From 22960fb7d01157b87aafb3fe2e06e37adcf80dfe Mon Sep 17 00:00:00 2001
From: pollfly <75068813+pollfly@users.noreply.github.com>
Date: Sun, 20 Nov 2022 10:22:27 +0200
Subject: [PATCH] Add AWS Autoscaler app configuration example (#372)

---
 .../applications/apps_aws_autoscaler.md | 126 +++++++++++++++---
 1 file changed, 104 insertions(+), 22 deletions(-)

diff --git a/docs/webapp/applications/apps_aws_autoscaler.md b/docs/webapp/applications/apps_aws_autoscaler.md
index 400a2546..7d994881 100644
--- a/docs/webapp/applications/apps_aws_autoscaler.md
+++ b/docs/webapp/applications/apps_aws_autoscaler.md
@@ -119,30 +119,112 @@ to an IAM user, and create credentials keys for that user to configure in the au
 1. Insert the following policy into the text box:
- ```
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "VisualEditor0",
- "Effect": "Allow",
- "Action": [
- "ec2:DescribeInstances",
- "ec2:TerminateInstances",
- "ec2:RequestSpotInstances",
- "ec2:DeleteTags",
- "ec2:CreateTags",
- "ec2:RunInstances",
- "ec2:DescribeSpotInstanceRequests",
- "ec2:GetConsoleOutput"
- ],
- "Resource": "*"
- }
- ]
- }
- ```
+ ```
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "VisualEditor0",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeInstances",
+ "ec2:TerminateInstances",
+ "ec2:RequestSpotInstances",
+ "ec2:DeleteTags",
+ "ec2:CreateTags",
+ "ec2:RunInstances",
+ "ec2:DescribeSpotInstanceRequests",
+ "ec2:GetConsoleOutput"
+ ],
+ "Resource": "*"
+ }
+ ]
+ }
+ ```
+ This is a basic policy which gives the autoscaler access to your account. See example policy with finer security
+configuration [here](#aws-iam-restricted-access-policy).
 1. Complete creating the policy
 1. Attach the created policy to an IAM user/group whose credentials will be used in the autoscaler app (you can create a new IAM user/group for this purpose)
 1. Obtain a set of AWS IAM credentials for the user/group to which you have attached the created policy in the previous step
+
+
+### AWS IAM Restricted Access Policy
+
+The template policy below demonstrates how to restrict the autoscaler to launch EC2.
+
+The policy includes the following permissions:
+* Enables performing certain EC2 actions on all resources in specified regions
+* Enables performing certain EC2 actions on specified resources (in selected subnet and security group, and any network-interface, volume, key-pair, instance)
+* Enables performing an EC2 action to use on a specified AMI on condition that the `ec2:Owner` is a specified owner
+
+```json
+{
+
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "GeneralEC2",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AttachClassicLinkVpc",
+ "ec2:CancelSpotInstanceRequests",
+ "ec2:CreateFleet",
+ "ec2:Describe*",
+ "ec2:GetConsoleOutput",
+ "ec2:DetachClassicLinkVpc",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:RequestSpotInstances"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringEquals": {
+ "aws:RequestedRegion": ""
+ }
+ }
+ },
+ {
+ "Sid": "RunEC2",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:RunInstances",
+ "ec2:CreateTags",
+ "ec2:DeleteTags",
+ "ec2:StartInstances",
+ "ec2:StopInstances",
+ "ec2:TerminateInstances",
+ "ec2:DescribeVolumes",
+ "ec2:DescribeAvailabilityZones",
+ "ec2:CreateVolume",
+ "ec2:AttachVolume",
+ "ec2:DetachVolume"
+ ],
+ "Resource": [
+ "arn:aws:ec2:::subnet/",
+ "arn:aws:ec2:::network-interface/*",
+ "arn:aws:ec2:::volume/*",
+ "arn:aws:ec2:::key-pair/*",
+ "arn:aws:ec2:::security-group/",
+ "arn:aws:ec2:::instance/*"
+ ]
+ },
+ {
+ "Sid": "RunEC2AMI",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:RunInstances"
+ ],
+ "Resource": [
+ "arn:aws:ec2:::image/"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "ec2:Owner": ""
+ }
+ }
+ }
+ ]
+}
+```
\ No newline at end of file