDocument",
"ssm:DescribeDocument",
"ssm:DescribeInstanceInformation",
"ssm:GetCommandInvocation",
"ssm:ListDocuments",
"ssm:SendCommand"
],
