SUMMARY
Creating AWS Identity and Access Management (IAM) User
ISSUE
The following privileges are required to run Boomerang.
- Full access to AWS EC2 services
- Full access to AWS S3 services
- Full access to AWS CloudFormation services
- Access to a number of IAM service APIs (listed in the policies below)
TASKS
We strongly recommend that you create a new user with the minimum privileges via AWS Identity and Access Management (IAM), as follows.
First, access the IAM service on the AWS console and create a new user. Make sure to download the user's AWS credentials; they will be used to set up a Credentials Profile in Boomerang.
Click the user to open the summary page. Open "Inline Policies" under "Permission", and click the "click here" link.
Select "Custom Policy".
A more detailed policy configuration:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:*",
        "s3:*",
        "ec2:*",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:ListRolePolicies",
        "iam:ListRoles",
        "iam:PutRolePolicy"
      ],
      "Resource": [ "*" ]
    }
  ]
}
If a more fine-grained, least-privilege policy is required, the following policy can be used as a base. Replace {bucket-name} with the S3 bucket Boomerang uses and {external IP address of appliance} with the appliance's public IP address or CIDR range:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BoomerangEc2Actions",
      "Effect": "Allow",
      "Action": [ "ec2:*" ],
      "Resource": "*"
    },
    {
      "Sid": "BoomerangCloudFormationActions",
      "Effect": "Allow",
      "Action": [ "cloudformation:*" ],
      "Resource": "*",
      "Condition": {
        "IpAddress": { "aws:SourceIp": "{external IP address of appliance}" }
      }
    },
    {
      "Sid": "BoomerangIAMActions",
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:ListRoles",
        "iam:PutRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:ListRolePolicies"
      ],
      "Resource": "*",
      "Condition": {
        "IpAddress": { "aws:SourceIp": "{external IP address of appliance}" }
      }
    },
    {
      "Sid": "BoomerangS3BucketActions",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::{bucket-name}",
      "Condition": {
        "IpAddress": { "aws:SourceIp": "{external IP address of appliance}" }
      }
    },
    {
      "Sid": "BoomerangS3ObjectActions",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject*",
        "s3:PutObject*",
        "s3:DeleteObject*",
        "s3:ListMultipartUploadParts",
        "s3:AbortMultipartUpload"
      ],
      "Resource": "arn:aws:s3:::{bucket-name}/*",
      "Condition": {
        "IpAddress": { "aws:SourceIp": "{external IP address of appliance}" }
      }
    },
    {
      "Sid": "AwsVmImportEc2Actions",
      "Effect": "Allow",
      "Action": [
        "ec2:ModifySnapshotAttribute",
        "ec2:CopySnapshot",
        "ec2:RegisterImage",
        "ec2:Describe*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:username": "vm_import_image",
          "aws:principaltype": "AssumedRole"
        }
      }
    },
    {
      "Sid": "AwsVmImportS3BucketActions",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::{bucket-name}",
      "Condition": {
        "StringEquals": {
          "aws:username": "vm_import_image",
          "aws:principaltype": "AssumedRole"
        }
      }
    },
    {
      "Sid": "AwsVmImportS3ObjectActions",
      "Effect": "Allow",
      "Action": [ "s3:GetObject" ],
      "Resource": "arn:aws:s3:::{bucket-name}/rawdisk/*"
    },
    {
      "Sid": "BoomerangCopybackToolS3ObjectActions",
      "Effect": "Allow",
      "Action": [ "s3:GetObject*" ],
      "Resource": "arn:aws:s3:::{bucket-name}/tool/*"
    },
    {
      "Sid": "BoomerangCopybackS3ObjectActions",
      "Effect": "Allow",
      "Action": [ "s3:PutObject*" ],
      "Resource": "arn:aws:s3:::{bucket-name}/copyback/*"
    }
  ]
}
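As an added example (not part of this article and not Boomerang's own tooling), the following Python script fills in the two placeholders of the fine-grained base policy after validating the values, then lists the Allow statements on Resource "*" that carry no Condition so they can be reviewed before the policy is attached. The template is an abbreviated copy of three statements from the policy above, and the bucket name and address are constructed sample values.

```python
import ipaddress
import json
import re

# Constructed, abbreviated copy of the fine-grained base policy (three of its
# statements); the full policy from the article renders the same way.
POLICY_TEMPLATE = """{ "Version": "2012-10-17", "Statement": [
 { "Sid": "BoomerangEc2Actions", "Effect": "Allow", "Action": [ "ec2:*" ], "Resource": "*" },
 { "Sid": "BoomerangCloudFormationActions", "Effect": "Allow", "Action": [ "cloudformation:*" ],
   "Resource": "*", "Condition": { "IpAddress": { "aws:SourceIp": "{external IP address of appliance}" } } },
 { "Sid": "BoomerangS3BucketActions", "Effect": "Allow",
   "Action": [ "s3:CreateBucket", "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:GetBucketLocation" ],
   "Resource": "arn:aws:s3:::{bucket-name}",
   "Condition": { "IpAddress": { "aws:SourceIp": "{external IP address of appliance}" } } }
] }"""

# S3 bucket naming rules: 3-63 characters, lowercase letters, digits, dots, hyphens.
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def render_policy(template, bucket_name, appliance_ip):
    """Substitute the two placeholders after validating both values."""
    if not BUCKET_RE.match(bucket_name):
        raise ValueError(f"invalid S3 bucket name: {bucket_name!r}")
    # aws:SourceIp accepts an address or CIDR range; a bare address becomes a /32.
    source_ip = str(ipaddress.ip_network(appliance_ip, strict=False))
    rendered = (template.replace("{bucket-name}", bucket_name)
                        .replace("{external IP address of appliance}", source_ip))
    return json.loads(rendered)  # fails loudly if the template is not valid JSON


def unconditioned_wildcards(policy):
    """Sids of Allow statements on Resource "*" that carry no Condition."""
    flagged = []
    for stmt in policy["Statement"]:
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        if stmt["Effect"] == "Allow" and "*" in resources and "Condition" not in stmt:
            flagged.append(stmt["Sid"])
    return flagged


if __name__ == "__main__":
    policy = render_policy(POLICY_TEMPLATE, "example-boomerang-bucket", "203.0.113.10")
    print(json.dumps(policy, indent=2))
    print("review these statements:", unconditioned_wildcards(policy))
```

With the sample values, only BoomerangEc2Actions is flagged, which matches the policy above: it is the one statement that grants a wildcard resource with no source-IP restriction.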