Creating AWS Identity and Access Management (IAM) User

SUMMARY

Creating AWS Identity and Access Management (IAM) User

ISSUE

The following privileges are required to run Boomerang.

  • Full access to AWS EC2 services
  • Full access to AWS S3 services
  • Full access to AWS CloudFormation services
  • Access to a number of IAM service APIs

TASKS

We strongly recommend creating a new user with the minimum required privileges via AWS Identity and Access Management (IAM), as follows.

First, open the IAM service in the AWS console and create a new user. Make sure to download the user's AWS credentials; they will be used to set up a Credentials Profile in Boomerang.


Click the user to open the summary page. Open "Inline Policies" under "Permission", and click the "click here" link.


Select "Custom Policy".


A more detailed policy configuration:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:*",
                "s3:*",
                "ec2:*",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:ListRolePolicies",
                "iam:ListRoles",
                "iam:PutRolePolicy"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

If a finer-grained least-privilege policy is required, the following policy can be used as a base:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BoomerangEc2Actions",
            "Effect": "Allow",
            "Action": [
                "ec2:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "BoomerangCloudFormationActions",
            "Effect": "Allow",
            "Action": [
                "cloudformation:*"
            ],
            "Resource": "*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "{external IP address of appliance}"
                }
            }
        },
        {
            "Sid": "BoomerangIAMActions",
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:ListRoles",
                "iam:PutRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:ListRolePolicies"
            ],
            "Resource": "*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "{external IP address of appliance}"
                }
            }
        },
        {
            "Sid": "BoomerangS3BucketActions",
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::{bucket-name}",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "{external IP address of appliance}"
                }
            }
        },
        {
            "Sid": "BoomerangS3ObjectActions",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject*",
                "s3:PutObject*",
                "s3:DeleteObject*",
                "s3:ListMultipartUploadParts",
                "s3:AbortMultipartUpload"
            ],
            "Resource": "arn:aws:s3:::{bucket-name}/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "{external IP address of appliance}"
                }
            }
        },
        {
            "Sid": "AwsVmImportEc2Actions",
            "Effect": "Allow",
            "Action": [
                "ec2:ModifySnapshotAttribute",
                "ec2:CopySnapshot",
                "ec2:RegisterImage",
                "ec2:Describe*"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:username": "vm_import_image",
                    "aws:principaltype": "AssumedRole"
                }
            }
        },
        {
            "Sid": "AwsVmImportS3BucketActions",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::{bucket-name}",
            "Condition": {
                "StringEquals": {
                    "aws:username": "vm_import_image",
                    "aws:principaltype": "AssumedRole"
                }
            }
        },
        {
            "Sid": "AwsVmImportS3ObjectActions",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::{bucket-name}/rawdisk/*"
        },
        {
            "Sid": "BoomerangCopybackToolS3ObjectActions",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject*"
            ],
            "Resource": "arn:aws:s3:::{bucket-name}/tool/*"
        },
        {
            "Sid": "BoomerangCopybackS3ObjectActions",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject*"
            ],
            "Resource": "arn:aws:s3:::{bucket-name}/copyback/*"
        }
    ]
}
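As an added example (not part of the original article or of Boomerang itself), the script below fills in the two placeholders used by the policy above, validates that the appliance address is a usable IP or CIDR for aws:SourceIp and that the bucket name is well formed, and then reports which Allow statements still grant a service-wide wildcard on Resource "*" with no Condition, which is the first thing to review when tightening this base policy. The function names, the sample address 203.0.113.10/32 and the bucket name are constructed for the example; POLICY_TEMPLATE is a two-statement subset of the article's policy.

```python
import ipaddress
import json
import re

# Constructed subset of the fine-grained policy from the article: one unconditioned
# service-wide statement and one IP-restricted bucket statement, placeholders intact.
POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "BoomerangEc2Actions", "Effect": "Allow",
     "Action": ["ec2:*"], "Resource": "*"},
    {"Sid": "BoomerangS3ObjectActions", "Effect": "Allow",
     "Action": ["s3:GetObject*", "s3:PutObject*"],
     "Resource": "arn:aws:s3:::{bucket-name}/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "{external IP address of appliance}"}}}
  ]
}"""


def render_policy(template, appliance_ip, bucket_name):
    """Replace the article's placeholders and return the parsed policy document."""
    # aws:SourceIp expects an IP address or CIDR block; reject anything else early.
    ipaddress.ip_network(appliance_ip, strict=False)  # raises ValueError if malformed
    if not re.fullmatch(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]", bucket_name):
        raise ValueError("invalid S3 bucket name: %r" % bucket_name)
    rendered = template.replace("{external IP address of appliance}", appliance_ip)
    rendered = rendered.replace("{bucket-name}", bucket_name)
    return json.loads(rendered)  # also proves the result is still valid JSON


def unconditioned_wildcards(policy):
    """Sids of Allow statements with a 'service:*' action on Resource '*' and no Condition."""
    findings = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if (stmt.get("Effect") == "Allow" and "Condition" not in stmt
                and "*" in resources and any(a.endswith(":*") for a in actions)):
            findings.append(stmt["Sid"])
    return findings


if __name__ == "__main__":
    policy = render_policy(POLICY_TEMPLATE, "203.0.113.10/32", "boomerang-backups")
    print(json.dumps(policy, indent=2))
    print("statements to review:", unconditioned_wildcards(policy))
```

Paste the article's full policy in place of POLICY_TEMPLATE to render and check it as a whole; the rendered JSON is what goes into the custom inline policy.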