AWS Private Region Access

How to manage AWS Private Region Access

Written by Owen Badger
Updated over 3 months ago

Infrastructure Management (IAM Role -- Assume Role Identity)

Role Name:

Bebop-Admin-Role

Tasks performed:

KMS management for encrypted disks

Access AWS Marketplace for the CentOS 7 AMI

Set up SNS and CloudWatch to send notifications to MCP

Create support tickets for quota increases.

Policy:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "support:*",
      "ec2:*",
      "sns:*",
      "kms:*",
      "logs:*",
      "cloudwatch:*",
      "events:*",
      "route53:*",
      "aws-marketplace:*",
      "iam:PassRole",
      "aws-portal:ViewAccount",
      "aws-portal:ViewBilling",
      "aws-portal:ViewUsage"
    ],
    "Resource": "*"
  }]
}

Application Service User

User:

bebopserviceuser

Tasks performed:

Launch, start, stop and terminate EC2 instances on behalf of the BeBop application.

Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:*AccessKey*",
        "iam:ChangePassword",
        "iam:GetUser",
        "iam:*ServiceSpecificCredential*",
        "iam:*SigningCertificate*"
      ],
      "Resource": ["arn:aws:iam::*:user/${aws:username}"]
    }
  ]
}

Initial Setup User

Username:

terraform

Tasks performed:

Initial infrastructure setup

Note: the terraform user can be removed once BeBop onboarding is done.

Policy:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:*",
      "sns:*",
      "kms:*",
      "logs:*",
      "cloudwatch:*",
      "events:*",
      "aws-marketplace:*",
      "iam:PassRole"
    ],
    "Resource": "*"
  }]
}

Roles Needed:

prometheus

Tasks performed:

Used by Prometheus's AWS EC2 service discovery to find running instances.

IAM Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    }
  ]
}

Trust Relationship:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
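As an added check, not part of this article or of BeBop's own tooling, the following Python script parses policy documents in the format shown above and reports every Allow statement that grants a full service wildcard (such as "ec2:*") or a privilege-sensitive action such as iam:PassRole on Resource "*". The two embedded policies are constructed copies of the bebopserviceuser and prometheus policies from this page, and ESCALATION_ACTIONS is an assumed shortlist, not an exhaustive one.

```python
"""Static review of IAM policy documents like the ones on this page.
Added example (not BeBop's own tooling): flags Allow statements that grant
a whole service ("ec2:*") or a privilege-sensitive action (iam:PassRole)
on Resource "*", so least-privilege gaps in each policy are explicit."""
import json
from fnmatch import fnmatch

# Assumed shortlist of actions that let a principal widen its own or
# another principal's access when they are granted on every resource.
ESCALATION_ACTIONS = ("iam:PassRole", "iam:*", "sts:AssumeRole")


def _as_list(value):
    # IAM accepts a string or a list for Action/Resource; normalise to a list.
    return value if isinstance(value, list) else [value]


def review_policy(policy):
    """Return (statement label, action, reason) tuples for risky Allow grants."""
    findings = []
    for idx, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        label = stmt.get("Sid") or f"Statement[{idx}]"
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue  # scoped to specific ARNs; not flagged by this check
        for action in _as_list(stmt.get("Action", [])):
            if action.endswith(":*"):
                findings.append((label, action, "full service wildcard on all resources"))
            elif any(fnmatch(action, pat) for pat in ESCALATION_ACTIONS):
                findings.append((label, action, "privilege-sensitive action on all resources"))
    return findings


# Constructed copies of two policies from this page: the bebopserviceuser
# policy (broad EC2 and PassRole grants) and the prometheus role policy.
SERVICE_USER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:*AccessKey*", "iam:GetUser"],
     "Resource": ["arn:aws:iam::*:user/${aws:username}"]}
  ]
}""")
PROMETHEUS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}
```

Running review_policy over the admin and terraform policies above reports every "service:*" entry plus iam:PassRole, while the prometheus role's ec2:Describe* grant produces no findings.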
