SUMMARY
Creating AWS Identity and Access Management (IAM) User
ISSUE
The following privileges are required to run Boomerang.
- Full access to AWS EC2 services
- Full access to AWS S3 services
- Full access to AWS CloudFormation services
- Access to number of IAM service APIs
TASKS
We strongly recommend you to create a new user with the minimum privileges via AWS Identity and Access Management (IAM) as follows.
First, access the IAM service on the AWS console and create a new user. Make sure to download the user's AWS credential. It will be used to set up a Credentials Profile in Boomerang.
Click the user to open the summary page. Open "Inline Policies" under "Permission", and click the "click here" link.
Select "Custom Policy".
A more detailed policy configuration:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudformation:*",
"s3:*",
"ec2:*",
"iam:CreateRole",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:PutRolePolicy"
],
"Resource": [
"*"
]
}
]
}
If there is a requirement for more fine grained least privilege, the following policy can be used as a base:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "BoomerangEc2Actions",
"Effect": "Allow",
"Action": [
"ec2:*"
],
"Resource": "*"
},
{
"Sid": "BoomerangCloudFormationActions",
"Effect": "Allow",
"Action": [
"cloudformation:*"
],
"Resource": "*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "{external IP address of appliance}"
}
}
},
{
"Sid": "BoomerangIAMActions",
"Effect": "Allow",
"Action": [
"iam:CreateRole",
"iam:DeleteRole",
"iam:ListRoles",
"iam:PutRolePolicy",
"iam:DeleteRolePolicy",
"iam:ListRolePolicies"
],
"Resource": "*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "{external IP address of appliance}"
}
}
},
{
"Sid": "BoomerangS3BucketActions",
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::{bucket-name}",
"Condition": {
"IpAddress": {
"aws:SourceIp": "{external IP address of appliance}"
}
}
},
{
"Sid": "BoomerangS3ObjectActions",
"Effect": "Allow",
"Action": [
"s3:GetObject*",
"s3:PutObject*",
"s3:DeleteObject*",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload"
],
"Resource": "arn:aws:s3:::{bucket-name}/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "{external IP address of appliance}"
}
}
},
{
"Sid": "AwsVmImportEc2Actions",
"Effect": "Allow",
"Action": [
"ec2:ModifySnapshotAttribute",
"ec2:CopySnapshot",
"ec2:RegisterImage",
"ec2:Describe*"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:username": "vm_import_image",
"aws:principaltype": "AssumedRole"
}
}
},
{
"Sid": "AwsVmImportS3BucketActions",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::{bucket-name}",
"Condition": {
"StringEquals": {
"aws:username": "vm_import_image",
"aws:principaltype": "AssumedRole"
}
}
},
{
"Sid": "AwsVmImportS3ObjectActions",
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::{bucket-name}/rawdisk/*"
},
{
"Sid": "BoomerangCopybackToolS3ObjectActions",
"Effect": "Allow",
"Action": [
"s3:GetObject*"
],
"Resource": "arn:aws:s3:::{bucket-name}/tool/*"
},
{
"Sid": "BoomerangCopybackS3ObjectActions",
"Effect": "Allow",
"Action": [
"s3:PutObject*"
],
"Resource": "arn:aws:s3:::{bucket-name}/copyback/*"
}
]
}