AWS Private Region Access Roles

What are the AWS Private Region Access Roles?

Written by Owen Badger
Updated over 2 months ago

Overview

Enterprise OS is a managed services deployment on AWS. We provision all infrastructure, network, and storage for the Enterprise OS deployment. To effectively maintain the deployed application, we need the following roles and permissions.

Infrastructure Management (IAM Role -- Assume Role Identity)

Role Name:

  • Bebop-Admin-Role

Tasks performed:

  • KMS management for Encrypted Disks

  • Access the AWS Marketplace for the CentOS 7 AMI

  • Set up SNS and CloudWatch to send notifications to MCP

  • Create support tickets for quota increases.

Policy:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "support:*",
      "ec2:*",
      "sns:*",
      "kms:*",
      "logs:*",
      "cloudwatch:*",
      "events:*",
      "route53:*",
      "aws-marketplace:*",
      "iam:PassRole",
      "aws-portal:ViewAccount",
      "aws-portal:ViewBilling",
      "aws-portal:ViewUsage"
    ],
    "Resource": "*"
  }]
}

Application Service Role

Role: BebopServiceRole

Tasks performed:

  • Launch, start, stop and terminate EC2 instances on behalf of the Enterprise application.

  • Rotate IAM keys for the Flex service user (only if Flex is needed)

Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:RetireGrant",
        "kms:CreateGrant",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:Encrypt",
        "kms:DescribeKey",
        "kms:Decrypt"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:*AccessKey*",
        "iam:ChangePassword",
        "iam:GetUser",
        "iam:*ServiceSpecificCredential*",
        "iam:*SigningCertificate*"
      ],
      "Resource": [
        "arn:aws:iam::*:user/bbpflexsrvcuser"
      ]
    }
  ]
}

Instance Role for SSM & Monitoring

Role: BebopInstanceRole

Tasks performed:

  • Used by AWS service discovery to find running instances

  • Used for SSM Session Manager Access

IAM Policy:

Attach the AWS managed policy AmazonSSMManagedInstanceCore, and attach the inline policy below:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    }
  ]
}


Trust Relationship:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
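Before attaching these roles it is worth checking what each policy actually grants. The following script is an added example, not part of this article or the Enterprise OS deployment: it parses IAM policy documents with the standard library, reports Allow statements that grant service-wide wildcards or iam:PassRole on every resource (as the Bebop-Admin-Role and BebopServiceRole policies above do), and lists which service principals a trust relationship allows to assume the role. The sample documents embedded in it are transcribed from the policies above, abridged.

```python
import json

# Constructed samples transcribed from the article: the BebopServiceRole
# policy (abridged) and the BebopInstanceRole trust relationship.
SERVICE_ROLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:DescribeKey"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:*AccessKey*", "iam:GetUser"],
     "Resource": ["arn:aws:iam::*:user/bbpflexsrvcuser"]}]})
INSTANCE_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "", "Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"Service": "ec2.amazonaws.com"}}]})


def _as_list(value):
    """Action, Resource, Principal.Service and Statement may be one item or a list."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def audit_policy(policy_json):
    """Return (kind, action, resources) for every over-broad Allow statement.

    kind: 'admin-wildcard' (bare '*'), 'service-wildcard' ('svc:*') or
    'passrole-any' (iam:PassRole on Resource '*'). Scoped grants such as
    iam:*AccessKey* limited to one user ARN are not reported.
    """
    findings = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append(("admin-wildcard", action, resources))
            elif action.endswith(":*"):
                findings.append(("service-wildcard", action, resources))
            elif action == "iam:PassRole" and "*" in resources:
                findings.append(("passrole-any", action, resources))
    return findings


def trusted_services(trust_json):
    """Return the set of AWS service principals allowed to assume the role."""
    services = set()
    for stmt in _as_list(json.loads(trust_json)["Statement"]):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") == "Allow" and isinstance(principal, dict):
            services.update(_as_list(principal.get("Service", [])))
    return services
```

Running audit_policy over the BebopServiceRole sample reports the ec2:* service wildcard and iam:PassRole on every resource; the BebopInstanceRole inline policy (ec2:Describe* only) produces no findings, and its trust policy resolves to ec2.amazonaws.com alone.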

