Overview
Enterprise OS is a managed services deployment on AWS. We provision all infrastructure, networking, and storage for the Enterprise OS deployment. To maintain the deployed application effectively, we need the following roles and permissions.
Infrastructure Management (IAM Role -- Assume Role Identity)
Role Name:
Bebop-Admin-Role
Tasks performed:
KMS management for Encrypted Disks
Access MarketPlace for CentOS 7 AMI
Set up SNS and CloudWatch to send notifications to MCP
Create support tickets for quota increases
Policy:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "support:*",
      "ec2:*",
      "sns:*",
      "kms:*",
      "logs:*",
      "cloudwatch:*",
      "events:*",
      "route53:*",
      "aws-marketplace:*",
      "iam:PassRole",
      "aws-portal:ViewAccount",
      "aws-portal:ViewBilling",
      "aws-portal:ViewUsage"
    ],
    "Resource": "*"
  }]
}
Application Service Role
Role: BebopServiceRole
Tasks performed:
Launch, start, stop and terminate EC2 instances on behalf of the Enterprise application
Rotate IAM access keys for the Flex service user (only if Flex is needed)
Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:RetireGrant",
        "kms:CreateGrant",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:Encrypt",
        "kms:DescribeKey",
        "kms:Decrypt"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:*AccessKey*",
        "iam:ChangePassword",
        "iam:GetUser",
        "iam:*ServiceSpecificCredential*",
        "iam:*SigningCertificate*"
      ],
      "Resource": [
        "arn:aws:iam::*:user/bbpflexsrvcuser"
      ]
    }
  ]
}
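A small offline check of the two permission policies above, added here as an example; it is not code from the page or from the deployment tooling. It parses constructed copies of the Bebop-Admin-Role and BebopServiceRole documents (json.loads rejects a document with a missing comma, which is the first thing to confirm before attaching a policy), lists service-wide wildcards granted on Resource "*", flags iam:PassRole with no resource or Condition restriction, and answers "on which resources may this role call a given action", which is how one confirms that the access-key rotation for the Flex user is scoped to that single user. Deny statements, NotAction and Condition blocks are not evaluated; the policy contents are copied from the page, everything else is an assumption of this example.

```python
import json
from fnmatch import fnmatchcase

# Constructed copies of the two permission policies documented above
# (Bebop-Admin-Role and BebopServiceRole), embedded so the checks run offline.
ADMIN_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["support:*", "ec2:*", "sns:*", "kms:*", "logs:*", "cloudwatch:*",
               "events:*", "route53:*", "aws-marketplace:*", "iam:PassRole",
               "aws-portal:ViewAccount", "aws-portal:ViewBilling", "aws-portal:ViewUsage"],
    "Resource": "*"
  }]
}
""")

SERVICE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["kms:RetireGrant", "kms:CreateGrant", "kms:ReEncrypt*", "kms:GenerateDataKey*",
                "kms:Encrypt", "kms:DescribeKey", "kms:Decrypt"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["iam:*AccessKey*", "iam:ChangePassword", "iam:GetUser",
                "iam:*ServiceSpecificCredential*", "iam:*SigningCertificate*"],
     "Resource": ["arn:aws:iam::*:user/bbpflexsrvcuser"]}
  ]
}
""")


def _as_list(value):
    """IAM accepts a string or a list in Statement / Action / Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allow_grants(policy):
    """Yield (action_pattern, resource, statement) for every Allow statement.
    Deny statements, NotAction and Condition blocks are not evaluated here."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        for pattern in _as_list(stmt["Action"]):
            for resource in _as_list(stmt.get("Resource", [])):
                yield pattern, resource, stmt


def service_wide_wildcards(policy):
    """Actions of the form service:* (or a bare *) that are granted on Resource '*'."""
    hits = set()
    for pattern, resource, _ in allow_grants(policy):
        if resource == "*" and pattern.split(":", 1)[-1] == "*":
            hits.add(pattern)
    return sorted(hits)


def unrestricted_passrole(policy):
    """True if iam:PassRole is allowed on every role with no Condition limiting
    which service may receive it (for example iam:PassedToService)."""
    return any(
        fnmatchcase("iam:passrole", p.lower()) and r == "*" and "Condition" not in s
        for p, r, s in allow_grants(policy)
    )


def resources_for(policy, action):
    """Resources on which `action` is allowed. IAM matches action names
    case-insensitively with * and ? as wildcards, which fnmatch also supports."""
    found = []
    for pattern, resource, _ in allow_grants(policy):
        if fnmatchcase(action.lower(), pattern.lower()) and resource not in found:
            found.append(resource)
    return found


if __name__ == "__main__":
    for name, policy in [("Bebop-Admin-Role", ADMIN_POLICY), ("BebopServiceRole", SERVICE_POLICY)]:
        print(name)
        print("  service-wide wildcards on Resource *:", service_wide_wildcards(policy))
        print("  iam:PassRole without restriction:   ", unrestricted_passrole(policy))
        print("  iam:CreateAccessKey allowed on:     ", resources_for(policy, "iam:CreateAccessKey"))
```

Run against the documents as written, the check reports nine service-wide wildcards for the admin role and one (ec2:*) for the service role, an unrestricted iam:PassRole on both, and iam:CreateAccessKey limited to arn:aws:iam::*:user/bbpflexsrvcuser for the service role, while iam:CreateUser is not granted anywhere.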
Instance Role for SSM & Monitoring
Roles Needed: BebopInstanceRole
Tasks performed:
Used by AWS service discovery to find running instances
Used for SSM Session Manager Access
IAM Policy:
Attach the AWS managed policy AmazonSSMManagedInstanceCore
Attach the inline policy below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    }
  ]
}
Trust Relationship:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
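The trust relationship, not the permission policy, decides who can obtain the instance role's credentials, so it is worth checking separately. The following is an added example, not code from the page or the deployment: it reads a constructed copy of the BebopInstanceRole trust policy above, extracts every principal allowed to call an sts:AssumeRole* action, and reports anything other than the expected EC2 service principal. A second, constructed trust policy with "AWS": "*" shows what a finding looks like; that document and the expected-service set are assumptions of this example, and Condition blocks are not evaluated.

```python
import json
from fnmatch import fnmatchcase

# Constructed copy of the BebopInstanceRole trust relationship documented above.
INSTANCE_TRUST = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "", "Effect": "Allow",
     "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"}
  ]
}
""")

# Constructed counter-example (not from the page): a trust policy that lets any
# AWS principal in any account assume the role.
OPEN_TRUST = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}
  ]
}
""")

# The STS actions through which a role can be assumed (lower-cased for matching).
ASSUME_ACTIONS = ("sts:assumerole", "sts:assumerolewithsaml", "sts:assumerolewithwebidentity")


def _as_list(value):
    """IAM accepts a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def assume_principals(trust_policy):
    """Return (kind, principal) pairs allowed to assume the role,
    e.g. ('Service', 'ec2.amazonaws.com'). Condition blocks are not evaluated."""
    pairs = []
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatchcase(act, p) for act in ASSUME_ACTIONS for p in patterns):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # "Principal": "*" is shorthand for any AWS principal
            pairs.append(("AWS", "*"))
            continue
        for kind, values in principal.items():
            for value in _as_list(values):
                pairs.append((kind, value))
    return pairs


def trust_findings(trust_policy, expected_services):
    """Report wildcard principals and any principal other than the expected services."""
    findings = []
    for kind, value in assume_principals(trust_policy):
        if value == "*":
            findings.append(f"wildcard {kind} principal may assume the role")
        elif kind != "Service" or value not in expected_services:
            findings.append(f"unexpected principal {kind}:{value}")
    return findings


if __name__ == "__main__":
    expected = {"ec2.amazonaws.com"}
    print("BebopInstanceRole trust:", trust_findings(INSTANCE_TRUST, expected) or "ok")
    print("open trust policy:      ", trust_findings(OPEN_TRUST, expected) or "ok")
```

The documented trust policy yields no findings: only the EC2 service principal may assume the role, which is what keeps the attached AmazonSSMManagedInstanceCore and ec2:Describe* permissions tied to instances rather than to users or other accounts. The empty "Sid" in the original document is valid and is ignored by the check.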