AWS IAM Roles for a minimum Aerospike Cluster

Hello guys,

I was messing around with Aerospike, and I wanted to create a cluster on AWS. I will use the AMI provided on the AWS Marketplace, and I see that Aerospike uses the following AWS services: EC2, CloudFormation, EBS, SQS.

I was wondering if there is a minimum required AWS IAM policy for creating an Aerospike cluster, because I couldn't find one in the documentation.

Thanks in advance.

The default AWS IAM policies are usually enough. If you want to restrict access, you can write and test your own policies.

A policy like the one below restricts an IAM user to starting and stopping instances, plus a broad set of read-only Describe/Get actions on EC2. Adding access to the other AWS services you need (EBS, etc.) is up to you.

You could try creating policies in

https://console.aws.amazon.com/iam/home?region=us-west-2#/policies

Here is a sample policy to start with (note that `ec2:GetPasswordData`, `ec2:GetConsoleOutput` and `ec2:GetConsoleScreenshot` in the second statement return instance credentials and console contents, so drop them if the user does not need them):

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
            "ec2:StartInstances",
            "ec2:StopInstances",
            "ec2:GetConsoleScreenshot"
        ],
        "Resource": "arn:aws:ec2:*:*:instance/*"
    },
    {
        "Sid": "VisualEditor1",
        "Effect": "Allow",
        "Action": [
            "ec2:DescribeInstances",
            "ec2:DescribeSnapshots",
            "ec2:DescribeHostReservationOfferings",
            "ec2:DescribeVolumeStatus",
            "ec2:DescribeScheduledInstanceAvailability",
            "ec2:DescribeVolumes",
            "ec2:DescribeFpgaImageAttribute",
            "ec2:DescribeExportTasks",
            "ec2:DescribeKeyPairs",
            "ec2:DescribeReservedInstancesListings",
            "ec2:DescribeCapacityReservations",
            "ec2:DescribeClientVpnRoutes",
            "ec2:DescribeSpotFleetRequestHistory",
            "ec2:DescribeSnapshotAttribute",
            "ec2:DescribeVpcClassicLinkDnsSupport",
            "ec2:DescribeIdFormat",
            "ec2:DescribeVolumeAttribute",
            "ec2:DescribeImportSnapshotTasks",
            "ec2:DescribeVpcEndpointServicePermissions",
            "ec2:GetPasswordData",
            "ec2:DescribeTransitGatewayAttachments",
            "ec2:DescribeScheduledInstances",
            "ec2:DescribeImageAttribute",
            "ec2:DescribeFleets",
            "ec2:DescribeReservedInstancesModifications",
            "ec2:DescribeSubnets",
            "ec2:DescribeMovingAddresses",
            "ec2:DescribeFleetHistory",
            "ec2:DescribePrincipalIdFormat",
            "ec2:DescribeFlowLogs",
            "ec2:DescribeRegions",
            "ec2:DescribeTransitGateways",
            "ec2:DescribeVpcEndpointServices",
            "ec2:DescribeSpotInstanceRequests",
            "ec2:DescribeVpcAttribute",
            "ec2:ExportClientVpnClientCertificateRevocationList",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeTransitGatewayRouteTables",
            "ec2:DescribeNetworkInterfaceAttribute",
            "ec2:DescribeVpcEndpointConnections",
            "ec2:DescribeInstanceStatus",
            "ec2:DescribeHostReservations",
            "ec2:DescribeBundleTasks",
            "ec2:DescribeClassicLinkInstances",
            "ec2:DescribeIdentityIdFormat",
            "ec2:DescribeVpcEndpointConnectionNotifications",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeFpgaImages",
            "ec2:DescribeVpcs",
            "ec2:DescribeStaleSecurityGroups",
            "ec2:DescribeAggregateIdFormat",
            "ec2:ExportClientVpnClientConfiguration",
            "ec2:DescribeVolumesModifications",
            "ec2:GetHostReservationPurchasePreview",
            "ec2:DescribeClientVpnConnections",
            "ec2:DescribeByoipCidrs",
            "ec2:DescribePlacementGroups",
            "ec2:DescribeInternetGateways",
            "ec2:GetLaunchTemplateData",
            "ec2:SearchTransitGatewayRoutes",
            "ec2:DescribeSpotDatafeedSubscription",
            "ec2:DescribeAccountAttributes",
            "ec2:DescribeNetworkInterfacePermissions",
            "ec2:DescribeReservedInstances",
            "ec2:DescribeNetworkAcls",
            "ec2:DescribeRouteTables",
            "ec2:DescribeClientVpnEndpoints",
            "ec2:DescribeEgressOnlyInternetGateways",
            "ec2:DescribeLaunchTemplates",
            "ec2:DescribeVpcPeeringConnections",
            "ec2:DescribeVpnConnections",
            "ec2:DescribeReservedInstancesOfferings",
            "ec2:DescribeFleetInstances",
            "ec2:GetTransitGatewayAttachmentPropagations",
            "ec2:DescribeClientVpnTargetNetworks",
            "ec2:DescribeVpcEndpointServiceConfigurations",
            "ec2:DescribePrefixLists",
            "ec2:GetReservedInstancesExchangeQuote",
            "ec2:DescribeInstanceCreditSpecifications",
            "ec2:DescribeVpcClassicLink",
            "ec2:GetTransitGatewayRouteTablePropagations",
            "ec2:DescribeElasticGpus",
            "ec2:DescribeVpcEndpoints",
            "ec2:DescribeVpnGateways",
            "ec2:DescribeAddresses",
            "ec2:DescribeInstanceAttribute",
            "ec2:DescribeDhcpOptions",
            "ec2:GetConsoleOutput",
            "ec2:DescribeSpotPriceHistory",
            "ec2:DescribeNetworkInterfaces",
            "ec2:GetTransitGatewayRouteTableAssociations",
            "ec2:DescribeIamInstanceProfileAssociations",
            "ec2:DescribeTags",
            "ec2:DescribeLaunchTemplateVersions",
            "ec2:DescribeImportImageTasks",
            "ec2:DescribeNatGateways",
            "ec2:DescribeCustomerGateways",
            "ec2:DescribeSpotFleetRequests",
            "ec2:DescribeHosts",
            "ec2:DescribeImages",
            "ec2:DescribeSpotFleetInstances",
            "ec2:DescribeSecurityGroupReferences",
            "ec2:DescribeClientVpnAuthorizationRules",
            "ec2:DescribePublicIpv4Pools",
            "ec2:DescribeTransitGatewayVpcAttachments",
            "ec2:DescribeConversionTasks"
        ],
        "Resource": "*"
    }
]

}