Setting Amazon AWS Cloudbursting policies
Policies are created and attached through the IAM section of the AWS console. Note that IAM is a global service: a policy is account-wide, and the `region=` parameter in the console URL only selects the console view, it does not scope the policy to that region (use an `aws:RequestedRegion` condition if regional scoping is required). For EU-West-1 the URL to manage policies is currently:
https://console.aws.amazon.com/iam/home?region=eu-west-1#policies
The “Create policy” option can be selected there; the policy should be attached only to the dedicated IAM user or role whose credentials are handed to the cluster manager, not to a shared or administrative principal.
The following policy is more restrictive than a full-administrator grant and gives more fine-grained access to AWS resources for the cloudbursting feature of Bright Cluster Manager. It is still a broad policy and should be reviewed against the actual deployment before use. In particular: `iam:PassRole` is granted on `Resource: "*"`, which lets the holder attach any role in the account to the instances it launches — restrict it to the ARN(s) of the instance role(s) the cluster actually uses. The instance lifecycle actions (`ec2:StartInstances`, `ec2:StopInstances`, `ec2:RebootInstances`, `ec2:TerminateInstances`) and attribute-changing actions (`ec2:ModifyInstanceAttribute`, `ec2:RegisterImage`, `ec2:CreateSnapshot`) are also granted on `"*"`, so they apply to every instance in the account, not only cloudbursting nodes — a tag-based condition (for example on `ec2:ResourceTag/...`) can limit them to resources the cluster manager created. The S3 statements allow read, write and bucket deletion on `arn:aws:s3:::*`, i.e. every bucket in the account; scope them to the bucket(s) used for cloudbursting. The `Sid` values (`EC2LessDangerousPermissions`, `EC2MoreDangerousPermissions`) are labels only and have no effect on what is granted.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:Get*",
"iam:List*",
"iam:PassRole"
],
"Resource": "*"
},
{
"Sid": "EC2LessDangerousPermissions",
"Effect": "Allow",
"Action": [
"ec2:CancelSpotInstanceRequests",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeImages",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInstances",
"ec2:DescribeKeyPairs",
"ec2:DescribePlacementGroups",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshots",
"ec2:DescribeSpotInstanceRequests",
"ec2:DescribeSpotPriceHistory",
"ec2:DescribeTags",
"ec2:DescribeVolumeStatus",
"ec2:DescribeVolumes",
"ec2:CreateSnapshot",
"ec2:CreateTags",
"ec2:DescribeClassicLinkInstances",
"ec2:DescribeInstanceAttribute",
"ec2:RegisterImage",
"ec2:DescribeRegions",
"ec2:DescribeVpcs",
"ec2:RequestSpotInstances",
"ec2:CreatePlacementGroup",
"ec2:DescribeInternetGateways",
"ec2:DescribeRouteTables",
"ec2:DescribeSubnets",
"ec2:ModifyInstanceAttribute"
],
"Resource": [
"*"
]
},
{
"Sid": "EC2MoreDangerousPermissions",
"Effect": "Allow",
"Action": [
"ec2:GetConsoleOutput",
"ec2:AllocateAddress",
"ec2:AssociateAddress",
"ec2:DisassociateAddress",
"ec2:ReleaseAddress"
],
"Resource": [
"*"
]
},
{
"Sid": "AllowInstanceActions",
"Effect": "Allow",
"Action": [
"ec2:StartInstances",
"ec2:RebootInstances",
"ec2:StopInstances",
"ec2:TerminateInstances"
],
"Resource": [
"*"
]
},
{
"Sid": "EC2RunInstances",
"Effect": "Allow",
"Action": [
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*"
]
},
{
"Sid": "RemainingRunInstancePermissions",
"Effect": "Allow",
"Action": [
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*::image/ami-*",
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:placement-group/*"
]
},
{
"Sid": "S3Permissions1",
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Sid": "S3Permissions2",
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:GetObject",
"s3:ListBucket",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Sid": "EBS",
"Effect": "Allow",
"Action": [
"ec2:AttachVolume",
"ec2:CreateVolume",
"ec2:DeleteVolume",
"ec2:DetachVolume"
],
"Resource": [
"*"
]
}
]
}