Creating an AWS Policy

To limit the control VM's access to your AWS account, IBM recommends creating a dedicated IAM policy that grants only the permissions needed to create and manage the EC2 instances (nodes) of the cluster and their supporting resources. The required permissions are listed in the following procedure.

Procedure

To create an AWS policy, complete the following steps:
  1. Log in to the AWS Management Console with an identity that has administrator privileges in your AWS account.
  2. In the top left of the menu bar, select Services.
  3. Under Security, Identity & Compliance, select IAM.
  4. In the left frame, click Policies.
  5. Click Create policy.
  6. In the Create policy page, select the JSON tab.
  7. Delete the default JSON code.
  8. Copy and paste the following JSON code.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "iam:ListAttachedUserPolicies",
            "iam:GetPolicyVersion",
            "iam:GetPolicy",
            "iam:ListGroupsForUser",
            "iam:ListUsers",
            "iam:GetUser",
            "iam:GetRole",
            "iam:CreateRole",
            "iam:TagRole",
            "iam:AttachRolePolicy",
            "iam:DetachRolePolicy",
            "iam:ListPolicies",
            "iam:CreateInstanceProfile",
            "iam:RemoveRoleFromInstanceProfile",
            "iam:DeleteInstanceProfile",
            "iam:PassRole",
            "iam:AddRoleToInstanceProfile",
            "iam:GetInstanceProfile",
            "iam:DeleteRole",
            "cloudformation:UpdateStack",
            "cloudformation:ListStackResources",
            "cloudformation:CreateStack",
            "cloudformation:GetTemplate",
            "cloudformation:DeleteStack",
            "cloudformation:DescribeStacks",
            "cloudformation:ValidateTemplate",
            "cloudformation:DescribeStackEvents",
            "ec2:DescribeInstances",
            "ec2:DeleteTags",
            "ec2:DescribeRegions",
            "ec2:DeleteVolume",
            "ec2:DescribeNetworkInterfaces",
            "ec2:StartInstances",
            "ec2:DescribeVolumes",
            "ec2:AttachVolume",
            "ec2:DescribeInstanceStatus",
            "ec2:DetachVolume",
            "ec2:DetachNetworkInterface",
            "ec2:TerminateInstances",
            "ec2:ModifyVolumeAttribute",
            "ec2:CreateTags",
            "ec2:CreateLaunchTemplate",
            "ec2:ModifyNetworkInterfaceAttribute",
            "ec2:DeleteNetworkInterface",
            "ec2:RunInstances",
            "ec2:StopInstances",
            "ec2:CreateVolume",
            "ec2:CreateNetworkInterface",
            "ec2:AttachNetworkInterface",
            "ec2:DescribeSubnets",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:RevokeSecurityGroupEgress",
            "ec2:RevokeSecurityGroupIngress",
            "ec2:DescribeAvailabilityZones",
            "ec2:CreateSecurityGroup",
            "ec2:AuthorizeSecurityGroupEgress",
            "ec2:DescribeSecurityGroups",
            "ec2:ReplaceIamInstanceProfileAssociation",
            "ec2:DescribeIamInstanceProfileAssociations",
            "ec2:DescribeVpcs",
            "ec2:DeleteSecurityGroup",
            "ssm:SendCommand",
            "ssm:GetCommandInvocation",
            "s3:CreateBucket",
            "s3:ListBucket",
            "s3:GetObject",
            "s3:PutObject",
            "s3:DeleteObject",
            "s3:DeleteBucket",
            "s3:PutBucketPublicAccessBlock"
          ],
          "Resource": "*"
        }
      ]
    }

    Note: This policy grants only the permissions needed to deploy the AWS NGCE cluster. To protect AWS resources, additional permissions are required. Note also that the single statement allows every action on "Resource": "*". In particular, iam:CreateRole, iam:AttachRolePolicy and iam:PassRole on all resources let the holder create a role with any attached policy and pass it to an instance, so treat the credentials that carry this policy as highly privileged and scope the Resource element (for example, to role ARNs with a fixed name prefix) where your deployment allows it.
  9. Click Review policy.
  10. Enter a name for the policy, such as IBMCEPolicy, and an optional description, then click Create policy.
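Before pasting the document in step 8, it is worth checking it offline. The following script is an added example and is not IBM's code: it rebuilds the policy document from the action list above, verifies the constraints the IAM console enforces on a customer managed policy (policy language version, alphanumeric and unique Sid values, required statement elements, the 6,144 non-whitespace-character size limit), and flags the action combinations that are well known to allow privilege escalation when granted on "Resource": "*". The combinations listed in ESCALATION_COMBOS and the sample policies in the checks are the author's own constructed inputs, not part of the IBM procedure.

```python
"""Offline checks for the IAM policy document in the procedure above.

Added example, not IBM's code. Rebuilds the document, validates what the IAM
console enforces, and flags action sets that allow privilege escalation when
granted on Resource "*".
"""
import fnmatch
import json
import re

# The 70 actions from the procedure, granted in one Allow statement on Resource "*".
ACTIONS = """
iam:ListAttachedUserPolicies iam:GetPolicyVersion iam:GetPolicy iam:ListGroupsForUser
iam:ListUsers iam:GetUser iam:GetRole iam:CreateRole iam:TagRole iam:AttachRolePolicy
iam:DetachRolePolicy iam:ListPolicies iam:CreateInstanceProfile
iam:RemoveRoleFromInstanceProfile iam:DeleteInstanceProfile iam:PassRole
iam:AddRoleToInstanceProfile iam:GetInstanceProfile iam:DeleteRole
cloudformation:UpdateStack cloudformation:ListStackResources cloudformation:CreateStack
cloudformation:GetTemplate cloudformation:DeleteStack cloudformation:DescribeStacks
cloudformation:ValidateTemplate cloudformation:DescribeStackEvents
ec2:DescribeInstances ec2:DeleteTags ec2:DescribeRegions ec2:DeleteVolume
ec2:DescribeNetworkInterfaces ec2:StartInstances ec2:DescribeVolumes ec2:AttachVolume
ec2:DescribeInstanceStatus ec2:DetachVolume ec2:DetachNetworkInterface
ec2:TerminateInstances ec2:ModifyVolumeAttribute ec2:CreateTags ec2:CreateLaunchTemplate
ec2:ModifyNetworkInterfaceAttribute ec2:DeleteNetworkInterface ec2:RunInstances
ec2:StopInstances ec2:CreateVolume ec2:CreateNetworkInterface ec2:AttachNetworkInterface
ec2:DescribeSubnets ec2:AuthorizeSecurityGroupIngress ec2:RevokeSecurityGroupEgress
ec2:RevokeSecurityGroupIngress ec2:DescribeAvailabilityZones ec2:CreateSecurityGroup
ec2:AuthorizeSecurityGroupEgress ec2:DescribeSecurityGroups
ec2:ReplaceIamInstanceProfileAssociation ec2:DescribeIamInstanceProfileAssociations
ec2:DescribeVpcs ec2:DeleteSecurityGroup ssm:SendCommand ssm:GetCommandInvocation
s3:CreateBucket s3:ListBucket s3:GetObject s3:PutObject s3:DeleteObject s3:DeleteBucket
s3:PutBucketPublicAccessBlock
""".split()

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow", "Action": ACTIONS, "Resource": "*"}
    ],
}

MANAGED_POLICY_MAX_CHARS = 6144         # customer managed policy limit, counted without whitespace
SID_RE = re.compile(r"^[A-Za-z0-9]+$")  # Sid must be alphanumeric

# Constructed list of known escalation paths; each is dangerous when all its actions are allowed on "*".
ESCALATION_COMBOS = {
    "create a role, attach any policy, pass it": {"iam:CreateRole", "iam:AttachRolePolicy", "iam:PassRole"},
    "launch an instance with any existing role": {"iam:PassRole", "ec2:RunInstances"},
    "swap a privileged profile onto a running instance, then run commands on it":
        {"iam:PassRole", "ec2:ReplaceIamInstanceProfileAssociation", "ssm:SendCommand"},
}


def policy_size(policy: dict) -> int:
    """Character count the way the managed-policy limit is measured: JSON minus whitespace."""
    return len(re.sub(r"\s", "", json.dumps(policy)))


def validate_policy(policy: dict) -> list[str]:
    """Return the problems that would make the console reject the document (empty list if none)."""
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version should be 2012-10-17")
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    sids = [s["Sid"] for s in statements if "Sid" in s]
    if len(sids) != len(set(sids)):
        problems.append("Sid values must be unique")
    for i, s in enumerate(statements):
        if "Sid" in s and not SID_RE.match(s["Sid"]):
            problems.append(f"statement {i}: Sid must be alphanumeric")
        if s.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        if "Action" not in s and "NotAction" not in s:
            problems.append(f"statement {i}: Action or NotAction is required")
        if "Resource" not in s and "NotResource" not in s:
            problems.append(f"statement {i}: Resource or NotResource is required")
    if policy_size(policy) > MANAGED_POLICY_MAX_CHARS:
        problems.append(f"document exceeds {MANAGED_POLICY_MAX_CHARS} non-whitespace characters")
    return problems


def _covers(actions: set[str], needed: str) -> bool:
    """True when some action entry, possibly a wildcard such as iam:*, matches `needed`."""
    return any(fnmatch.fnmatchcase(needed, pattern) for pattern in actions)


def escalation_findings(policy: dict) -> list[str]:
    """List escalation combinations granted by Allow statements whose Resource includes "*"."""
    findings = []
    for s in policy.get("Statement", []):
        res = s.get("Resource", [])
        res = [res] if isinstance(res, str) else res
        if s.get("Effect") != "Allow" or "*" not in res:
            continue  # a Deny, or a statement already scoped to specific ARNs
        act = s.get("Action", [])
        act = {act} if isinstance(act, str) else set(act)
        for name, combo in ESCALATION_COMBOS.items():
            if all(_covers(act, a) for a in combo):
                findings.append(f"{s.get('Sid', 'unnamed')}: {name} via {', '.join(sorted(combo))}")
    return findings


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))  # paste-ready document for step 8
    print("problems:", validate_policy(POLICY) or "none")
    for line in escalation_findings(POLICY):
        print("escalation path on Resource *:", line)
```

Running the script prints the paste-ready document, reports no validation problems, and lists three escalation paths, all of which disappear once the Resource element is narrowed (for example to role ARNs under a fixed name prefix) because the check only considers statements that still allow "*". If you prefer the CLI to the console, write the printed document to a file and create the policy with `aws iam create-policy --policy-name IBMCEPolicy --policy-document file://policy.json`.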