
AWS IAM Policy


Overview

When Cloud Manager deploys and manages MongoDB instances on AWS infrastructure, it accesses AWS with an IAM user's access keys. The user associated with those keys must have an attached IAM policy that grants the permissions listed below. Because the keys carry every permission in this policy, they should belong to a dedicated IAM user created for Cloud Manager rather than to a person's account. For information on attaching the policy, see Provision Servers.

For an overview of AWS IAM policies, see Amazon's IAM policy documentation.

Example Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iam:*AccessKey*", "iam:GetUser"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AttachVolume",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateKeyPair",
        "ec2:CreateSecurityGroup",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:DeleteKeyPair",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteTags",
        "ec2:DeleteVolume",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstances",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeRegions",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:DescribeVpcs",
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeVolumeStatus",
        "ec2:DescribeVolumes",
        "ec2:DescribeVolumeAttribute",
        "ec2:ImportKeyPair",
        "ec2:RunInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": ["*"]
    }
  ]
}
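The following script is an added example for reviewing what the policy above actually grants; it is not code from MongoDB or the Cloud Manager documentation. It models the subset of IAM evaluation needed here (Allow statements, case-insensitive Action matching with the "*" and "?" wildcards, and Resource matching on ARNs), shows that "iam:*AccessKey*" with Resource "*" covers the access-key actions for every user in the account, and builds a variant scoped to a single user ARN. The account id 123456789012 and the user names cloud-manager and alice are made-up sample values, and the scoped variant is this example's suggestion, not something the page states Cloud Manager supports.

```python
"""Review what the Cloud Manager IAM policy grants.

Added example, not code from MongoDB or the Cloud Manager docs. Models only
Allow statements, case-insensitive Action matching with '*' and '?', and
Resource matching with the same wildcards (treated as case-sensitive here,
a simplification). Deny, NotAction/NotResource, Condition blocks and
resource policies are not modelled. Account id and user names are made up.
"""
import copy
import json
import re

# The policy published on the page, as a Python dict.
CLOUD_MANAGER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iam:*AccessKey*", "iam:GetUser"],
            "Resource": ["*"],
        },
        {
            "Effect": "Allow",
            "Action": (
                "ec2:AttachVolume ec2:AuthorizeSecurityGroupIngress ec2:CreateKeyPair "
                "ec2:CreateSecurityGroup ec2:CreateTags ec2:CreateVolume ec2:DeleteKeyPair "
                "ec2:DeleteSecurityGroup ec2:DeleteTags ec2:DeleteVolume "
                "ec2:DescribeAccountAttributes ec2:DescribeAvailabilityZones "
                "ec2:DescribeInstanceAttribute ec2:DescribeInstanceStatus ec2:DescribeInstances "
                "ec2:DescribeKeyPairs ec2:DescribeRegions ec2:DescribeSecurityGroups "
                "ec2:DescribeSubnets ec2:DescribeTags ec2:DescribeVpcs ec2:DescribeVpcAttribute "
                "ec2:DescribeVolumeStatus ec2:DescribeVolumes ec2:DescribeVolumeAttribute "
                "ec2:ImportKeyPair ec2:RunInstances ec2:StartInstances ec2:StopInstances "
                "ec2:RebootInstances ec2:TerminateInstances"
            ).split(),
            "Resource": ["*"],
        },
    ],
}

# Concrete IAM access-key actions that the wildcard "iam:*AccessKey*" covers.
ACCESS_KEY_ACTIONS = [
    "iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:ListAccessKeys",
    "iam:UpdateAccessKey", "iam:GetAccessKeyLastUsed",
]
# Actions a reviewer might look for that the policy does not grant (the
# Describe calls for route tables and network ACLs are absent from it).
NOT_GRANTED = [
    "ec2:DetachVolume", "ec2:DescribeRouteTables", "ec2:DescribeNetworkAcls",
    "iam:CreateUser", "iam:AttachUserPolicy", "s3:GetObject",
]


def _wildcard_regex(pattern, ignore_case):
    """Translate an IAM pattern ('*' any run, '?' one char) to an anchored regex."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(body + r"\Z", re.IGNORECASE if ignore_case else 0)


def action_matches(pattern, action):
    """IAM compares action names case-insensitively."""
    return _wildcard_regex(pattern, True).match(action) is not None


def resource_matches(pattern, arn):
    return _wildcard_regex(pattern, False).match(arn) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def granting_statements(policy, action, resource="*"):
    """Indexes of Allow statements whose Action and Resource both match."""
    hits = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(action_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(resource_matches(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        hits.append(index)
    return hits


def is_allowed(policy, action, resource="*"):
    return bool(granting_statements(policy, action, resource))


def allowed_subset(policy, candidates, resource="*"):
    return [a for a in candidates if is_allowed(policy, a, resource)]


def scope_access_keys_to_user(policy, user_arn):
    """Copy of the policy with its access-key statements limited to one user ARN.

    This tightening is the example's suggestion; the page does not say whether
    Cloud Manager works with it, so try it in a test project first.
    """
    scoped = copy.deepcopy(policy)
    for stmt in scoped["Statement"]:
        if any(action_matches(p, "iam:CreateAccessKey") for p in _as_list(stmt["Action"])):
            stmt["Resource"] = [user_arn]
    return scoped


if __name__ == "__main__":
    cm_user = "arn:aws:iam::123456789012:user/cloud-manager"  # sample ARN
    other_user = "arn:aws:iam::123456789012:user/alice"       # sample ARN
    print("iam:*AccessKey* covers:", allowed_subset(CLOUD_MANAGER_POLICY, ACCESS_KEY_ACTIONS))
    print("not granted:", [a for a in NOT_GRANTED if not is_allowed(CLOUD_MANAGER_POLICY, a)])
    print("create key for alice, published policy:",
          is_allowed(CLOUD_MANAGER_POLICY, "iam:CreateAccessKey", other_user))
    scoped = scope_access_keys_to_user(CLOUD_MANAGER_POLICY, cm_user)
    print("create key for alice, scoped policy:",
          is_allowed(scoped, "iam:CreateAccessKey", other_user))
    print(json.dumps(scoped["Statement"][0], indent=2))
```

Running the script prints the five access-key actions matched by the wildcard, confirms that none of the out-of-scope actions are granted, and shows that the published policy lets the key holder call iam:CreateAccessKey against any user ARN while the scoped copy only allows it for the Cloud Manager user. Because the matcher is a model rather than the IAM engine, treat its answers as a review aid and use the IAM policy simulator for an authoritative check.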

Policy Settings

The following table explains why each EC2 setting in the second statement is required. Cloud Manager uses the permissions the customer provides only for create, read, update and delete actions on the resources Cloud Manager creates for the customer, and only for read actions on resources the customer selects (VPC, subnet, and so on) and on connected resources (network ACL, route table, and so on).

The first statement, iam:*AccessKey* and iam:GetUser, is not covered by the table. Note that in IAM the pattern iam:*AccessKey* matches every action whose name contains AccessKey (iam:CreateAccessKey, iam:DeleteAccessKey, iam:ListAccessKeys, iam:UpdateAccessKey and iam:GetAccessKeyLastUsed) and, with Resource "*", does so for every IAM user in the account, not only the user whose keys Cloud Manager holds.

Setting                            Allows Cloud Manager to:
ec2:AttachVolume                   Add an EBS volume to a provisioned server.
ec2:AuthorizeSecurityGroupIngress  Add the inbound security group rules Cloud Manager needs for a valid networking state.
ec2:CreateKeyPair                  Create the key pair used to SSH into a machine and provision it.
ec2:CreateSecurityGroup            Auto-generate security groups in the provisioning wizard.
ec2:CreateTags                     Tag the EC2 instances.
ec2:CreateVolume                   Create the EBS volumes.
ec2:DeleteKeyPair                  Remove the key pair Cloud Manager created.
ec2:DeleteSecurityGroup            Remove the security group Cloud Manager created.
ec2:DeleteTags                     Remove tags Cloud Manager created.
ec2:DeleteVolume                   Remove the EBS volumes Cloud Manager created.
ec2:DescribeAccountAttributes      Determine whether the AWS account has access to EC2-Classic.
ec2:DescribeAvailabilityZones      Display the availability zones users can select when they provision new servers.
ec2:DescribeInstanceAttribute      Read the attributes of an EC2 instance.
ec2:DescribeInstanceStatus         Read the status of an EC2 instance.
ec2:DescribeInstances              List the available EC2 instances.
ec2:DescribeKeyPairs               Validate the key pair Cloud Manager created.
ec2:DescribeRegions                Display the regions users can select when they provision new servers.
ec2:DescribeSecurityGroups         Display the security groups users can select when they provision new servers.
ec2:DescribeSubnets                Display the subnets users can select when they provision new servers.
ec2:DescribeTags                   List the tags on instances associated with Cloud Manager.
ec2:DescribeVpcs                   Display the VPCs users can select when they provision new servers.
ec2:DescribeVpcAttribute           Read VPC attributes.
ec2:DescribeVolumeStatus           Validate the readiness of an attached or detached volume.
ec2:DescribeVolumes                Ensure your MongoDB server has the correct volumes attached.
ec2:DescribeVolumeAttribute        Read information on EBS volumes.
ec2:ImportKeyPair                  Import a public key as an EC2 key pair so it can be assigned to the instances Cloud Manager provisions.
ec2:RunInstances                   Launch the EC2 instance.
ec2:StartInstances                 Start the EC2 instance.
ec2:StopInstances                  Stop the EC2 instance.
ec2:RebootInstances                Reboot the EC2 instance.
ec2:TerminateInstances             Terminate the EC2 instance.