Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 83 Next »

Welcome to your first step towards cloud efficiency and savings with Infrastructure Optimizer. By following our setup checklist, you'll enable Infrastructure Optimizer to operate smoothly in your environment.

Environment Prerequisites Overview

Component

Section Link

VPC

Network

Certificate

Security

IAM Roles

Permissions

EKS Cluster

Cluster Requirements

Network

 Network Checklist

Component

Requirements

VPC

  • It contains at least one private subnet

NAT Gateway

  • The connectivity type is public

Security

 Security Checklist

Component

Details

SSH Key

  • This will be used to attach to the Management Server

Trusted Certificate

  • To make the installation accessible to your organization

Compute

 Compute Platform Checklist

Component

Requirements

Operating System

  • Linux variants

Permissions

We understand that cloud control and security are essential to you. In order to install Infrastructure Optimizer and start saving right away, we need your help to set up the right permissions for Infrastructure Optimizer to operate. For seamless installation and integration with AWS services, the following IAM role is required for the user who performs the operations:

  • User IAM Role

 Least privilege IAM policies of users

Least privilege IAM policies

Explanation

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeInstanceStatus",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "ec2:ModifyInstanceAttribute",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeSecurityGroups",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateSecurityGroup",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:DeleteSecurityGroup",
                "ec2:DescribeSecurityGroupRules",
                "ec2:CreateTags",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeImages",
                "ec2:DescribeImageAttribute",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeRouteTables",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeAddresses",
                "ec2:DescribeDhcpOptions",
                "ec2:DescribeSnapshots"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::cf-template*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:UpdateStack",
                "cloudformation:CreateUploadBucket",
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStacks",
                "cloudformation:GetTemplateSummary",
                "cloudformation:ListStacks",
                "cloudformation:ListStackResources",
                "cloudformation:DeleteStack"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:ListRoles",
                "iam:TagRole",
                "iam:PutRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:GetRole",
                "iam:ListAttachedRolePolicies",
                "iam:CreateInstanceProfile",
                "iam:AddRoleToInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:ListPolicies",
                "iam:PassRole",
                "iam:ListOpenIDConnectProviders",
                "iam:GetOpenIDConnectProvider",
                "iam:ListEntitiesForPolicy",
                "iam:CreateServiceLinkedRole",
                "iam:ListInstanceProfiles",
                "iam:ListInstanceProfilesForRole",
                "iam:AttachRolePolicy" 
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "eks:DescribeCluster",
                "eks:ListClusters",
                "eks:UpdateClusterConfig",
                "eks:UpdateClusterVersion",
                "eks:CreateNodegroup",
                "eks:DescribeNodegroup",
                "eks:ListNodegroups",
                "eks:UpdateNodegroupConfig",
                "eks:UpdateNodegroupVersion",
                "eks:DescribeAddon",
                "eks:DescribeAddonVersions",
                "eks:ListAddons",
                "eks:UpdateAddon",
                "eks:AccessKubernetesApi",
                "eks:ListAccessPolicies",
                "eks:AssociateAccessPolicy",
                "eks:ListIdentityProviderConfigs",
                "eks:DescribeAccessEntry",
                "eks:ListPodIdentityAssociations",
                "eks:ListAssociatedAccessPolicies",
                "eks:CreateAccessEntry"  
            ],
            "_comment": "Change the below Resource to specific cluster - arn:aws:eks:region:account-id:cluster/cluster-name",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:ListAssociations",
                "ssm:GetParametersByPath"
            ],
            "Resource": "*"
        }
    ]
}

1. Amazon EC2 (Elastic Compute Cloud)

  • Instance Management

    • ec2:RunInstances

    • ec2:DescribeInstances

    • ec2:DescribeInstanceTypes

    • ec2:DescribeInstanceStatus

    • ec2:StopInstances

    • ec2:TerminateInstances

    • ec2:ModifyInstanceAttribute

  • Network and Security

    • ec2:DescribeSubnets

    • ec2:DescribeVpcs

    • ec2:DescribeVpcAttribute

    • ec2:DescribeSecurityGroups

    • ec2:AuthorizeSecurityGroupIngress

    • ec2:CreateSecurityGroup

    • ec2:RevokeSecurityGroupIngress

    • ec2:DeleteSecurityGroup

    • ec2:DescribeSecurityGroupRules

  • Resource Tagging and Metadata

    • ec2:CreateTags

  • Others

    • ec2:DescribeKeyPairs

    • ec2:DescribeImages

    • ec2:DescribeImageAttribute

    • ec2:DescribeAvailabilityZones

    • ec2:DescribeAccountAttributes

    • ec2:DescribeRouteTables

    • ec2:DescribeNetworkAcls

    • ec2:DescribeAddresses

    • ec2:DescribeDhcpOptions

    • ec2:DescribeSnapshots

2. Amazon S3 (Simple Storage Service)

  • Object Operations

    • s3:GetObject

    • s3:PutObject

3. Amazon CloudFormation

  • Stack Operations

    • cloudformation:CreateStack

    • cloudformation:UpdateStack

    • cloudformation:CreateUploadBucket

    • cloudformation:DescribeStackEvents

    • cloudformation:DescribeStacks

    • cloudformation:GetTemplateSummary

    • cloudformation:ListStacks

    • cloudformation:ListStackResources

    • cloudformation:DeleteStack

4. AWS IAM (Identity and Access Management)

  • Role Management

    • iam:CreateRole

    • iam:DeleteRole

    • iam:ListRoles

    • iam:TagRole

    • iam:PutRolePolicy

    • iam:DeleteRolePolicy

    • iam:GetRole

    • iam:ListAttachedRolePolicies

    • iam:AttachRolePolicy

  • Instance Profile Operations

    • iam:CreateInstanceProfile

    • iam:AddRoleToInstanceProfile

    • iam:RemoveRoleFromInstanceProfile

    • iam:DeleteInstanceProfile

  • Policy Management

    • iam:ListPolicies

    • iam:PassRole

  • Other

    • iam:ListOpenIDConnectProviders

    • iam:GetOpenIDConnectProvider

    • iam:ListEntitiesForPolicy

    • iam:CreateServiceLinkedRole

    • iam:ListInstanceProfiles

    • iam:ListInstanceProfilesForRole

5. Amazon EKS (Elastic Kubernetes Service)

  • Cluster Operations

    • eks:DescribeCluster

    • eks:ListClusters

    • eks:UpdateClusterConfig

    • eks:UpdateClusterVersion

  • Nodegroup Operations

    • eks:CreateNodegroup

    • eks:DescribeNodegroup

    • eks:ListNodegroups

    • eks:UpdateNodegroupConfig

    • eks:UpdateNodegroupVersion

  • Addon Operations

    • eks:DescribeAddon

    • eks:DescribeAddonVersions

    • eks:ListAddons

    • eks:UpdateAddon

  • API Access and Policy Management

    • eks:AccessKubernetesApi

    • eks:ListAccessPolicies

    • eks:AssociateAccessPolicy

    • eks:ListIdentityProviderConfigs

    • eks:DescribeAccessEntry

    • eks:ListPodIdentityAssociations

    • eks:ListAssociatedAccessPolicies

    • eks:CreateAccessEntry

6. AWS SSM (System Manager)

  • Association Operations

    • ssm:ListAssociations

    • ssm:GetParametersByPath

  • No labels