Minimum IAM User Policy (4.0)
If you use the example templates to spin up the infrastructure, the user who performs the installation must be granted the minimum permissions needed to provision the AWS resources.
You do not need to set up the following if the user performing the installation already has the AdministratorAccess policy.
As a best practice, it is preferable to set up a minimum IAM policy for the user who performs the installation.
For IAM user creation, refer to the AWS documentation: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html.
The following table lists the policies required by each application.
Application | IAM Policies |
---|---|
eksctl | Refer to Minimum IAM policies - eksctl |
Terraform | The policy document below |

The Terraform policy document:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:GetCallerIdentity",
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeVpcs",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeSubnets",
        "rds:AddTagsToResource",
        "rds:ListTagsForResource",
        "rds:CreateDBInstance",
        "rds:CreateDBSubnetGroup",
        "rds:DeleteDBSubnetGroup",
        "rds:DeleteDBInstance",
        "rds:ModifyDBInstance",
        "ec2:Describe*",
        "rds:Describe*",
        "rds:CreateDBParameterGroup",
        "rds:ModifyDBParameterGroup",
        "rds:DeleteDBParameterGroup",
        "rds:CreateOptionGroup",
        "rds:ModifyOptionGroup",
        "rds:DeleteOptionGroup"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:GetHostedZone",
        "route53:CreateHostedZone",
        "route53:ListHostedZones",
        "route53:ChangeTagsForResource",
        "route53:ChangeResourceRecordSets",
        "route53:ListResourceRecordSets",
        "route53:GetChange",
        "route53:ListTagsForResource",
        "route53:GetDNSSEC",
        "route53:DeleteHostedZone"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "acm:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticfilesystem:Describe*",
        "elasticfilesystem:DeleteAccessPoint",
        "elasticfilesystem:CreateMountTarget",
        "elasticfilesystem:CreateFileSystem",
        "elasticfilesystem:ListTagsForResource",
        "elasticfilesystem:DeleteMountTarget",
        "elasticfilesystem:CreateAccessPoint",
        "elasticfilesystem:DeleteFileSystem",
        "elasticfilesystem:TagResource",
        "elasticfilesystem:UpdateFileSystem"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:Describe*",
        "ssm:GetParameter*",
        "ssm:ListTagsForResource",
        "ssm:PutParameter",
        "ssm:DeleteParameter*",
        "ssm:AddTagsToResource"
      ],
      "Resource": "*"
    },
    {
      "Action": "iam:CreateServiceLinkedRole",
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "rds.amazonaws.com"
        }
      }
    }
  ]
}
```
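As an added example (not part of this page or the product's own tooling), the following Python script shows how to check a policy document like the Terraform one above against the actions an installation run needs, using IAM's case-insensitive wildcard matching, and how to flag Allow statements that grant a whole service (such as kms:* or acm:*) on every resource with no Condition, so they can be reviewed before the user is created. The embedded policy is a constructed excerpt of the document above, and the required-action list is an assumption.

```python
import fnmatch
import json

# Constructed excerpt of the Terraform policy shown above (not the full document).
POLICY_EXCERPT = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["sts:GetCallerIdentity", "ec2:Describe*",
                "rds:CreateDBInstance", "rds:Describe*"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ["kms:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole",
     "Resource": "arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS",
     "Condition": {"StringLike": {"iam:AWSServiceName": "rds.amazonaws.com"}}}
  ]
}
""")

# Assumed list of actions an installation run needs (hypothetical input).
REQUIRED_ACTIONS = ["ec2:DescribeVpcs", "rds:CreateDBInstance",
                    "kms:CreateKey", "eks:DescribeCluster"]

def _as_list(value):
    # IAM allows "Action"/"Resource" to be a single string or a list.
    return value if isinstance(value, list) else [value]

def action_matches(pattern, action):
    # IAM matches action names case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def allowed_actions(policy, actions):
    """Return the sorted subset of `actions` granted by some Allow statement."""
    allowed = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            allowed.update(a for a in actions if action_matches(pattern, a))
    return sorted(allowed)

def broad_grants(policy):
    """Flag Allow statements granting a whole service on Resource '*' with no Condition."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        findings.extend(p for p in _as_list(stmt.get("Action", []))
                        if p == "*" or p.endswith(":*"))
    return findings
```

Running `allowed_actions(POLICY_EXCERPT, REQUIRED_ACTIONS)` shows which required actions the excerpt covers, and `broad_grants(POLICY_EXCERPT)` lists the service-wide grants worth scoping down if the deployment allows it.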