Cloud8 supports AWS access through IAM with a custom security credential. Below is an example of the minimum permissions required for effective access and operation. The default actions are all read-only; after them there is a section for customized permissions that depend on the tag assigned to a server.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ec2:CreateImage",
        "ec2:CreateSnapshot",
        "ec2:ModifyInstanceAttribute",
        "ec2:AssociateAddress",
        "ec2:RebootInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "rds:Describe*",
        "rds:StartDBInstance",
        "rds:StopDBInstance",
        "rds:StartDBCluster",
        "rds:StopDBCluster",
        "rds:Download*",
        "rds:ListTagsForResource",
        "rds:ModifyDBInstance*",
        "rds:CreateDBSnapshot*",
        "ssm:Describe*",
        "savingsplans:Describe*",
        "elasticloadbalancing:Describe*",
        "elasticbeanstalk:Describe*",
        "autoscaling:Describe*",
        "ecs:Describe*",
        "ecs:List*",
        "eks:Describe*",
        "eks:List*",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:Look*",
        "cloudfront:Describe*",
        "cloudfront:Get*",
        "cloudfront:List*",
        "storagegateway:Describe*",
        "storagegateway:List*",
        "es:Describe*",
        "es:List*",
        "elasticache:Describe*",
        "elasticache:List*",
        "redshift:Describe*",
        "workspaces:Describe*",
        "lightsail:Get*",
        "lambda:Get*",
        "lambda:List*",
        "tag:get*",
        "trustedadvisor:Describe*",
        "support:Describe*",
        "iam:Get*",
        "iam:List*",
        "iam:Generate*",
        "organizations:Describe*",
        "organizations:List*",
        "route53:Get*",
        "route53:List*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "kms:List*",
        "kms:Describe*",
        "sns:ListSubscriptions*",
        "sns:CreateTopic",
        "sns:Subscribe",
        "sns:ConfirmSubscription",
        "rds:CreateEventSubscription"
      ],
      "Resource": "*"
    },
    {
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::___your_bucket_name___"
    },
    {
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::___your_bucket_name___/*"
    }
  ]
}
Pending for the customer: define the bucket where the billing data is published (if you don't know which one, Cloud8 can tell you). Note: with the policy above, on all servers that carry the example tag "Cloud8" with the value "Enable", Cloud8 will be able to perform actions beyond the read-only defaults; in this case start, stop, reboot and associate an Elastic IP.
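Before attaching a policy like the one above, it is worth checking two things mechanically: that the bucket placeholder has really been replaced, and which non-read-only actions are granted on Resource "*" with no Condition at all (those are the candidates for the tag-restricted statement shown under Other permissions below). The following Python script is an added example, not Cloud8's own tooling; it audits a constructed, trimmed copy of the policy, and its read-only prefix list is an assumption of the script, not an AWS-defined classification.

```python
import json

# Constructed, trimmed version of the base policy (not the full action list),
# with the bucket placeholder deliberately left unreplaced.
BASE_POLICY_JSON = r'''
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ec2:CreateImage",
        "ec2:CreateSnapshot",
        "ec2:RebootInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:AssociateAddress",
        "rds:Describe*",
        "iam:Get*",
        "iam:List*",
        "cloudtrail:Look*"
      ],
      "Resource": "*"
    },
    {
      "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::___your_bucket_name___"
    }
  ]
}
'''

# Action-name prefixes treated as read-only by this audit (assumption, not an AWS list).
# Everything else is classified as mutating.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Look", "Generate")

PLACEHOLDER = "___your_bucket_name___"


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """Classify 'service:ActionName' by the action-name prefix."""
    name = action.split(":", 1)[1]
    return name.startswith(READ_ONLY_PREFIXES)


def mutating_without_condition(policy):
    """(action, resource) pairs for mutating actions in Allow statements that carry
    no Condition block, i.e. grants not narrowed by a tag or any other key."""
    found = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if not is_read_only(action):
                for res in resources:
                    found.append((action, res))
    return found


def unresolved_placeholders(policy):
    """Resource ARNs that still contain the ___your_bucket_name___ placeholder."""
    return [res for stmt in policy["Statement"]
            for res in _as_list(stmt.get("Resource", []))
            if PLACEHOLDER in res]


def audit(policy_text):
    """Parse the policy JSON and return the two findings as a dict."""
    policy = json.loads(policy_text)
    return {
        "mutating_wildcard": sorted(
            a for a, r in mutating_without_condition(policy) if r == "*"),
        "placeholders": unresolved_placeholders(policy),
    }


if __name__ == "__main__":
    print(json.dumps(audit(BASE_POLICY_JSON), indent=2))
```

Run it against your own policy file by replacing BASE_POLICY_JSON with the file contents; an empty "placeholders" list and a short, deliberate "mutating_wildcard" list is what you want to see before attaching the policy.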
Other permissions
Restrict stop/start to a set of tagged servers
{
  "Effect": "Allow",
  "Action": [
    "ec2:RebootInstances",
    "ec2:StartInstances",
    "ec2:StopInstances"
  ],
  "Resource": "arn:aws:ec2:*:*:instance/*",
  "Condition": {
    "StringEquals": {
      "ec2:ResourceTag/Cloud8": "Enable"
    }
  }
}
(in the case of servers that have the “Cloud8” Tag with the value “Enable”)
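To see what the Condition block actually does, the following Python snippet simulates IAM evaluation of this statement against instances with and without the tag. It is an added example, not Cloud8 code, and it is a simplified model: it handles only the StringEquals operator on ec2:ResourceTag/<key>, treats any other condition as unsatisfied, and otherwise follows the usual explicit-deny, then matching-allow, then implicit-deny order. The account ID and instance ID in the test ARN are constructed.

```python
import fnmatch

# Constructed policy: the read-only grant plus the tag-restricted stop/start statement.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": ["ec2:RebootInstances", "ec2:StartInstances", "ec2:StopInstances"],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringEquals": {"ec2:ResourceTag/Cloud8": "Enable"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match_actions(patterns, action):
    # IAM matches action names case-insensitively; '*' and '?' are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _match_resources(patterns, arn):
    # Resource ARNs are matched case-sensitively with the same wildcards.
    return any(fnmatch.fnmatchcase(arn, p) for p in _as_list(patterns))


def _condition_holds(condition, resource_tags):
    """Model only StringEquals on ec2:ResourceTag/<key>; anything else is treated as
    unsatisfied (a conservative assumption of this simulation)."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            return False
        for key, expected in pairs.items():
            if not key.startswith("ec2:ResourceTag/"):
                return False
            tag_key = key[len("ec2:ResourceTag/"):]
            # A missing tag means the condition key is absent, so StringEquals fails.
            if resource_tags.get(tag_key) != expected:
                return False
    return True


def is_allowed(policy, action, resource_arn, resource_tags=None):
    """Simplified evaluation: an explicit Deny wins, otherwise any Allow whose action,
    resource and condition all match grants access; nothing matching is an implicit deny."""
    tags = resource_tags or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _match_actions(stmt.get("Action", []), action):
            continue
        if not _match_resources(stmt.get("Resource", []), resource_arn):
            continue
        if not _condition_holds(stmt.get("Condition", {}), tags):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    instance = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"  # constructed
    for tags in ({"Cloud8": "Enable"}, {"Cloud8": "Disable"}, {}):
        print(tags, "stop allowed:", is_allowed(POLICY, "ec2:StopInstances", instance, tags))
```

The point the simulation makes is that the tag value is checked exactly: "Enable" passes, "Disable" and a missing tag both fall through to the implicit deny, and an action outside the three listed (for example termination) is never granted by this statement regardless of tags.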
Backup cleanup / retention policy that deletes AMIs / snapshots according to rules
...
ec2:DeregisterImage
ec2:DeleteSnapshot
rds:DeleteDBSnapshot
rds:DeleteDBClusterSnapshot
...
(insert in the first block with general permissions)
Copy to another region
...
ec2:CopyImage
rds:CopyDBSnapshot
rds:CopyDBClusterSnapshot
...
(insert in the first block with general permissions)
RDS Savings and Backup
...
rds:ModifyDBInstance*
rds:CreateDBSnapshot*
rds:CreateDBClusterSnapshot*
...
(insert in the first block with general permissions)
RDS Event Monitoring
...
sns:Describe*
sns:ListSubscriptions*
sns:CreateTopic
sns:Subscribe
sns:ConfirmSubscription
rds:CreateEventSubscription
...
(insert in the first block with general permissions)
Executing scripts via EC2 Command
...
ssm:List*
ssm:Get*
ssm:SendCommand
...
Backup copy (vault) to another account
Source account:
...
ec2:ModifyImageAttribute
ec2:ModifySnapshotAttribute
rds:ModifyDBSnapshotAttribute
rds:ModifyDBClusterSnapshotAttribute
...
Destination account:
...
ec2:CopyImage
ec2:CopySnapshot
rds:CopyDBSnapshot
rds:CopyDBClusterSnapshot
...
Cost reduction in Auto Scaling and Beanstalk
...
elasticbeanstalk:Update*
autoscaling:Update*
...
Cost reduction in ECS and Fargate
...
ecs:Describe*
ecs:Update*
...
Cost reduction in OpenSearch/Elasticsearch
...
es:Update*
...
Load Balancer
...
elasticloadbalancing:RegisterInstancesWithLoadBalancer
elasticloadbalancing:DeregisterInstancesFromLoadBalancer
elasticloadbalancing:RegisterTargets
elasticloadbalancing:DeregisterTargets
...
Tag Editing – individual component permissions (there is no general mode)
...
tag:*
ec2:CreateTags
ec2:DeleteTags
rds:AddTagsToResource
rds:RemoveTagsFromResource
elasticloadbalancing:RemoveTags
elasticloadbalancing:AddTags
route53:ChangeTags*
dynamodb:Tag*
dynamodb:Untag*
logs:Tag*
logs:Untag*
eks:Tag*
eks:Untag*
elasticache:RemoveTagsFromResource
elasticache:AddTagsToResource
s3:DeleteObjectTagging
s3:DeleteJobTagging
s3:PutBucketTagging
s3:DeleteStorageLensConfigurationTagging
s3:ReplicateTags
s3:PutStorageLensConfigurationTagging
s3:PutObjectVersionTagging
s3:PutObjectTagging
s3:PutJobTagging
s3:DeleteObjectVersionTagging
dms:RemoveTagsFromResource
dms:AddTagsToResource
...
Changing disk type
...
ec2:ModifyVolume*
...
Cost reduction with Redshift
...
redshift:Pause*
redshift:Resume*
...
Cost reduction with Workspaces
...
workspaces:Stop*
workspaces:Start*
...
Lightsail support
...
lightsail:Describe*
lightsail:Get*
lightsail:Stop*
lightsail:Start*
lightsail:Reboot*
lightsail:Create*
lightsail:Copy*
...
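Every block in this section is written in the same notation: the actions between the "..." markers are to be inserted into the first statement of the base policy (the one with the general permissions). The Python helper below is an added example, not part of Cloud8's documentation; it parses that notation, validates each entry as service:Action and checks its service prefix against the prefixes already present in the policy (an assumption-based allowlist that catches misspelled prefixes), and then merges the actions into the first statement without duplicates. The base policy and both fragments are constructed; the second fragment deliberately carries a misspelled prefix to show the check.

```python
import json
import re

# Constructed base policy: only the first ("general permissions") statement is merged into.
BASE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:Describe*", "rds:Describe*", "es:Describe*", "ssm:Describe*"],
         "Resource": "*"},
        {"Action": ["s3:ListAllMyBuckets"], "Effect": "Allow", "Resource": "arn:aws:s3:::*"},
    ],
}

# Add-on fragments in the page's notation: actions between "..." markers, one or several per line.
FRAGMENT_EC2_COMMAND = """
...
ssm:List*
ssm:Get*
ssm:SendCommand
...
"""

# Constructed with an invalid service prefix ("ess" is not an AWS service prefix).
FRAGMENT_WITH_TYPO = """
... ess:Update*
...
"""

# service prefix (lowercase, digits, hyphen), a colon, then an action name that may end in '*'.
ACTION_RE = re.compile(r"^[a-z0-9-]+:[A-Za-z0-9*]+$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def parse_fragment(text):
    """Collect the actions between the '...' markers; tolerate several per line."""
    actions = []
    inside = False
    for line in text.splitlines():
        for token in line.split():
            if token == "...":
                inside = not inside
            elif inside:
                actions.append(token)
    return actions


def known_prefixes(policy):
    """Service prefixes already granted anywhere in the policy (the allowlist assumption)."""
    return {a.split(":", 1)[0]
            for stmt in policy["Statement"]
            for a in _as_list(stmt.get("Action", []))}


def validate(actions, allowed_prefixes):
    """Return a list of human-readable problems; empty means the fragment is clean."""
    problems = []
    for action in actions:
        if not ACTION_RE.match(action):
            problems.append(f"{action}: not of the form service:Action")
        elif action.split(":", 1)[0] not in allowed_prefixes:
            problems.append(f"{action}: unknown service prefix")
    return problems


def add_to_general_statement(policy, actions):
    """Merge actions into the first statement, keeping order and skipping duplicates.
    Returns a new policy dict; the input is left untouched."""
    merged = json.loads(json.dumps(policy))  # cheap deep copy of plain JSON data
    general = merged["Statement"][0]
    existing = _as_list(general["Action"])
    for action in actions:
        if action not in existing:
            existing.append(action)
    general["Action"] = existing
    return merged


if __name__ == "__main__":
    for fragment in (FRAGMENT_EC2_COMMAND, FRAGMENT_WITH_TYPO):
        actions = parse_fragment(fragment)
        problems = validate(actions, known_prefixes(BASE_POLICY))
        if problems:
            print("rejected:", problems)
        else:
            print(json.dumps(add_to_general_statement(BASE_POLICY, actions), indent=2))
```

Keeping the merge separate from the validation means a fragment with a typo is rejected before it reaches the policy, and re-running the same fragment twice does not grow the Action list.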
Feel free to create your own customized policy!