Versions Compared

Old Version 96

changes.mady.by.user Yajing Wang

Saved on

compared with

New Version 97

changes.mady.by.user Ivan Sim (Unlicensed)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Welcome to your first step towards cloud efficiency and savings with Infrastructure Optimizer!

Before you begin, use this checklist to confirm your environment satisfies the specifications required to operate Infrastructure Optimizer.

Network
Anchor
Network
Network

Component

Requirements

VPC

Contains at least one private subnet. Check with this command:

Code Block
languagebash
aws ec2 describe-subnets --filter Name=vpc-id,Values=<YOUR VPC ID> --query 'Subnets[?MapPublicIpOnLaunch==`false`].SubnetId'

NAT Gateway

Has a NAT Gateway with public connectivity. Verify with this command:

Code Block
languagebash
aws ec2 describe-nat-gateways --filter Name=vpc-id,Values=<YOUR VPC ID> | jq '.NatGateways[] | {NatGatewayId, ConnectivityType}'

Security
Anchor
Security
Security

Component

Details

SSH Key

This will be used to attach to the Management Server.

Trusted Certificate

Required only if deploying in a private environment.

Compute
Anchor
Compute
Compute

Component

Requirements

Operating System

Using Linux variants.

Permissions
Anchor
Permissions
Permissions

We understand that cloud control and security are important to you.

To use Infrastructure Optimizer and start saving right away, you must create the following least-privilege IAM roles:

...

titleUser IAM Role

This policy needs to be attached to the user who performs the installation and operation.

...

Least privilege IAM policies

...

Explanation

Installations And Deployment

The AWS IAM principal used to install Infrastructure Optimizer must have the following permissions:

Code Block
languagejson
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeInstanceStatus",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "ec2:ModifyInstanceAttribute",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeSecurityGroups",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateSecurityGroup",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:DeleteSecurityGroup",
                "ec2:DescribeSecurityGroupRules",
                "ec2:CreateTags",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeImages",
                "ec2:DescribeImageAttribute",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeRouteTables",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeAddresses",
                "ec2:DescribeDhcpOptions",
                "ec2:DescribeSnapshots"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::cf-template*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:UpdateStack",
                "cloudformation:CreateUploadBucket",
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStacks",
                "cloudformation:GetTemplateSummary",
                "cloudformation:ListStacks",
                "cloudformation:ListStackResources",
                "cloudformation:DeleteStack"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:ListRoles",
                "iam:TagRole",
                "iam:PutRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:GetRole",
                "iam:ListAttachedRolePolicies",
                "iam:CreateInstanceProfile",
                "iam:AddRoleToInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:ListPolicies",
                "iam:PassRole",
                "iam:ListOpenIDConnectProviders",
                "iam:GetOpenIDConnectProvider",
                "iam:ListEntitiesForPolicy",
                "iam:CreateServiceLinkedRole",
                "iam:ListInstanceProfiles",
                "iam:ListInstanceProfilesForRole",
                "iam:AttachRolePolicy" 
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "eks:DescribeCluster",
                "eks:ListClusters",
                "eks:UpdateClusterConfig",
                "eks:UpdateClusterVersion",
                "eks:CreateNodegroup",
                "eks:DescribeNodegroup",
                "eks:ListNodegroups",
                "eks:UpdateNodegroupConfig",
                "eks:UpdateNodegroupVersion",
                "eks:DescribeAddon",
                "eks:DescribeAddonVersions",
                "eks:ListAddons",
                "eks:UpdateAddon",
                "eks:AccessKubernetesApi",
                "eks:ListAccessPolicies",
                "eks:AssociateAccessPolicy",
                "eks:ListIdentityProviderConfigs",
                "eks:DescribeAccessEntry",
                "eks:ListPodIdentityAssociations",
                "eks:ListAssociatedAccessPolicies",
                "eks:CreateAccessEntry"  
            ],
            "_comment": "Change the below Resource to specific cluster - arn:aws:eks:region:account-id:cluster/cluster-name",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:ListAssociations",
                "ssm:GetParametersByPath"
            ],
            "Resource": "*"
        }
    ]
}
Expand
titleExpand this section to view a detailed explanation of the scope of each IAM permission

1. Amazon EC2 (Elastic Compute Cloud)

  • Instance Management

    • ec2:RunInstances

    • ec2:DescribeInstances

    • ec2:DescribeInstanceTypes

    • ec2:DescribeInstanceStatus

    • ec2:StopInstances

    • ec2:TerminateInstances

    • ec2:ModifyInstanceAttribute

  • Network and Security

    • ec2:DescribeSubnets

    • ec2:DescribeVpcs

    • ec2:DescribeVpcAttribute

    • ec2:DescribeSecurityGroups

    • ec2:AuthorizeSecurityGroupIngress

    • ec2:CreateSecurityGroup

    • ec2:RevokeSecurityGroupIngress

    • ec2:DeleteSecurityGroup

    • ec2:DescribeSecurityGroupRules

  • Resource Tagging and Metadata

    • ec2:CreateTags

  • Others

    • ec2:DescribeKeyPairs

    • ec2:DescribeImages

    • ec2:DescribeImageAttribute

    • ec2:DescribeAvailabilityZones

    • ec2:DescribeAccountAttributes

    • ec2:DescribeRouteTables

    • ec2:DescribeNetworkAcls

    • ec2:DescribeAddresses

    • ec2:DescribeDhcpOptions

    • ec2:DescribeSnapshots

2. Amazon S3 (Simple Storage Service)

  • Object Operations

    • s3:GetObject

    • s3:PutObject

3. Amazon CloudFormation

  • Stack Operations

    • cloudformation:CreateStack

    • cloudformation:UpdateStack

    • cloudformation:CreateUploadBucket

    • cloudformation:DescribeStackEvents

    • cloudformation:DescribeStacks

    • cloudformation:GetTemplateSummary

    • cloudformation:ListStacks

    • cloudformation:ListStackResources

    • cloudformation:DeleteStack

4. AWS IAM (Identity and Access Management)

  • Role Management

    • iam:CreateRole

    • iam:DeleteRole

    • iam:ListRoles

    • iam:TagRole

    • iam:PutRolePolicy

    • iam:DeleteRolePolicy

    • iam:GetRole

    • iam:ListAttachedRolePolicies

    • iam:AttachRolePolicy

  • Instance Profile Operations

    • iam:CreateInstanceProfile

    • iam:AddRoleToInstanceProfile

    • iam:RemoveRoleFromInstanceProfile

    • iam:DeleteInstanceProfile

  • Policy Management

    • iam:ListPolicies

    • iam:PassRole

  • Other

    • iam:ListOpenIDConnectProviders

    • iam:GetOpenIDConnectProvider

    • iam:ListEntitiesForPolicy

    • iam:CreateServiceLinkedRole

    • iam:ListInstanceProfiles

    • iam:ListInstanceProfilesForRole

5. Amazon EKS (Elastic Kubernetes Service)

  • Cluster Operations

    • eks:DescribeCluster

    • eks:ListClusters

    • eks:UpdateClusterConfig

    • eks:UpdateClusterVersion

  • Nodegroup Operations

    • eks:CreateNodegroup

    • eks:DescribeNodegroup

    • eks:ListNodegroups

    • eks:UpdateNodegroupConfig

    • eks:UpdateNodegroupVersion

  • Addon Operations

    • eks:DescribeAddon

    • eks:DescribeAddonVersions

    • eks:ListAddons

    • eks:UpdateAddon

  • API Access and Policy Management

    • eks:AccessKubernetesApi

    • eks:ListAccessPolicies

    • eks:AssociateAccessPolicy

    • eks:ListIdentityProviderConfigs

    • eks:DescribeAccessEntry

    • eks:ListPodIdentityAssociations

    • eks:ListAssociatedAccessPolicies

    • eks:CreateAccessEntry

6. AWS SSM (System Manager)

  • Association Operations

    • ssm:ListAssociations

    • Code Block
      AWSTemplateFormatVersion: '2010-09-09'
Description: Create IAM roles and policies for Controllers and Workers

Resources:
  ExostellarControllerRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: 'sts:AssumeRole'
      Policies:
        - PolicyName: ExostellarControllerPolicy
          PolicyDocument: |
            {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "ec2:RunInstances",
                    "ec2:StopInstances",
                    "ec2:DescribeSpotPriceHistory",
                    "ec2:DescribeInstances",
                    "ec2:DescribeInstanceTypes",
                    "ec2:DescribeTags",
                    "ec2:CreateTags",
                    "ec2:CreateFleet",
                    "ec2:CreateLaunchTemplate",
                    "ec2:DeleteLaunchTemplate",
                    "ec2:TerminateInstances",
                    "ec2:AssignPrivateIpAddresses",
                    "ec2:UnassignPrivateIpAddresses",
                    "ec2:AttachNetworkInterface",
                    "ec2:DetachNetworkInterface",
                    "ec2:CreateNetworkInterface",
                    "ec2:DeleteNetworkInterface",
                    "ec2:ModifyNetworkInterfaceAttribute",
                    "ec2:DescribeRegions",
                    "ec2:CreateVolume",
                    "ec2:DescribeVolumes",
                    "ec2:AttachVolume",
                    "ec2:ModifyInstanceAttribute",
                    "ec2:DetachVolume",
                    "ec2:DeleteVolume",
                    "ec2:CreateInstanceExportTask",
                    "ec2:DescribeExportTasks",
                    "ec2:RebootInstances",
                    "ec2:CreateSnapshot",
                    "ec2:DescribeSnapshots",
                    "iam:CreateServiceLinkedRole",
                    "iam:ListRoles",
                    "iam:ListInstanceProfiles",
                    "iam:PassRole",
                    "iam:GetRole",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeSecurityGroups",
                    "ec2:DescribeImages",
                    "ec2:DescribeKeyPairs",
                    "ec2:DescribeInstanceTypeOfferings",
                    "iam:GetInstanceProfile",
                    "iam:SimulatePrincipalPolicy",
                    "sns:Publish",
                    "ssm:GetParameters",
                    "ssm:GetParametersByPath"
                  ],
                  "Resource": "*"
                },
                {
                  "Effect": "Allow",
                  "Action": [
                    "eks:DescribeCluster"
                  ],
                  "Resource": "*"
                }
              ]
            }
      Tags:
        - Key: "Name"
          Value: !Sub "${AWS::StackName}-controller-role"

  ExostellarControllerProfile:
    Type: 'AWS::IAM::InstanceProfile'
    Properties:
      Roles:
        - !Ref ExostellarControllerRole

  ExostellarWorkerRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: 'sts:AssumeRole'
      Policies:
        - PolicyName: ExostellarWorkerPolicy
          PolicyDocument: |
            {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Deny",
                  "Action": [
                    "ec2:UnassignPrivateIpAddresses"
                  ],
                  "Resource": "*"
                },
                {
                  "Effect": "Allow",
                  "Action": [
                    "ec2:ModifyInstanceMetadataOptions",
                    "eks:DescribeCluster"
                  ],
                  "Resource": "*"
                }
              ]
            }
      Tags:
        - Key: "Name"
          Value: !Sub "${AWS::StackName}-worker-role"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
        - "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
        - "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
        - "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
        - "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"

  ExostellarWorkerProfile:
    Type: 'AWS::IAM::InstanceProfile'
    Properties:
      Roles:
        - !Ref ExostellarWorkerRole

Outputs:
  ExostellarControllerRoleARN:
    Description: ARN of the Controller IAM Role. This will be used in the ConfigMap.
    Value: !GetAtt ExostellarControllerRole.Arn

  ExostellarControllerRoleInstanceProfileARN:
    Description: Instance Profile ARN of the Controller IAM Role. This will be used in the Profile Configuration.
    Value: !GetAtt ExostellarControllerProfile.Arn

  ExostellarWorkerRoleARN:
    Description: ARN of the Exostellar Worker Role. This will be used in the ConfigMap.
    Value: !GetAtt ExostellarWorkerRole.Arn

  ExostellarWorkerRoleInstanceProfileARN:
    Description: Instance Profile ARN of the Worker IAM Role. This will be used in the Profile Configuration.
    Value: !GetAtt ExostellarWorkerProfile.Arn

      ssm:GetParametersByPath

Expand
titleController and Worker IAM Roles

EC2 Instance Profile

The X-Spot controllers and workers require a set of IAM permissions to manage and scale your workloads efficiently. Use this CloudFormation template to create the

...

EC2 instance profiles.

When completed, the roles and instance profile ARNs output by CloudFormation will be needed for subsequent installation steps

Code Block
AWSTemplateFormatVersion: '2010-09-09'
Description: Create IAM roles and policies for Controllers and Workers

Resources:
  ExostellarControllerRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: 'sts:AssumeRole'
      Policies:
        - PolicyName: ExostellarControllerPolicy
          PolicyDocument: |
            {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "ec2:RunInstances",
                    "ec2:StopInstances",
                    "ec2:DescribeSpotPriceHistory",
                    "ec2:DescribeInstances",
                    "ec2:DescribeInstanceTypes",
                    "ec2:DescribeTags",
                    "ec2:CreateTags",
                    "ec2:CreateFleet",
                    "ec2:CreateLaunchTemplate",
                    "ec2:DeleteLaunchTemplate",
                    "ec2:TerminateInstances",
                    "ec2:AssignPrivateIpAddresses",
                    "ec2:UnassignPrivateIpAddresses",
                    "ec2:AttachNetworkInterface",
                    "ec2:DetachNetworkInterface",
                    "ec2:CreateNetworkInterface",
                    "ec2:DeleteNetworkInterface",
                    "ec2:ModifyNetworkInterfaceAttribute",
                    "ec2:DescribeRegions",
                    "ec2:CreateVolume",
                    "ec2:DescribeVolumes",
                    "ec2:AttachVolume",
                    "ec2:ModifyInstanceAttribute",
                    "ec2:DetachVolume",
                    "ec2:DeleteVolume",
                    "ec2:CreateInstanceExportTask",
                    "ec2:DescribeExportTasks",
                    "ec2:RebootInstances",
                    "ec2:CreateSnapshot",
                    "ec2:DescribeSnapshots",
                    "iam:CreateServiceLinkedRole",
                    "iam:ListRoles",
                    "iam:ListInstanceProfiles",
                    "iam:PassRole",
                    "iam:GetRole",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeSecurityGroups",
                    "ec2:DescribeImages",
                    "ec2:DescribeKeyPairs",
                    "ec2:DescribeInstanceTypeOfferings",
                    "iam:GetInstanceProfile",
                    "iam:SimulatePrincipalPolicy",
                    "sns:Publish",
                    "ssm:GetParameters",
                    "ssm:GetParametersByPath"
                  ],
                  "Resource": "*"
                },
                {
                  "Effect": "Allow",
                  "Action": [
                    "eks:DescribeCluster"
                  ],
                  "Resource": "*"
                }
              ]
            }
      Tags:
        - Key: "Name"
          Value: !Sub "${AWS::StackName}-controller-role"

  ExostellarControllerProfile:
    Type: 'AWS::IAM::InstanceProfile'
    Properties:
      Roles:
        - !Ref ExostellarControllerRole

  ExostellarWorkerRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: 'sts:AssumeRole'
      Policies:
        - PolicyName: ExostellarWorkerPolicy
          PolicyDocument: |
            {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Deny",
                  "Action": [
                    "ec2:UnassignPrivateIpAddresses"
                  ],
                  "Resource": "*"
                },
                {
                  "Effect": "Allow",
                  "Action": [
                    "ec2:ModifyInstanceMetadataOptions",
                    "eks:DescribeCluster"
                  ],
                  "Resource": "*"
                }
              ]
            }
      Tags:
        - Key: "Name"
          Value: !Sub "${AWS::StackName}-worker-role"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
        - "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
        - "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
        - "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
        - "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"

  ExostellarWorkerProfile:
    Type: 'AWS::IAM::InstanceProfile'
    Properties:
      Roles:
        - !Ref ExostellarWorkerRole

Outputs:
  ExostellarControllerRoleARN:
    Description: ARN of the Controller IAM Role. This will be used in the ConfigMap.
    Value: !GetAtt ExostellarControllerRole.Arn

  ExostellarControllerRoleInstanceProfileARN:
    Description: Instance Profile ARN of the Controller IAM Role. This will be used in the Profile Configuration.
    Value: !GetAtt ExostellarControllerProfile.Arn

  ExostellarWorkerRoleARN:
    Description: ARN of the Exostellar Worker Role. This will be used in the ConfigMap.
    Value: !GetAtt ExostellarWorkerRole.Arn

  ExostellarWorkerRoleInstanceProfileARN:
    Description: Instance Profile ARN of the Worker IAM Role. This will be used in the Profile Configuration.
    Value: !GetAtt ExostellarWorkerProfile.Arn