
ID #1302

How do I set Amazon AWS cloudbursting policies for Bright?

Setting Amazon AWS Cloudbursting policies



Policies in AWS are created and managed from the AWS console for the region. For EU-West-1, the URL for managing policies is currently:

 
https://console.aws.amazon.com/iam/home?region=eu-west-1#policies

 
An option to "create a new policy" can be selected there.


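The following more restrictive policy gives the cloudbursting feature of Bright Cluster Manager finer-grained access to AWS resources. Several of its statements still apply to every resource in the account: iam:PassRole is allowed on "Resource": "*", the instance stop/terminate and EBS volume actions are allowed on "*", and the second S3 statement allows s3:DeleteBucket, s3:GetObject and s3:PutObject on arn:aws:s3:::*. Where the roles, instances and buckets used by the cluster are known, narrow those Resource entries to the specific ARNs, or add a tag-based Condition, before attaching the policy: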

 

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Effect": "Allow",
           "Action": [
               "iam:Get*",
               "iam:List*",
               "iam:PassRole"
           ],
           "Resource": "*"
       },
       {
           "Sid": "EC2LessDangerousPermissions",
           "Effect": "Allow",
           "Action": [
               "ec2:CancelSpotInstanceRequests",
               "ec2:DescribeAccountAttributes",
               "ec2:DescribeAddresses",
               "ec2:DescribeAvailabilityZones",
               "ec2:DescribeImages",
               "ec2:DescribeInstanceStatus",
               "ec2:DescribeInstances",
               "ec2:DescribeKeyPairs",
               "ec2:DescribePlacementGroups",
               "ec2:DescribeSecurityGroups",
               "ec2:DescribeSnapshots",
               "ec2:DescribeSpotInstanceRequests",
               "ec2:DescribeSpotPriceHistory",
               "ec2:DescribeTags",
               "ec2:DescribeVolumeStatus",
               "ec2:DescribeVolumes",
               "ec2:CreateSnapshot",
               "ec2:CreateTags",
               "ec2:DescribeClassicLinkInstances",
               "ec2:DescribeInstanceAttribute",
               "ec2:RegisterImage",
               "ec2:DescribeRegions",
               "ec2:DescribeVpcs",
               "ec2:RequestSpotInstances",
               "ec2:CreatePlacementGroup",
               "ec2:DescribeInternetGateways",
               "ec2:DescribeRouteTables",
               "ec2:DescribeSubnets",
               "ec2:ModifyInstanceAttribute"
           ],
           "Resource": [
               "*"
           ]
       },
       {
           "Sid": "EC2MoreDangerousPermissions",
           "Effect": "Allow",
           "Action": [
               "ec2:GetConsoleOutput",
               "ec2:AllocateAddress",
               "ec2:AssociateAddress",
               "ec2:DisassociateAddress",
               "ec2:ReleaseAddress"
           ],
           "Resource": [
               "*"
           ]
       },
       {
           "Sid": "AllowInstanceActions",
           "Effect": "Allow",
           "Action": [
               "ec2:StartInstances",
               "ec2:RebootInstances",
               "ec2:StopInstances",
               "ec2:TerminateInstances"
           ],
           "Resource": [
               "*"
           ]
       },
       {
           "Sid": "EC2RunInstances",
           "Effect": "Allow",
           "Action": [
               "ec2:RunInstances"
           ],
           "Resource": [
               "arn:aws:ec2:*:*:instance/*"
           ]
       },
       {
           "Sid": "RemainingRunInstancePermissions",
           "Effect": "Allow",
           "Action": [
               "ec2:RunInstances"
           ],
           "Resource": [
               "arn:aws:ec2:*:*:volume/*",
               "arn:aws:ec2:*::image/ami-*",
               "arn:aws:ec2:*:*:subnet/*",
               "arn:aws:ec2:*:*:network-interface/*",
               "arn:aws:ec2:*:*:key-pair/*",
               "arn:aws:ec2:*:*:security-group/*"
           ]
       },
       {
           "Sid": "S3Permissions1",
           "Effect": "Allow",
           "Action": [
               "s3:GetBucketLocation",
               "s3:ListAllMyBuckets"
           ],
           "Resource": "arn:aws:s3:::*"
       },
       {
           "Sid": "S3Permissions2",
           "Effect": "Allow",
           "Action": [
               "s3:CreateBucket",
               "s3:DeleteBucket",
               "s3:GetObject",
               "s3:ListBucket",
               "s3:PutObject"
           ],
           "Resource": [
               "arn:aws:s3:::*"
           ]
       },
       {
           "Sid": "EBS",
           "Effect": "Allow",
           "Action": [
               "ec2:AttachVolume",
               "ec2:CreateVolume",
               "ec2:DeleteVolume",
               "ec2:DetachVolume"
           ],
           "Resource": [
               "*"
           ]
       }
   ]
}

Tags: amazon, aws, cloud bursting
