Navigation

AWS IAM Policy

Overview

When Cloud Manager deploys and manages MongoDB instances on AWS infrastructure, Cloud Manager accesses AWS by way of a user’s access keys. The user associated with the keys must have an attached IAM policy with the following permissions. For information on attaching the policy, see Provision Servers.

For an overview of AWS IAM policies, see Amazon’s IAM policy documentation.

Example Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iam:*AccessKey*", "iam:GetUser"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AttachVolume",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateKeyPair",
        "ec2:CreateSecurityGroup",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:DeleteKeyPair",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteTags",
        "ec2:DeleteVolume",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstances",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeRegions",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:DescribeVpcs",
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeVolumeStatus",
        "ec2:DescribeVolumes",
        "ec2:DescribeVolumeAttribute",
        "ec2:ImportKeyPair",
        "ec2:RunInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

Policy Settings

The following table explains why each setting is required. Cloud Manager uses permissions provided by the customer only for CRUD actions on the resources Cloud Manager creates for the customer. Additionally, Cloud Manager performs only Read actions for resources the customer selects (VPC, subnet, etc) and for connected resources (network ACL, route table, etc).

Setting Allows Cloud Manager to:
ec2:AttachVolume Add an EBS volume to a provisioned server.
ec2:AuthorizeSecurityGroupIngress Manage the security group rules Cloud Manager needs to ensure a valid networking state.
ec2:CreateKeyPair SSH into a machine in order to provision it.
ec2:CreateSecurityGroup Auto-generate security groups in the provisioning wizard.
ec2:CreateTags Tag the EC2 instances.
ec2:CreateVolume Create the EBS volumes.
ec2:DeleteKeyPair Remove the key pair Cloud Manager created.
ec2:DeleteSecurityGroup Remove the security group Cloud Manager created.
ec2:DeleteTags Remove tags Cloud Manager created.
ec2:DeleteVolume Removes resources Cloud Manager created.
ec2:DescribeAccountAttributes Determine if the AWS account has access to EC2-Classic.
ec2:DescribeAvailabilityZones Display the availability zones users can select when they provision new servers.
ec2:DescribeInstanceAttribute Access attributes of an EC2 instance.
ec2:DescribeInstanceStatus Access the status of an EC2 instance.
ec2:DescribeInstances Access available EC2 instances.
ec2:DescribeKeyPairs Validate the key pair Cloud Manager created.
ec2:DescribeRegions Display the regions users can select when they provision new servers.
ec2:DescribeSecurityGroups Display the security groups users can select when they provision new servers.
ec2:DescribeSubnets Display the subnets users can select when they provision new servers.
ec2:DescribeTags List tags for instances associated with Cloud Manager.
ec2:DescribeVpcs Display the VPCs users can select when they provision new servers.
ec2:DescribeVpcAttribute Access VPC attributes.
ec2:DescribeVolumeStatus Validate the readiness of an attached or detached volume.
ec2:DescribeVolumes Ensure your MongoDB server has the correct volumes attached.
ec2:DescribeVolumeAttribute Access information on EBS volumes.
ec2:ImportKeyPair Associate a key pair with an EC2 instance.
ec2:RunInstances Run the EC2 instance.
ec2:StartInstances Start the EC2 instance.
ec2:StopInstances Stop the EC2 instance.
ec2:RebootInstances Reboot the EC2 instance.
ec2:TerminateInstances Terminate the EC2 instance.