IBM Support

AWS Minimum Permissions

Technical Blog Post



If you are using AWS to provision hosts via an IAM user, this post helps you define the minimum permissions that user needs in order to provision and terminate hosts through the AWS console.

Please refer to the following links regarding IAM users and adding permissions:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html

For OnDemand instances

ec2:DescribeInstances: to check the status of instances

ec2:TerminateInstances: to remove instances

ec2:RunInstances: to request new instances

ec2:DescribeVpcs: to select a VPC

ec2:DescribeSubnets: to select a subnet

ec2:DescribeImages: to select an image

ec2:DescribeKeyPairs: to select a Key Pair


For Spot Fleets

ec2:RequestSpotFleet: used by the AWS console and the HostFactory service to create a spot fleet

ec2:CancelSpotFleetRequests: to cancel a fleet request

ec2:DescribeSpotFleetRequests: to check for fleet status

ec2:DescribeSpotFleetInstances: to check instances status under a specific fleet

ec2:DescribeSpotInstanceRequests: to check the status of a specific spot instance; also called when removing instances

ec2:DescribeInstances: to check the status of instances

ec2:TerminateInstances: to remove instances

ec2:DescribeAccountAttributes: to select a VPC

ec2:DescribeVpcs: to select a VPC

ec2:DescribeSubnets: to select a subnet

ec2:DescribeImages: to select an image

ec2:DescribeKeyPairs: to select a Key Pair

ec2:DescribeAvailabilityZones: to select an availability zone

If you are using a launch template for your spot fleets, you also need the following permissions:

ec2:GetLaunchTemplateData: to read the launch template data

ec2:DescribeLaunchTemplates: to check for the launch template

ec2:CreateLaunchTemplate:

ec2:DeleteLaunchTemplate: to clean up the launch template

More permissions

IAM role permissions

If you are using an IAM role, you need to add the following permissions to list the IAM roles to choose from and to pass the chosen IAM role to the provisioned instances:

iam:ListInstanceProfiles

iam:ListRoles

iam:PassRole


Tag permission

If you add tags to your instances or spot fleets, you also need this permission:

ec2:CreateTags


Verification permissions

You can add these permissions to verify template values through the AWS console:

ec2:DescribeInstanceStatus: to show the status of instances

ec2:DescribeVolumes: to show EBS volumes

ec2:DescribeTags: to show tags
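As an added example (not code from the original post), the following Python script assembles the permission sets above into a single IAM policy document, deduplicating the actions shared between the on-demand and spot fleet lists and scoping iam:PassRole to one role ARN (the ARN value is a placeholder) instead of granting it on every role.

```python
"""Build a least-privilege IAM policy for a HostFactory user from the
permission sets listed above. Added example: the action lists come from the
post; the policy layout and the role ARN placeholder are assumptions."""
import json

# ec2 Describe* actions do not support resource-level restrictions, so the
# EC2 statement is granted on Resource "*".
ON_DEMAND = [
    "ec2:DescribeInstances", "ec2:TerminateInstances", "ec2:RunInstances",
    "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeImages",
    "ec2:DescribeKeyPairs",
]
SPOT_FLEET = [
    "ec2:RequestSpotFleet", "ec2:CancelSpotFleetRequests",
    "ec2:DescribeSpotFleetRequests", "ec2:DescribeSpotFleetInstances",
    "ec2:DescribeSpotInstanceRequests", "ec2:DescribeInstances",
    "ec2:TerminateInstances", "ec2:DescribeAccountAttributes",
    "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeImages",
    "ec2:DescribeKeyPairs", "ec2:DescribeAvailabilityZones",
]
LAUNCH_TEMPLATE = [
    "ec2:GetLaunchTemplateData", "ec2:DescribeLaunchTemplates",
    "ec2:CreateLaunchTemplate", "ec2:DeleteLaunchTemplate",
]
TAGS = ["ec2:CreateTags"]
VERIFY = ["ec2:DescribeInstanceStatus", "ec2:DescribeVolumes", "ec2:DescribeTags"]
IAM_LIST = ["iam:ListInstanceProfiles", "iam:ListRoles"]


def build_policy(spot_fleet=False, launch_template=False, tags=False,
                 verify=False, instance_role_arn=None):
    """Return a policy document containing only the requested permission sets.
    instance_role_arn (caller-supplied, hypothetical) restricts iam:PassRole
    to that single role; without it no IAM permissions are granted."""
    actions = set(ON_DEMAND)
    actions |= set(SPOT_FLEET) if spot_fleet else set()
    actions |= set(LAUNCH_TEMPLATE) if launch_template else set()
    actions |= set(TAGS) if tags else set()
    actions |= set(VERIFY) if verify else set()
    actions |= set(IAM_LIST) if instance_role_arn else set()
    statements = [{"Sid": "HostFactoryEc2", "Effect": "Allow",
                   "Action": sorted(actions), "Resource": "*"}]
    if instance_role_arn:
        statements.append({"Sid": "PassInstanceRole", "Effect": "Allow",
                           "Action": "iam:PassRole", "Resource": instance_role_arn})
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":  # placeholder account id and role name below
    print(json.dumps(build_policy(spot_fleet=True, tags=True,
          instance_role_arn="arn:aws:iam::123456789012:role/EXAMPLE-ROLE"), indent=2))
```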

Product: IBM Spectrum Symphony (Platform Independent)

UID: ibm16163869