AWS - Use Existing Account Requirements

If you plan to deploy the POC infrastructure assets using an existing AWS account and you have "root" access, or your IAM user is in the "Administrator" group, or your IAM user has the "AdministratorAccess" policy attached, you already hold every permission needed and can skip the user and policy creation steps below. (Prefer an IAM administrator user over the root credentials for this work; root should be reserved for account-level tasks.)

If you plan to deploy the POC infrastructure assets using an existing AWS account and your access is delegated by an IT administrator within your organization, they may want you to use a new IAM user that carries only the specific privileges required. If this is the case, have them review the instructions below.

Regardless of your access method, if you want to logically segment these new assets from your existing assets, consider using an alternate AWS Region for this process. For example, if your existing assets are in region "us-east-1," you could use "us-east-2" to keep them separated. Note that IAM is a global service: the user and policy created below exist account-wide whatever region you pick, so the region split only separates regional resources such as EC2 instances, RDS databases and Lambda functions.

Creating a New User and Policy with Required Permissions
(not required for root users or Administrators)

Create the User

  1. Search for the IAM service and click on Users.

  2. Click on the Add user button.

  3. Add a user name, check Access type: Programmatic access and click on Next: Permissions.

  4. Click on Next: Tags.

  5. Click on Next: Review.

    • A warning message "This user has no permissions" is displayed; the permissions will be attached in the steps that follow.

  6. Click on Create user.

  7. Copy and store the Access key ID and Secret access key, as they will be used during the sandbox deployment. The secret access key is shown only once, so keep it in a password manager or secrets store rather than in a ticket or e-mail.

Create the Policy

  1. Search for the IAM service and click on Policies.

  2. Click on Create policy.

  3. Click on JSON.

  4. Copy the JSON document below and paste it into the editor:


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSPermissions",
            "Effect": "Allow",
            "Action": [
                "iam:List*",
                "iam:Attach*",
                "iam:Detach*",
                "iam:CreateAccessKey",
                "iam:DeleteAccessKey",
                "iam:CreateRole",
                "iam:GetRole",
                "iam:TagRole",
                "iam:DeleteRole",
                "iam:PassRole",
                "iam:CreateUser",
                "iam:DeleteUser",
                "iam:UpdateUser",
                "iam:TagUser",
                "iam:GetUser",
                "iam:PutRolePolicy",
                "iam:GetRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:CreatePolicy",
                "iam:GetPolicyVersion",
                "iam:DeletePolicyVersion",
                "iam:GetPolicy",
                "iam:DeletePolicy",
                "s3:Get*",
                "s3:Put*",
                "s3:List*",
                "s3:CreateBucket",
                "s3:DeleteBucket",
                "s3:DeleteObject",
                "ec2:Describe*",
                "ec2:CreateTags",
                "ec2:RunInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "ec2:CreateVolume",
                "ec2:CreateSnapshot",
                "ec2:DeleteSnapshot",
                "rds:Describe*",
                "rds:CreateDBSubnetGroup",
                "rds:DeleteDBInstance",
                "rds:CreateDBSnapshot",
                "rds:RemoveTagsFromResource",
                "rds:CreateDBInstance",
                "rds:AddTagsToResource",
                "rds:ListTagsForResource",
                "rds:ModifyDBInstance",
                "rds:CreateDBClusterSnapshot",
                "backup:GetBackupPlan",
                "backup:CreateBackupVault",
                "backup-storage:MountCapsule",
                "backup:UpdateBackupPlan",
                "backup:List*",
                "backup:GetBackupSelection",
                "backup:CreateBackupSelection",
                "backup:DescribeBackupVault",
                "backup:CreateBackupPlan",
                "backup:Delete*",
                "kms:RetireGrant",
                "kms:DescribeKey",
                "kms:CreateGrant",
                "kms:GenerateDataKey",
                "kms:Decrypt",
                "secretsmanager:DescribeSecret",
                "secretsmanager:PutSecretValue",
                "secretsmanager:DeleteSecret",
                "secretsmanager:GetRandomPassword",
                "secretsmanager:TagResource",
                "secretsmanager:CreateSecret",
                "secretsmanager:ListSecretVersionIds",
                "secretsmanager:UpdateSecret",
                "secretsmanager:GetResourcePolicy",
                "secretsmanager:GetSecretValue",
                "lambda:*",
                "apigateway:GET",
                "apigateway:DELETE",
                "apigateway:PUT",
                "apigateway:POST",
                "apigateway:PATCH",
                "logs:GetLogEvents",
                "logs:CreateLogGroup",
                "logs:DescribeLogStreams",
                "logs:DescribeLogGroups",
                "logs:DeleteLogGroup",
                "logs:GetLogGroupFields",
                "logs:ListTagsLogGroup"
            ],
            "Resource": "*"
        }
    ]
}

  5. Click on Review policy.

  6. Add a Name for the new policy.

  7. Click on Create policy.

Attach the Policy to the User

  1. Go to IAM users.

  2. Click on the user created in the "Create the User" steps.

  3. Click on Add permissions.

  4. Click on Attach existing policies directly.

  5. Search for the policy you created.

  6. Select the policy from the list.

  7. Click on Next: Review.

  8. Click on Add permissions.

  9. The user's permissions summary should now list the policy you created as attached directly to the user.
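The three console procedures above (create the user, create the policy, attach it) as one scripted run, added here as an example; this is not the page's or Neverfail's own tooling. It assumes boto3 is installed, that the caller already holds the administrative rights described at the top of the page, and that the policy JSON from the page has been saved as poc-deployer-policy.json in the working directory. The user and policy names are assumptions chosen for the example.

```python
"""Added example: the console steps above as a boto3 script (not the page's
own tooling). Assumes boto3, an administrative caller, and the page's policy
JSON saved as poc-deployer-policy.json. Names below are assumptions."""
import json
from pathlib import Path

USER_NAME = "nfcc-poc-deployer"            # assumed name for this example
POLICY_NAME = "nfcc-poc-deployer-policy"   # assumed name for this example
POLICY_FILE = Path("poc-deployer-policy.json")


def validate_policy_document(doc: dict) -> dict:
    """Reject the mistakes the console editor would reject, before any API call."""
    if doc.get("Version") != "2012-10-17":
        raise ValueError("policy Version must be 2012-10-17")
    statements = doc.get("Statement")
    if not isinstance(statements, list) or not statements:
        raise ValueError("policy needs a non-empty Statement list")
    for stmt in statements:
        if stmt.get("Effect") not in ("Allow", "Deny"):
            raise ValueError(f"bad Effect in statement {stmt.get('Sid')!r}")
        if "Action" not in stmt or "Resource" not in stmt:
            raise ValueError(f"statement {stmt.get('Sid')!r} needs Action and Resource")
    return doc


def policy_is_attached(attached_response: dict, policy_arn: str) -> bool:
    """True if a list_attached_user_policies() response shows policy_arn.
    This is the 'permissions summary' check the console procedure ends with."""
    return any(p.get("PolicyArn") == policy_arn
               for p in attached_response.get("AttachedPolicies", []))


def create_poc_deployer(iam, policy_doc: dict) -> dict:
    """Create the user and customer-managed policy, attach the policy, verify
    the attachment, then issue the access key. `iam` is a boto3 IAM client.
    Unlike the console order, the key is created last so that a run that
    fails part-way leaves no live credential behind."""
    iam.create_user(UserName=USER_NAME)
    policy_arn = iam.create_policy(
        PolicyName=POLICY_NAME,
        PolicyDocument=json.dumps(policy_doc),
    )["Policy"]["Arn"]
    iam.attach_user_policy(UserName=USER_NAME, PolicyArn=policy_arn)
    attached = iam.list_attached_user_policies(UserName=USER_NAME)
    if not policy_is_attached(attached, policy_arn):
        raise RuntimeError("policy attach did not take effect")
    key = iam.create_access_key(UserName=USER_NAME)["AccessKey"]
    return {
        "AccessKeyId": key["AccessKeyId"],
        "SecretAccessKey": key["SecretAccessKey"],
        "PolicyArn": policy_arn,
    }


if __name__ == "__main__":
    import boto3  # imported here so the helpers above work without the SDK

    doc = validate_policy_document(json.loads(POLICY_FILE.read_text()))
    result = create_poc_deployer(boto3.client("iam"), doc)
    # The secret is returned exactly once; hand it to a secrets store, not a ticket.
    print(json.dumps({"AccessKeyId": result["AccessKeyId"],
                      "PolicyArn": result["PolicyArn"]}))
    print("SecretAccessKey:", result["SecretAccessKey"])
```

Run it with credentials for the administrator account in the environment; the final list_attached_user_policies call is the scripted form of checking the user's permissions summary, and the run aborts before issuing a key if that check fails.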

Lambda Functions Execution Requirements

During deployment, the Terraform job will also create a new IAM user with specific privileges that enable the Neverfail Bots to operate on the sandbox assets. This is not the user that will be used for non-sandboxed customer components. Below is that user's policy. Note that the user carries the tag nfcc-poc = true and is named <customer_name>-user-<increment_number>.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BotsPermissions",
            "Effect": "Allow",
            "Action": [
                "iam:ListRoles",
                "iam:PassRole",
                "ec2:DescribeInstances",
                "ec2:DeleteSnapshot",
                "ec2:DescribeSnapshots",
                "ec2:DeleteTags",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeVolumes",
                "ec2:CreateSnapshot",
                "ec2:DescribeTags",
                "ec2:CreateTags",
                "backup:ListTags",
                "backup:ListBackupJobs",
                "backup:GetBackupPlan",
                "backup:ListBackupVaults",
                "backup:GetBackupSelection",
                "backup:DescribeBackupVault",
                "backup:ListBackupPlans",
                "backup:ListBackupSelections",
                "backup:TagResource",
                "backup:CreateBackupSelection",
                "lambda:GetFunctionConfiguration",
                "lambda:ListFunctions",
                "lambda:GetFunction",
                "s3:ListBucket",
                "s3:GetBucketPolicy",
                "s3:GetBucketTagging",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetBucketPolicyStatus",
                "s3:PutBucketPublicAccessBlock",
                "s3:GetBucketAcl",
                "s3:ListAllMyBuckets",
                "s3:PutBucketPolicy",
                "tag:TagResources",
                "tag:GetResources",
                "rds:DescribeDBInstances",
                "rds:ModifyDBInstance",
                "rds:DescribeDBSnapshots",
                "rds:DescribeDBClusterSnapshots",
                "rds:ModifyDBCluster",
                "rds:DeleteDBSnapshot",
                "rds:ListTagsForResource",
                "rds:CreateDBSnapshot",
                "rds:CreateDBClusterSnapshot"
            ],
            "Resource": "*"
        }
    ]
}
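Both policies above allow every listed action on Resource "*", which is the detail a delegating administrator will want to review before approving them. The following is an added example, not part of the page or of Neverfail's tooling: a small review script that expands the wildcard action patterns against a watch list of privilege-escalation and data-exposure actions and reports what each policy can reach. The two inputs are constructed excerpts of the "AWSPermissions" and "BotsPermissions" policies, kept short for the example; pass the full JSON documents to review() to check them in full.

```python
"""Added example (not part of the page): review IAM policies for wildcard
grants and for escalation/exposure actions allowed on Resource "*".
The policy excerpts below are constructed from the page's two policies."""
import fnmatch
import json

# Actions that let a principal grant itself more access when allowed on Resource "*".
ESCALATION_ACTIONS = {
    "iam:PassRole", "iam:CreateUser", "iam:CreateAccessKey",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:PutRolePolicy",
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:UpdateAssumeRolePolicy",
}
# Actions that can open any bucket in the account when allowed on Resource "*".
EXPOSURE_ACTIONS = {"s3:PutBucketPolicy", "s3:PutBucketPublicAccessBlock", "s3:PutBucketAcl"}

DEPLOYER_EXCERPT = {  # constructed excerpt of the "AWSPermissions" policy above
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AWSPermissions", "Effect": "Allow",
                   "Action": ["iam:List*", "iam:Attach*", "iam:CreateAccessKey",
                              "iam:CreateUser", "iam:PassRole", "iam:PutRolePolicy",
                              "s3:Put*", "lambda:*", "logs:CreateLogGroup"],
                   "Resource": "*"}]}
BOTS_EXCERPT = {  # constructed excerpt of the "BotsPermissions" policy above
    "Version": "2012-10-17",
    "Statement": [{"Sid": "BotsPermissions", "Effect": "Allow",
                   "Action": ["iam:ListRoles", "iam:PassRole", "ec2:CreateSnapshot",
                              "s3:PutBucketPublicAccessBlock", "s3:PutBucketPolicy",
                              "rds:CreateDBSnapshot"],
                   "Resource": "*"}]}


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def expanded_grants(policy: dict) -> dict:
    """For every Allow statement on Resource "*", map each action pattern to
    the watch-list actions it matches. Wildcard patterns are kept even when
    they match nothing on the list, since they still need a reviewer's eye."""
    hits = {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            covered = sorted(a for a in ESCALATION_ACTIONS | EXPOSURE_ACTIONS
                             if fnmatch.fnmatchcase(a, pattern))
            if covered or pattern.endswith("*"):
                hits[pattern] = covered
    return hits


def review(policy: dict) -> dict:
    """Summarise wildcard patterns, escalation and exposure reach, and whether
    the policy is admin-equivalent (create a user, attach any managed policy)."""
    grants = expanded_grants(policy)
    matched = {a for acts in grants.values() for a in acts}
    return {
        "wildcard_patterns": sorted(p for p in grants if p.endswith("*")),
        "escalation_actions": sorted(matched & ESCALATION_ACTIONS),
        "exposure_actions": sorted(matched & EXPOSURE_ACTIONS),
        "admin_equivalent": {"iam:CreateUser", "iam:AttachUserPolicy"} <= matched,
    }


if __name__ == "__main__":
    for name, policy in (("deployer", DEPLOYER_EXCERPT), ("bots", BOTS_EXCERPT)):
        print(name, json.dumps(review(policy), indent=2))
```

On the deployer excerpt the report comes back admin_equivalent: iam:CreateUser plus iam:Attach* (which covers iam:AttachUserPolicy) and iam:CreateAccessKey on Resource "*" let the holder create a fresh user, attach AdministratorAccess to it and mint a key, unless a permissions boundary or SCP blocks that. Treat the deployer user's access key as an administrator credential: keep it short-lived and delete the user once the POC is torn down. The bots excerpt is narrower but still flags iam:PassRole and s3:PutBucketPolicy / s3:PutBucketPublicAccessBlock on every bucket in the account. If the delegating administrator wants to narrow either policy, the usual tools are explicit resource ARNs, a permissions boundary on the created user, or iam:ResourceTag / aws:RequestTag conditions keyed on the nfcc-poc tag; since the Terraform job expects the listed actions, test any narrowing against a full deployment before relying on it.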

THIS TASK IS DONE!

NEXT STEPS: Return to your task system and close out this ticket, then keep an eye out for your next deployment task.
