Infrastructure Management (IAM Role -- Assume Role Identity)
Role Name:
Bebop-Admin-Role
Tasks performed:
KMS management for Encrypted Disks
Access MarketPlace for CentOS 7 AMI
Set up SNS and CloudWatch to send notifications to MCP
Create support tickets for quota increase.
Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "support:*",
        "ec2:*",
        "sns:*",
        "kms:*",
        "logs:*",
        "cloudwatch:*",
        "events:*",
        "route53:*",
        "aws-marketplace:*",
        "iam:PassRole",
        "aws-portal:ViewAccount",
        "aws-portal:ViewBilling",
        "aws-portal:ViewUsage"
      ],
      "Resource": "*"
    }
  ]
}
Application Service User
User:
bebopserviceuser
Tasks performed:
Launch, start, stop, and terminate EC2 instances on behalf of the BeBop application.
Rotate own IAM keys.
Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:*AccessKey*",
        "iam:ChangePassword",
        "iam:GetUser",
        "iam:*ServiceSpecificCredential*",
        "iam:*SigningCertificate*"
      ],
      "Resource": ["arn:aws:iam::*:user/${aws:username}"]
    }
  ]
}
Initial Setup User
Username:
onboardsrvuser
Tasks performed:
Initial infra setup
Note: the onboardsrvuser user can be removed once BeBop on-boarding is done.
Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:*",
        "sns:*",
        "kms:*",
        "logs:*",
        "cloudwatch:*",
        "events:*",
        "aws-marketplace:*",
        "iam:PassRole"
      ],
      "Resource": "*"
    }
  ]
}
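The three policy documents above grant broad, service-wide permissions, so a reviewer's first job is to see at a glance which services each principal can reach and where the grant is wider than the documented tasks need. The following linter is an added example written for this page, not BeBop's own tooling: it embeds the three policies verbatim (with the missing comma in the role policy fixed), lists the service prefixes each one allows, and flags every `service:*` action and every `iam:PassRole` granted on `Resource "*"`, while noting the `${aws:username}` self-scoping in the service user's third statement as the pattern the other statements could follow. Only the Python standard library is used; the finding levels `warn` and `info` are this example's own convention.

```python
"""Least-privilege linter for the IAM policy documents listed on this page."""

# The three policy documents from the page (role policy with its missing comma fixed).
ADMIN_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "support:*", "ec2:*", "sns:*", "kms:*", "logs:*", "cloudwatch:*",
            "events:*", "route53:*", "aws-marketplace:*", "iam:PassRole",
            "aws-portal:ViewAccount", "aws-portal:ViewBilling", "aws-portal:ViewUsage",
        ],
        "Resource": "*",
    }],
}

SERVICE_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": [
                "iam:*AccessKey*", "iam:ChangePassword", "iam:GetUser",
                "iam:*ServiceSpecificCredential*", "iam:*SigningCertificate*",
            ],
            "Resource": ["arn:aws:iam::*:user/${aws:username}"],
        },
    ],
}

ONBOARD_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ec2:*", "sns:*", "kms:*", "logs:*", "cloudwatch:*", "events:*",
            "aws-marketplace:*", "iam:PassRole",
        ],
        "Resource": "*",
    }],
}

POLICIES = {
    "Bebop-Admin-Role": ADMIN_ROLE_POLICY,
    "bebopserviceuser": SERVICE_USER_POLICY,
    "onboardsrvuser": ONBOARD_USER_POLICY,
}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def services_granted(policy):
    """Sorted list of service prefixes (the part before ':') the policy allows."""
    services = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            services.add("*" if action == "*" else action.split(":", 1)[0])
    return sorted(services)


def lint_policy(name, policy):
    """Return findings as dicts with keys: policy, statement, level, message."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        all_resources = "*" in resources  # statement applies to every resource

        def add(level, message):
            findings.append({"policy": name, "statement": idx,
                             "level": level, "message": message})

        for action in actions:
            if (action == "*" or action.endswith(":*")) and all_resources:
                add("warn", 'service-wide wildcard %s on Resource "*"' % action)
            elif action == "iam:PassRole" and all_resources:
                add("warn", 'iam:PassRole on Resource "*": restrict to the ARNs '
                            'of the roles this principal must pass')
        if any("${aws:username}" in r for r in resources):
            add("info", "IAM actions self-scoped with ${aws:username}: "
                        "limited to the caller's own user")
    return findings


def lint_all(policies=POLICIES):
    """Lint every policy in the mapping; returns {policy name: [findings]}."""
    return {name: lint_policy(name, pol) for name, pol in policies.items()}


if __name__ == "__main__":
    for name, findings in lint_all().items():
        print(name, "grants:", ", ".join(services_granted(POLICIES[name])))
        for f in findings:
            print("  [%s] statement %d: %s" % (f["level"], f["statement"], f["message"]))
```

Running the script prints one block per principal. The per-service list is the quickest way to check a grant against the "Tasks performed" list above it, and the warnings mark the statements to tighten first: an `iam:PassRole` allowed on every resource lets the principal attach any role in the account to the instances it launches, so scoping its Resource to the specific instance-role ARNs is the usual fix.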