Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Welcome to your first step towards cloud efficiency and savings with Infrastructure Optimizer. By following our setup checklist, you'll enable Infrastructure Optimizer to operate smoothly in your environment.

Environment Prerequisites Overview

...

Component

...

Section Link

...

VPC

...

Network

...

Certificate

...

Security

...

IAM Roles

...

Permissions

...

EKS Cluster

...

Cluster Requirements

...

titleNetwork Checklist

...

Component

...

Requirements

...

VPC

...

  • Please specify an IPv4 CIDR block range other than 192.168.137.0/24

  • It contains at least one private subnet

...

NAT Gateway

...

  • The connectivity type is public

Security

...

titleSecurity Checklist

...

Component

...

Details

...

SSH Key

...

  • This will be used to attach to the Management Server

...

Trusted Certificate

...

  • To make the installation accessible to your organization

Compute

...

titleCompute Platform Checklist

...

Component

...

Requirements

...

Operating System

...

  • Linux variants

Permissions

We understand that cloud control and security are essential to you. In order to install Infrastructure Optimizer and start saving right away, we need your help to set up the right permissions for Infrastructure Optimizer to operate. For seamless operation and integration with AWS services, the following IAM roles with specific permissions are required:

  • User IAM Role

...

titleLeast privilege IAM policies of users
Info

This is for users who install and use the product.

...

Least privilege IAM policies

...

Explanation

...

Expand
titleLeast privilege IAM policies
Code Block
languagejson
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeInstanceStatus",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "ec2:ModifyInstanceAttribute",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeSecurityGroups",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateSecurityGroup",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:DeleteSecurityGroup",
                "ec2:DescribeSecurityGroupRules",
                "ec2:CreateTags",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeImages",
                "ec2:DescribeImageAttribute",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeRouteTables",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeAddresses",
                "ec2:DescribeDhcpOptions",
                "ec2:DescribeSnapshots"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::cf-template*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:UpdateStack",
                "cloudformation:CreateUploadBucket",
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStacks",
                "cloudformation:GetTemplateSummary",
                "cloudformation:ListStacks",
                "cloudformation:ListStackResources",
                "cloudformation:DeleteStack"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:ListRoles",
                "iam:TagRole",
                "iam:PutRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:GetRole",
                "iam:ListAttachedRolePolicies",
                "iam:CreateInstanceProfile",
                "iam:AddRoleToInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:ListPolicies",
                "iam:PassRole",
                "iam:ListOpenIDConnectProviders",
                "iam:GetOpenIDConnectProvider",
                "iam:ListEntitiesForPolicy",
                "iam:CreateServiceLinkedRole",
                "iam:ListInstanceProfiles",
                "iam:ListInstanceProfilesForRole",
                "iam:AttachRolePolicy" 
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "eks:DescribeCluster",
                "eks:ListClusters",
                "eks:UpdateClusterConfig",
                "eks:UpdateClusterVersion",
                "eks:CreateNodegroup",
                "eks:DescribeNodegroup",
                "eks:ListNodegroups",
                "eks:UpdateNodegroupConfig",
                "eks:UpdateNodegroupVersion",
                "eks:DescribeAddon",
                "eks:DescribeAddonVersions",
                "eks:ListAddons",
                "eks:UpdateAddon",
                "eks:AccessKubernetesApi",
                "eks:ListAccessPolicies",
                "eks:AssociateAccessPolicy",
                "eks:ListIdentityProviderConfigs",
                "eks:DescribeAccessEntry",
                "eks:ListPodIdentityAssociations",
                "eks:ListAssociatedAccessPolicies",
                "eks:CreateAccessEntry"  
            ],
            "_comment": "Change the below Resource to specific cluster - arn:aws:eks:region:account-id:cluster/cluster-name",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:ListAssociations",
                "ssm:GetParametersByPath"
            ],
            "Resource": "*"
        }
    ]
}

...

Before you begin, use this checklist to confirm that your environment satisfies the specifications required to operate Infrastructure Optimizer.

Info

The pre-check commands will require the IAM principal to have at least the ec2:Describe* permissions

Network

By default, Infrastructure Optimizer schedules workload in private subnets to protect them from direct external accesses.

Use the following commands to ensure that the AWS VPC where Infrastructure Optimizer will run has at least one private subnet with public NAT Gateways.

Check private subnets that are suitable for running the Infrastructure Optimizer workload Workers:

Code Block
aws ec2 describe-subnets --filter Name=vpc-id,Values=<vpc_id> --query 'Subnets[?MapPublicIpOnLaunch==`false`].SubnetId'

Check whether there is a public NAT Gateway attached:

Code Block
languagebash
aws ec2 describe-nat-gateways --filter Name=vpc-id,Values=<vpc_id> --output json | jq '.NatGateways[] | {NatGatewayId, SubnetId, ConnectivityType}'

If no private subnets exist, follow the AWS documentation to create a private subnet and a public NAT Gateway.

Info

EKS only: the Infrastructure Optimizer must run in the same VPC as the EKS cluster

Security

A pre-provisioned, user-managed SSH key pair is required to access the Infrastructure Optimizer Management Server.

Info

OPTIONAL: Follow the AWS EC2 documentation to generate a SSH key pair.

For environments with existing PKI setup, the x509 certificates, private key, and optionally, intermediate chain certificates and CA certificates will also be needed.

Compute

Infrastructure Optimizer runs on the following OSes:

  • Rocky Linux

Permissions

Installations and Deployment

The following file contains the minimum IAM permissions required by the AWS IAM principal used to install Infrastructure Optimizer:

View file
namexio-installer-iam.json

Expand
titleExpand this section to view a detailed explanation of each IAM permission

1. Amazon EC2 (Elastic Compute Cloud)

  • Instance Management

    • ec2:RunInstances

    • ec2:DescribeInstances

    • ec2:DescribeInstanceTypes

    • ec2:DescribeInstanceStatus

    • ec2:StopInstances

    • ec2:TerminateInstances

    • ec2:ModifyInstanceAttribute

  • Network and Security

    • ec2:DescribeSubnets

    • ec2:DescribeVpcs

    • ec2:DescribeVpcAttribute

    • ec2:DescribeSecurityGroups

    • ec2:AuthorizeSecurityGroupIngress

    • ec2:CreateSecurityGroup

    • ec2:RevokeSecurityGroupIngress

    • ec2:DeleteSecurityGroup

    • ec2:DescribeSecurityGroupRules

  • Resource Tagging and Metadata

    • ec2:CreateTags

  • Others

    • ec2:DescribeKeyPairs

    • ec2:DescribeImages

    • ec2:DescribeImageAttribute

    • ec2:DescribeAvailabilityZones

    • ec2:DescribeAccountAttributes

    • ec2:DescribeRouteTables

    • ec2:DescribeNetworkAcls

    • ec2:DescribeAddresses

    • ec2:DescribeDhcpOptions

    • ec2:DescribeSnapshots

2. Amazon S3 (Simple Storage Service)

  • Object Operations

    • s3:GetObject

    • s3:PutObject

3. Amazon CloudFormation

  • Stack Operations

    • cloudformation:CreateStack

    • cloudformation:UpdateStack

    • cloudformation:CreateUploadBucket

    • cloudformation:DescribeStackEvents

    • cloudformation:DescribeStacks

    • cloudformation:GetTemplateSummary

    • cloudformation:ListStacks

    • cloudformation:ListStackResources

    • cloudformation:DeleteStack

4. AWS IAM (Identity and Access Management)

  • Role Management

    • iam:CreateRole

    • iam:DeleteRole

    • iam:ListRoles

    • iam:TagRole

    • iam:PutRolePolicy

    • iam:DeleteRolePolicy

    • iam:GetRole

    • iam:ListAttachedRolePolicies

    • iam:AttachRolePolicy

  • Instance Profile Operations

    • iam:CreateInstanceProfile

    • iam:AddRoleToInstanceProfile

    • iam:RemoveRoleFromInstanceProfile

    • iam:DeleteInstanceProfile

  • Policy Management

    • iam:ListPolicies

    • iam:PassRole

  • Other

    • iam:ListOpenIDConnectProviders

    • iam:GetOpenIDConnectProvider

    • iam:ListEntitiesForPolicy

    • iam:CreateServiceLinkedRole

    • iam:ListInstanceProfiles

    • iam:ListInstanceProfilesForRole

5. Amazon EKS (Elastic Kubernetes Service)

  • Cluster Operations

    • eks:DescribeCluster

    • eks:ListClusters

    • eks:UpdateClusterConfig

    • eks:UpdateClusterVersion

  • Nodegroup Operations

    • eks:CreateNodegroup

    • eks:DescribeNodegroup

    • eks:ListNodegroups

    • eks:UpdateNodegroupConfig

    • eks:UpdateNodegroupVersion

  • Addon Operations

    • eks:DescribeAddon

    • eks:DescribeAddonVersions

    • eks:ListAddons

    • eks:UpdateAddon

  • API Access and Policy Management

    • eks:AccessKubernetesApi

    • eks:ListAccessPolicies

    • eks:AssociateAccessPolicy

    • eks:ListIdentityProviderConfigs

    • eks:DescribeAccessEntry

    • eks:ListPodIdentityAssociations

    • eks:ListAssociatedAccessPolicies

    • eks:CreateAccessEntry

6. AWS SSM (System Manager)

  • Association Operations

    • ssm:ListAssociations

    • ssm:GetParametersByPath

  • Management Server IAM Role

Expand
titleLeast privilege IAM policies required by management server
Info

This will be created by the CloudFormation Template now.

Type: Customer managed

Code Block
languagejson
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances",
                "ec2:StopInstances",
                "ec2:DescribeSpotPriceHistory",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeTags",
                "ec2:CreateTags",
                "ec2:CreateFleet",
                "ec2:CreateLaunchTemplate",
                "ec2:DeleteLaunchTemplate",
                "ec2:TerminateInstances",
                "ec2:AssignPrivateIpAddresses",
                "ec2:UnassignPrivateIpAddresses",
                "ec2:AttachNetworkInterface",
                "ec2:DetachNetworkInterface",
                "ec2:CreateNetworkInterface",
                "ec2:DeleteNetworkInterface",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:DescribeRegions"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole",
                "iam:ListRoles",
                "iam:ListInstanceProfiles",
                "iam:PassRole",
                "iam:GetRole"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeImages",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeInstanceTypeOfferings",
                "iam:GetInstanceProfile",
                "iam:SimulatePrincipalPolicy",
                "sns:Publish",
                "ssm:GetParameters",
                "ssm:GetParametersByPath"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVolume",
                "ec2:DescribeVolumes",
                "ec2:AttachVolume",
                "ec2:ModifyInstanceAttribute",
                "ec2:DetachVolume",
                "ec2:DeleteVolume"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateInstanceExportTask",
                "ec2:DescribeExportTasks",
                "ec2:RebootInstances",
                "ec2:CreateSnapshot",
                "ec2:DescribeSnapshots"
            ],
            "Resource": "*"
        }
    ]
}
  • Controller IAM Role

Expand
titleLeast privilege IAM policy required by controller

Type: Customer managed

Code Block
languagejson
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances",
                "ec2:StopInstances",
                "ec2:DescribeSpotPriceHistory",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeTags",
                "ec2:CreateTags",
                "ec2:CreateFleet",
                "ec2:CreateLaunchTemplate",
                "ec2:DeleteLaunchTemplate",
                "ec2:TerminateInstances",
                "ec2:AssignPrivateIpAddresses",
                "ec2:UnassignPrivateIpAddresses",
                "ec2:AttachNetworkInterface",
                "ec2:DetachNetworkInterface",
                "ec2:CreateNetworkInterface",
                "ec2:DeleteNetworkInterface",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:DescribeRegions"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole",
                "iam:ListRoles",
                "iam:ListInstanceProfiles",
                "iam:PassRole",
                "iam:GetRole"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeImages",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeInstanceTypeOfferings",
                "iam:GetInstanceProfile",
                "iam:SimulatePrincipalPolicy",
                "sns:Publish",
                "ssm:GetParameters",
                "ssm:GetParametersByPath"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVolume",
                "ec2:DescribeVolumes",
                "ec2:AttachVolume",
                "ec2:ModifyInstanceAttribute",
                "ec2:DetachVolume",
                "ec2:DeleteVolume"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateInstanceExportTask",
                "ec2:DescribeExportTasks",
                "ec2:RebootInstances",
                "ec2:CreateSnapshot",
                "ec2:DescribeSnapshots",
                "eks:DescribeCluster"
            ],
            "Resource": "*"
        }
    ]
}
  • Worker IAM Role

...

titleLeast privilege IAM policies required by workers
Info

This is required for EKS users only.

Type: AWS Managed

...

Policy

...

Explanation

...

AmazonEC2ContainerRegistryReadOnly

...

This allows read-only access to Amazon EC2 Container Registry repositories

...

AmazonEKS_CNI_Policy

...

This provides the Amazon VPC CNI Add-on permissions it requires to modify the IP address configuration on your EKS worker nodes

...

AmazonEKSWorkerNodePolicy

...

This allows Amazon EKS worker nodes to connect to Amazon EKS Clusters

...

AmazonSSMManagedInstanceCore

...

This is to enable AWS Systems Manager service core functionality

...

AmazonEBSCSIDriverPolicy

...

This allows the CSI driver service account to make calls to related services such as EC2

Type: Customer Inline

...

Policy

...

Explanation

...

ModifyEC2InstanceMedataReponseHopLimit

...

This allows worker nodes to modify the instance metadata parameters on a running or stopped EC2 instance

...

UnassignPrivateIpAddresses

...

This denies unassigning one or more secondary private IP addresses, or IPv4 Prefix Delegation prefixes from a network interface

...

languagejson

...

EC2 Instance Profiles

The Infrastructure Optimizer Controllers and Workers require a set of IAM permissions to manage and scale your workloads efficiently. Use this CloudFormation template to create the EC2 instance profiles.

View file
namexio-cloudformation-data-plane-iam.yaml

Info

When completed, the roles and instance profile ARNs outputs by CloudFormation will be needed for subsequent installation steps.