Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Welcome to your first step towards cloud efficiency and savings with Infrastructure Optimizer. By following our setup checklist, you'll enable Infrastructure Optimizer to operate smoothly in your environment.

Environment Prerequisites Overview

Component

Section Link

VPC

Network

Certificate

Security

IAM Roles

Permissions

Network
Anchor
Network
Network

Component

Requirements

VPC

  • It contains at least one private subnet

NAT Gateway

  • The connectivity type is public

Security
Anchor
Security
Security

Component

Details

SSH Key

  • This will be used to attach to the Management Server

Trusted Certificate

  • Required only if deploying in a private environment.

Compute
Anchor
Compute
Compute

Component

Requirements

Operating System

  • Using Linux variants

Permissions
Anchor
Permissions
Permissions

We understand that cloud control and security are essential to you. To use Infrastructure Optimizer and start saving right away, you need the following IAM role roles with least privilege policies to install and operate:

Expand
titleUser IAM Role

Least privilege IAM policies

Explanation

Code Block
languagejson
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeInstanceStatus",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "ec2:ModifyInstanceAttribute",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeSecurityGroups",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateSecurityGroup",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:DeleteSecurityGroup",
                "ec2:DescribeSecurityGroupRules",
                "ec2:CreateTags",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeImages",
                "ec2:DescribeImageAttribute",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeRouteTables",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeAddresses",
                "ec2:DescribeDhcpOptions",
                "ec2:DescribeSnapshots"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::cf-template*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:UpdateStack",
                "cloudformation:CreateUploadBucket",
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStacks",
                "cloudformation:GetTemplateSummary",
                "cloudformation:ListStacks",
                "cloudformation:ListStackResources",
                "cloudformation:DeleteStack"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:ListRoles",
                "iam:TagRole",
                "iam:PutRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:GetRole",
                "iam:ListAttachedRolePolicies",
                "iam:CreateInstanceProfile",
                "iam:AddRoleToInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:ListPolicies",
                "iam:PassRole",
                "iam:ListOpenIDConnectProviders",
                "iam:GetOpenIDConnectProvider",
                "iam:ListEntitiesForPolicy",
                "iam:CreateServiceLinkedRole",
                "iam:ListInstanceProfiles",
                "iam:ListInstanceProfilesForRole",
                "iam:AttachRolePolicy" 
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "eks:DescribeCluster",
                "eks:ListClusters",
                "eks:UpdateClusterConfig",
                "eks:UpdateClusterVersion",
                "eks:CreateNodegroup",
                "eks:DescribeNodegroup",
                "eks:ListNodegroups",
                "eks:UpdateNodegroupConfig",
                "eks:UpdateNodegroupVersion",
                "eks:DescribeAddon",
                "eks:DescribeAddonVersions",
                "eks:ListAddons",
                "eks:UpdateAddon",
                "eks:AccessKubernetesApi",
                "eks:ListAccessPolicies",
                "eks:AssociateAccessPolicy",
                "eks:ListIdentityProviderConfigs",
                "eks:DescribeAccessEntry",
                "eks:ListPodIdentityAssociations",
                "eks:ListAssociatedAccessPolicies",
                "eks:CreateAccessEntry"  
            ],
            "_comment": "Change the below Resource to specific cluster - arn:aws:eks:region:account-id:cluster/cluster-name",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:ListAssociations",
                "ssm:GetParametersByPath"
            ],
            "Resource": "*"
        }
    ]
}

1. Amazon EC2 (Elastic Compute Cloud)

  • Instance Management

    • ec2:RunInstances

    • ec2:DescribeInstances

    • ec2:DescribeInstanceTypes

    • ec2:DescribeInstanceStatus

    • ec2:StopInstances

    • ec2:TerminateInstances

    • ec2:ModifyInstanceAttribute

  • Network and Security

    • ec2:DescribeSubnets

    • ec2:DescribeVpcs

    • ec2:DescribeVpcAttribute

    • ec2:DescribeSecurityGroups

    • ec2:AuthorizeSecurityGroupIngress

    • ec2:CreateSecurityGroup

    • ec2:RevokeSecurityGroupIngress

    • ec2:DeleteSecurityGroup

    • ec2:DescribeSecurityGroupRules

  • Resource Tagging and Metadata

    • ec2:CreateTags

  • Others

    • ec2:DescribeKeyPairs

    • ec2:DescribeImages

    • ec2:DescribeImageAttribute

    • ec2:DescribeAvailabilityZones

    • ec2:DescribeAccountAttributes

    • ec2:DescribeRouteTables

    • ec2:DescribeNetworkAcls

    • ec2:DescribeAddresses

    • ec2:DescribeDhcpOptions

    • ec2:DescribeSnapshots

2. Amazon S3 (Simple Storage Service)

  • Object Operations

    • s3:GetObject

    • s3:PutObject

3. Amazon CloudFormation

  • Stack Operations

    • cloudformation:CreateStack

    • cloudformation:UpdateStack

    • cloudformation:CreateUploadBucket

    • cloudformation:DescribeStackEvents

    • cloudformation:DescribeStacks

    • cloudformation:GetTemplateSummary

    • cloudformation:ListStacks

    • cloudformation:ListStackResources

    • cloudformation:DeleteStack

4. AWS IAM (Identity and Access Management)

  • Role Management

    • iam:CreateRole

    • iam:DeleteRole

    • iam:ListRoles

    • iam:TagRole

    • iam:PutRolePolicy

    • iam:DeleteRolePolicy

    • iam:GetRole

    • iam:ListAttachedRolePolicies

    • iam:AttachRolePolicy

  • Instance Profile Operations

    • iam:CreateInstanceProfile

    • iam:AddRoleToInstanceProfile

    • iam:RemoveRoleFromInstanceProfile

    • iam:DeleteInstanceProfile

  • Policy Management

    • iam:ListPolicies

    • iam:PassRole

  • Other

    • iam:ListOpenIDConnectProviders

    • iam:GetOpenIDConnectProvider

    • iam:ListEntitiesForPolicy

    • iam:CreateServiceLinkedRole

    • iam:ListInstanceProfiles

    • iam:ListInstanceProfilesForRole

5. Amazon EKS (Elastic Kubernetes Service)

  • Cluster Operations

    • eks:DescribeCluster

    • eks:ListClusters

    • eks:UpdateClusterConfig

    • eks:UpdateClusterVersion

  • Nodegroup Operations

    • eks:CreateNodegroup

    • eks:DescribeNodegroup

    • eks:ListNodegroups

    • eks:UpdateNodegroupConfig

    • eks:UpdateNodegroupVersion

  • Addon Operations

    • eks:DescribeAddon

    • eks:DescribeAddonVersions

    • eks:ListAddons

    • eks:UpdateAddon

  • API Access and Policy Management

    • eks:AccessKubernetesApi

    • eks:ListAccessPolicies

    • eks:AssociateAccessPolicy

    • eks:ListIdentityProviderConfigs

    • eks:DescribeAccessEntry

    • eks:ListPodIdentityAssociations

    • eks:ListAssociatedAccessPolicies

    • eks:CreateAccessEntry

6. AWS SSM (System Manager)

  • Association Operations

    • ssm:ListAssociationsssm:GetParametersByPath

    • Code Block
      AWSTemplateFormatVersion: '2010-09-09'
      Description: Create IAM roles and policies for Controllers and Workers
      
      Resources:
        ExostellarControllerRole:
          Type: 'AWS::IAM::Role'
          Properties:
            AssumeRolePolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: Allow
                  Principal:
                    Service: ec2.amazonaws.com
                  Action: 'sts:AssumeRole'
            Policies:
              - PolicyName: ExostellarControllerPolicy
                PolicyDocument: |
                  {
                    "Version": "2012-10-17",
                    "Statement": [
                      {
                        "Effect": "Allow",
                        "Action": [
                          "ec2:RunInstances",
                          "ec2:StopInstances",
                          "ec2:DescribeSpotPriceHistory",
                          "ec2:DescribeInstances",
                          "ec2:DescribeInstanceTypes",
                          "ec2:DescribeTags",
                          "ec2:CreateTags",
                          "ec2:CreateFleet",
                          "ec2:CreateLaunchTemplate",
                          "ec2:DeleteLaunchTemplate",
                          "ec2:TerminateInstances",
                          "ec2:AssignPrivateIpAddresses",
                          "ec2:UnassignPrivateIpAddresses",
                          "ec2:AttachNetworkInterface",
                          "ec2:DetachNetworkInterface",
                          "ec2:CreateNetworkInterface",
                          "ec2:DeleteNetworkInterface",
                          "ec2:ModifyNetworkInterfaceAttribute",
                          "ec2:DescribeRegions",
                          "ec2:CreateVolume",
                          "ec2:DescribeVolumes",
                          "ec2:AttachVolume",
                          "ec2:ModifyInstanceAttribute",
                          "ec2:DetachVolume",
                          "ec2:DeleteVolume",
                          "ec2:CreateInstanceExportTask",
                          "ec2:DescribeExportTasks",
                          "ec2:RebootInstances",
                          "ec2:CreateSnapshot",
                          "ec2:DescribeSnapshots",
                          "iam:CreateServiceLinkedRole",
                          "iam:ListRoles",
                          "iam:ListInstanceProfiles",
                          "iam:PassRole",
                          "iam:GetRole",
                          "ec2:DescribeSubnets",
                          "ec2:DescribeSecurityGroups",
                          "ec2:DescribeImages",
                          "ec2:DescribeKeyPairs",
                          "ec2:DescribeInstanceTypeOfferings",
                          "iam:GetInstanceProfile",
                          "iam:SimulatePrincipalPolicy",
                          "sns:Publish",
                          "ssm:GetParameters",
                          "ssm:GetParametersByPath"
                        ],
                        "Resource": "*"
                      },
                      {
                        "Effect": "Allow",
                        "Action": [
                          "eks:DescribeCluster"
                        ],
                        "Resource": "*"
                      }
                    ]
                  }
            Tags:
              - Key: "Name"
                Value: !Sub "${AWS::StackName}-controller-role"
      
        ExostellarControllerProfile:
          Type: 'AWS::IAM::InstanceProfile'
          Properties:
            Roles:
              - !Ref ExostellarControllerRole
      
        ExostellarWorkerRole:
          Type: 'AWS::IAM::Role'
          Properties:
            AssumeRolePolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: Allow
                  Principal:
                    Service: ec2.amazonaws.com
                  Action: 'sts:AssumeRole'
            Policies:
              - PolicyName: ExostellarWorkerPolicy
                PolicyDocument: |
                  {
                    "Version": "2012-10-17",
                    "Statement": [
                      {
                        "Effect": "Deny",
                        "Action": [
                          "ec2:UnassignPrivateIpAddresses"
                        ],
                        "Resource": "*"
                      },
                      {
                        "Effect": "Allow",
                        "Action": [
                          "ec2:ModifyInstanceMetadataOptions",
                          "eks:DescribeCluster"
                        ],
                        "Resource": "*"
                      }
                    ]
                  }
            Tags:
              - Key: "Name"
                Value: !Sub "${AWS::StackName}-worker-role"
            ManagedPolicyArns:
              - "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
              - "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
              - "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
              - "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
              - "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
      
        ExostellarWorkerProfile:
          Type: 'AWS::IAM::InstanceProfile'
          Properties:
            Roles:
              - !Ref ExostellarWorkerRole
      
      Outputs:
        ExostellarControllerRoleARN:
          Description: ARN of the Controller IAM Role. This will be used in the ConfigMap.
          Value: !GetAtt ExostellarControllerRole.Arn
      
        ExostellarControllerRoleInstanceProfileARN:
          Description: Instance Profile ARN of the Controller IAM Role. This will be used in the Profile Configuration.
          Value: !GetAtt ExostellarControllerProfile.Arn
      
        ExostellarWorkerRoleARN:
          Description: ARN of the Exostellar Worker Role. This will be used in the ConfigMap.
          Value: !GetAtt ExostellarWorkerRole.Arn
      
        ExostellarWorkerRoleInstanceProfileARN:
          Description: Instance Profile ARN of the Worker IAM Role. This will be used in the Profile Configuration.
          Value: !GetAtt ExostellarWorkerProfile.Arn

      ssm:GetParametersByPath

Expand
titleController and Worker IAM Roles
Code Block
languageyaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Create IAM roles and policies for Controllers and Workers

Resources:
  ExostellarControllerRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: 'sts:AssumeRole'
      Policies:
        - PolicyName: ExostellarControllerPolicy
          PolicyDocument: |
            {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "ec2:RunInstances",
                    "ec2:StopInstances",
                    "ec2:DescribeSpotPriceHistory",
                    "ec2:DescribeInstances",
                    "ec2:DescribeInstanceTypes",
                    "ec2:DescribeTags",
                    "ec2:CreateTags",
                    "ec2:CreateFleet",
                    "ec2:CreateLaunchTemplate",
                    "ec2:DeleteLaunchTemplate",
                    "ec2:TerminateInstances",
                    "ec2:AssignPrivateIpAddresses",
                    "ec2:UnassignPrivateIpAddresses",
                    "ec2:AttachNetworkInterface",
                    "ec2:DetachNetworkInterface",
                    "ec2:CreateNetworkInterface",
                    "ec2:DeleteNetworkInterface",
                    "ec2:ModifyNetworkInterfaceAttribute",
                    "ec2:DescribeRegions",
                    "ec2:CreateVolume",
                    "ec2:DescribeVolumes",
                    "ec2:AttachVolume",
                    "ec2:ModifyInstanceAttribute",
                    "ec2:DetachVolume",
                    "ec2:DeleteVolume",
                    "ec2:CreateInstanceExportTask",
                    "ec2:DescribeExportTasks",
                    "ec2:RebootInstances",
                    "ec2:CreateSnapshot",
                    "ec2:DescribeSnapshots",
                    "iam:CreateServiceLinkedRole",
                    "iam:ListRoles",
                    "iam:ListInstanceProfiles",
                    "iam:PassRole",
                    "iam:GetRole",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeSecurityGroups",
                    "ec2:DescribeImages",
                    "ec2:DescribeKeyPairs",
                    "ec2:DescribeInstanceTypeOfferings",
                    "iam:GetInstanceProfile",
                    "iam:SimulatePrincipalPolicy",
                    "sns:Publish",
                    "ssm:GetParameters",
                    "ssm:GetParametersByPath"
                  ],
                  "Resource": "*"
                },
                {
                  "Effect": "Allow",
                  "Action": [
                    "eks:DescribeCluster"
                  ],
                  "Resource": "*"
                }
              ]
            }
      Tags:
        - Key: "Name"
          Value: !Sub "${AWS::StackName}-controller-role"

  ExostellarControllerProfile:
    Type: 'AWS::IAM::InstanceProfile'
    Properties:
      Roles:
        - !Ref ExostellarControllerRole

  ExostellarWorkerRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: 'sts:AssumeRole'
      Policies:
        - PolicyName: ExostellarWorkerPolicy
          PolicyDocument: |
            {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Deny",
                  "Action": [
                    "ec2:UnassignPrivateIpAddresses"
                  ],
                  "Resource": "*"
                },
                {
                  "Effect": "Allow",
                  "Action": [
                    "ec2:ModifyInstanceMetadataOptions",
                    "eks:DescribeCluster"
                  ],
                  "Resource": "*"
                }
              ]
            }
      Tags:
        - Key: "Name"
          Value: !Sub "${AWS::StackName}-worker-role"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
        - "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
        - "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
        - "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
        - "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"

  ExostellarWorkerProfile:
    Type: 'AWS::IAM::InstanceProfile'
    Properties:
      Roles:
        - !Ref ExostellarWorkerRole

Outputs:
  ExostellarControllerRoleARN:
    Description: ARN of the Controller IAM Role. This will be used in the ConfigMap.
    Value: !GetAtt ExostellarControllerRole.Arn

  ExostellarControllerRoleInstanceProfileARN:
    Description: Instance Profile ARN of the Controller IAM Role. This will be used in the Profile Configuration.
    Value: !GetAtt ExostellarControllerProfile.Arn

  ExostellarWorkerRoleARN:
    Description: ARN of the Exostellar Worker Role. This will be used in the ConfigMap.
    Value: !GetAtt ExostellarWorkerRole.Arn

  ExostellarWorkerRoleInstanceProfileARN:
    Description: Instance Profile ARN of the Worker IAM Role. This will be used in the Profile Configuration.
    Value: !GetAtt ExostellarWorkerProfile.Arn