Overview

BeBop OS is a managed services deployment on AWS. We provision all infrastructure, network, and storage for the BeBop OS deployment. To effectively maintain the deployed application, we need the following roles and permissions.


Infrastructure Management (IAM Role -- Assume Role Identity)  

Role Name:  

  • Bebop-Admin-Role 

Tasks performed: 

  • KMS management for Encrypted Disks 

  • Access MarketPlace for CentOS 7 AMI 

  • Setup SNS and Cloudwatch to send notifications to MCP 

  • Create support tickets for quota increase. 

Policy: 

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "support:*",
      "ec2:*",
      "sns:*",
      "kms:*",
      "logs:*",
      "cloudwatch:*",
      "events:*",
      "route53:*",
      "aws-marketplace:*",
      "iam:PassRole",
      "aws-portal:ViewAccount",
      "aws-portal:ViewBilling",
      "aws-portal:ViewUsage"
    ],
    "Resource": "*"
  }]
}

Application Service Role 

Role:  BebopServiceRole 


Tasks performed: 

  • Launch, start, stop and terminate EC2 instances by BeBop application. 

  • Rotate IAM keys for Flex Service User (Only if Flex is needed) 


Policy: 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:RetireGrant",
        "kms:CreateGrant",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:Encrypt",
        "kms:DescribeKey",
        "kms:Decrypt"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:*AccessKey*",
        "iam:ChangePassword",
        "iam:GetUser",
        "iam:*ServiceSpecificCredential*",
        "iam:*SigningCertificate*"
      ],
      "Resource": [
        "arn:aws:iam::*:user/bbpflexsrvcuser"
      ]
    }
  ]
}

Instance Role for SSM & Monitoring

Roles Needed: BebopInstanceRole

Tasks performed: 

  • Used by AWS service discovery to find running instances 

  • Used for SSM Session Manager Access 


IAM Policy: 

Attach AWS Managed Policy:  AmazonSSMManagedInstanceCore 


Attach the inline policy below: 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    }
  ]
}

Trust Relationship: 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
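Several statements above grant actions on "Resource": "*". As an added example (not BeBop code), the Python check below runs a least-privilege review over constructed copies of the BebopServiceRole policy and the BebopInstanceRole inline policy, flagging service-wide wildcard actions and IAM actions that are not scoped to a role or user ARN. The check names and the reason strings are this example's own.

```python
import json

# Constructed copies of two policy documents shown on this page.
SERVICE_ROLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["kms:RetireGrant", "kms:CreateGrant", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:Encrypt", "kms:DescribeKey",
                "kms:Decrypt"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["iam:*AccessKey*", "iam:ChangePassword", "iam:GetUser",
                "iam:*ServiceSpecificCredential*", "iam:*SigningCertificate*"],
     "Resource": ["arn:aws:iam::*:user/bbpflexsrvcuser"]}
  ]
}""")

INSTANCE_INLINE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]
}""")


def _as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def audit(policy):
    """Return (statement_index, action, reason) for Allow grants worth tightening.

    Flags service-wide wildcard actions and IAM actions granted on Resource "*".
    Condition blocks are ignored, so treat each finding as a review item.
    """
    findings = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            service, _, name = action.partition(":")
            if action == "*" or name == "*":
                findings.append((index, action, "service-wide wildcard action"))
            elif service == "iam" and "*" in resources:
                findings.append((index, action, "IAM action not scoped to an ARN"))
    return findings
```

Scoping iam:PassRole to the ARN of the instance role the application actually launches instances with, rather than "*", clears the second finding; the Flex statement already shows the scoped pattern.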
