
(v2.2.0.0) Getting Ready: Prerequisites

Welcome to your first step towards cloud efficiency and savings with Infrastructure Optimizer. By following our setup checklist, you'll enable Infrastructure Optimizer to operate smoothly in your environment.

Environment Prerequisites Overview

| Component | Section Link |
| --- | --- |
| VPC | Network |
| Certificate | Security |
| IAM Roles | Permissions |
| EKS Cluster | Cluster Requirements |

Network

| Component | Requirements |
| --- | --- |
| VPC | Please specify an IPv4 CIDR block range other than 192.168.137.0/24; it contains at least one private subnet |
| NAT Gateway | The connectivity type is public |

Security

| Component | Details |
| --- | --- |
| SSH Key | This will be used to attach to the Management Server |
| Trusted Certificate | To make the installation accessible to your organization |

Compute

| Component | Requirements |
| --- | --- |
| Operating System | Linux variants |

Permissions

We understand that cloud control and security are essential to you. In order to install Infrastructure Optimizer and start saving right away, we need your help to set up the right permissions for Infrastructure Optimizer to operate. For seamless operation and integration with AWS services, the following IAM roles with specific permissions are required:

  • User IAM Role

This is for users who install and use the product.

Least privilege IAM policies

Explanation


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeInstanceStatus",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "ec2:ModifyInstanceAttribute",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeSecurityGroups",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateSecurityGroup",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:DeleteSecurityGroup",
        "ec2:DescribeSecurityGroupRules",
        "ec2:CreateTags",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeImages",
        "ec2:DescribeImageAttribute",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeRouteTables",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeAddresses",
        "ec2:DescribeDhcpOptions",
        "ec2:DescribeSnapshots"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::cf-template*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:UpdateStack",
        "cloudformation:CreateUploadBucket",
        "cloudformation:DescribeStackEvents",
        "cloudformation:DescribeStacks",
        "cloudformation:GetTemplateSummary",
        "cloudformation:ListStacks",
        "cloudformation:ListStackResources",
        "cloudformation:DeleteStack"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:ListRoles",
        "iam:TagRole",
        "iam:PutRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:GetRole",
        "iam:ListAttachedRolePolicies",
        "iam:CreateInstanceProfile",
        "iam:AddRoleToInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:DeleteInstanceProfile",
        "iam:ListPolicies",
        "iam:PassRole",
        "iam:ListOpenIDConnectProviders",
        "iam:GetOpenIDConnectProvider",
        "iam:ListEntitiesForPolicy",
        "iam:CreateServiceLinkedRole",
        "iam:ListInstanceProfiles",
        "iam:ListInstanceProfilesForRole",
        "iam:AttachRolePolicy"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "eks:DescribeCluster",
        "eks:ListClusters",
        "eks:UpdateClusterConfig",
        "eks:UpdateClusterVersion",
        "eks:CreateNodegroup",
        "eks:DescribeNodegroup",
        "eks:ListNodegroups",
        "eks:UpdateNodegroupConfig",
        "eks:UpdateNodegroupVersion",
        "eks:DescribeAddon",
        "eks:DescribeAddonVersions",
        "eks:ListAddons",
        "eks:UpdateAddon",
        "eks:AccessKubernetesApi",
        "eks:ListAccessPolicies",
        "eks:AssociateAccessPolicy",
        "eks:ListIdentityProviderConfigs",
        "eks:DescribeAccessEntry",
        "eks:ListPodIdentityAssociations",
        "eks:ListAssociatedAccessPolicies",
        "eks:CreateAccessEntry"
      ],
      "_comment": "Change the below Resource to specific cluster - arn:aws:eks:region:account-id:cluster/cluster-name",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:ListAssociations",
        "ssm:GetParametersByPath"
      ],
      "Resource": "*"
    }
  ]
}

  • Management Server IAM Role

  • Controller IAM Role

  • Worker IAM Role
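
A review aid for the User IAM Role policy shown earlier, as an added example (not Infrastructure Optimizer's own code): it reports statement keys that are not elements of the IAM policy grammar, such as `_comment`, and Allow statements that grant non-read actions on `Resource: "*"`. The function names, the read-only prefix heuristic and the trimmed sample policy are assumptions made for this illustration.

```python
import json

# Statement elements defined by the IAM JSON policy grammar.
STATEMENT_KEYS = {"Sid", "Effect", "Principal", "NotPrincipal", "Action",
                  "NotAction", "Resource", "NotResource", "Condition"}
# Assumption: these verb prefixes are treated as read-only (a heuristic).
READ_PREFIXES = ("Describe", "List", "Get")

# Constructed excerpt of the User IAM Role policy above, actions trimmed.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
   "Resource": "arn:aws:s3:::cf-template*"},
  {"Effect": "Allow",
   "Action": ["eks:DescribeCluster", "eks:UpdateClusterConfig",
              "eks:CreateAccessEntry"],
   "_comment": "Change the below Resource to specific cluster",
   "Resource": "*"},
  {"Effect": "Allow",
   "Action": ["ssm:ListAssociations", "ssm:GetParametersByPath"],
   "Resource": "*"}
]}
""")

def as_list(value):
    """Action, Resource and Statement may be a single item or a list."""
    return list(value) if isinstance(value, list) else [value]

def lint_policy(policy):
    """Return (statement_index, finding, detail) tuples for review."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        for key in sorted(set(stmt) - STATEMENT_KEYS):
            findings.append((i, "non-grammar-key", key))
        if stmt.get("Effect") != "Allow" or "*" not in as_list(stmt.get("Resource", [])):
            continue
        writes = [a for a in as_list(stmt.get("Action", []))
                  if not a.split(":", 1)[-1].startswith(READ_PREFIXES)]
        if writes:
            findings.append((i, "write-on-wildcard", ",".join(writes)))
    return findings

def strip_non_grammar_keys(policy):
    """Copy of the policy whose statements keep only grammar elements."""
    stmts = [{k: v for k, v in s.items() if k in STATEMENT_KEYS}
             for s in as_list(policy["Statement"])]
    return {**policy, "Statement": stmts}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```

Run against the full policy, the `write-on-wildcard` findings are the statements to consider narrowing, starting with the EKS statement the `_comment` already singles out.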
