Use this policy document to complete the procedure in Create an IAM User for Ops Manager in Preparing to Deploy Ops Manager on AWS.
Note: In the S3 bucket statement (OpsMgrInfrastructureDirectorConfiguration), replace the generic bucket names such as pcf-ops-manager-bucket with the unique bucket names you created. The statement grants s3:* on those buckets, including object deletion, so keep the Resource list limited to the buckets Ops Manager actually needs.
From the AWS Management Console, copy and paste the following text in the Policy Document field.
You may want to consider adding more policies to enable additional features. For more information, see Add Additional AWS Policies below.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "iam:Add*",
        "iam:Attach*",
        "iam:ChangePassword",
        "iam:Create*",
        "iam:DeactivateMFADevice",
        "iam:Delete*",
        "iam:Detach*",
        "iam:EnableMFADevice",
        "iam:GenerateCredentialReport",
        "iam:GenerateServiceLastAccessedDetails",
        "iam:GetAccessKeyLastUsed",
        "iam:GetAccountAuthorizationDetails",
        "iam:GetAccountPasswordPolicy",
        "iam:GetAccountSummary",
        "iam:GetContextKeysForCustomPolicy",
        "iam:GetContextKeysForPrincipalPolicy",
        "iam:GetCredentialReport",
        "iam:GetGroup",
        "iam:GetGroupPolicy",
        "iam:GetLoginProfile",
        "iam:GetOpenIDConnectProvider",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:GetSAMLProvider",
        "iam:GetSSHPublicKey",
        "iam:GetServerCertificate",
        "iam:GetServiceLastAccessedDetails",
        "iam:GetUser",
        "iam:GetUserPolicy",
        "iam:List*",
        "iam:Put*",
        "iam:RemoveClientIDFromOpenIDConnectProvider",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:RemoveUserFromGroup",
        "iam:ResyncMFADevice",
        "iam:SetDefaultPolicyVersion",
        "iam:SimulateCustomPolicy",
        "iam:SimulatePrincipalPolicy",
        "iam:Update*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "OpsMgrInfrastructureIaasConfiguration",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeKeypairs",
        "ec2:DescribeVpcs",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeAccountAttributes"
      ],
      "Resource": "*"
    },
    {
      "Sid": "OpsMgrInfrastructureDirectorConfiguration",
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::pcf-ops-manager-bucket",
        "arn:aws:s3:::pcf-ops-manager-bucket/*",
        "arn:aws:s3:::pcf-buildpacks-bucket",
        "arn:aws:s3:::pcf-buildpacks-bucket/*",
        "arn:aws:s3:::pcf-packages-bucket",
        "arn:aws:s3:::pcf-packages-bucket/*",
        "arn:aws:s3:::pcf-resources-bucket",
        "arn:aws:s3:::pcf-resources-bucket/*",
        "arn:aws:s3:::pcf-droplets-bucket",
        "arn:aws:s3:::pcf-droplets-bucket/*"
      ]
    },
    {
      "Sid": "OpsMgrInfrastructureAvailabilityZones",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeAvailabilityZones"
      ],
      "Resource": "*"
    },
    {
      "Sid": "OpsMgrInfrastructureNetworks",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSubnets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DeployMicroBosh",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeImages",
        "ec2:RunInstances",
        "ec2:DescribeInstances",
        "ec2:TerminateInstances",
        "ec2:RebootInstances",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "ec2:DescribeAddresses",
        "ec2:DisassociateAddress",
        "ec2:AssociateAddress",
        "ec2:CreateTags",
        "ec2:DescribeVolumes",
        "ec2:CreateVolume",
        "ec2:AttachVolume",
        "ec2:DeleteVolume",
        "ec2:DetachVolume",
        "ec2:CreateSnapshot",
        "ec2:DeleteSnapshot",
        "ec2:DescribeSnapshots",
        "ec2:DescribeRegions"
      ],
      "Resource": "*"
    }
  ]
}
```
To perform specific tasks, you may need to add statements to the policy document in the AWS Management Console.
Consult the list below to determine which additional statements you need, then paste the code from the matching entry into the Statement array of your existing policy, directly after the closing }, of any existing statement. Each snippet ends with }, so that another statement can follow it; if you insert a snippet as the last element of the array, remove that trailing comma, otherwise the console rejects the JSON.
Keep in mind that the first statement of the base policy is an explicit Deny on most IAM actions, and an explicit Deny always wins over an Allow. Any IAM permission you add must therefore not match one of the Deny patterns. The two IAM actions used below, iam:GetInstanceProfile and iam:PassRole, are not covered by that Deny list, which is why the instance profile snippet takes effect; if you ever extend the Deny list with a broader pattern such as iam:Get*, the snippet stops working.
I need to... | So I paste this code.

Use an AWS Instance Profile instead of AWS Keys:

```json
{
  "Sid": "AllowToGetInfoAboutCurrentInstanceProfile",
  "Effect": "Allow",
  "Action": ["iam:GetInstanceProfile"],
  "Resource": ["IAM-INSTANCE-ARN-PROFILE"]
},
{
  "Sid": "AllowToCreateInstanceWithCurrentInstanceProfile",
  "Effect": "Allow",
  "Action": ["iam:PassRole"],
  "Resource": ["IAM-OPS-MANAGER-ARN-ROLE"]
},
```

Where IAM-INSTANCE-ARN-PROFILE is the ARN of the instance profile attached to the Ops Manager instance and IAM-OPS-MANAGER-ARN-ROLE is the ARN of the IAM role that instance profile contains. Scope both to those exact ARNs: iam:PassRole on a wildcard Resource would let the user launch instances with any role in the account.

Encrypt EBS volumes with AWS Key Management Service (KMS):

```json
{
  "Sid": "RequiredIfUsingHeavyStemcells",
  "Effect": "Allow",
  "Action": ["ec2:RegisterImage", "ec2:DeregisterImage"],
  "Resource": "*"
},
{
  "Sid": "RequiredIfEncryptingStemcells",
  "Effect": "Allow",
  "Action": ["ec2:CopyImage"],
  "Resource": "*"
},
```

Use a custom KMS encryption key that I created in AWS (replace ((kms_key_arn)) with the key's ARN):

```json
{
  "Sid": "RequiredIfUsingCustomKMSKeys",
  "Effect": "Allow",
  "Action": ["kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:CreateGrant", "kms:DescribeKey*"],
  "Resource": ["((kms_key_arn))"]
},
```

Use the load balancer target group:

```json
{
  "Sid": "RequiredIfUsingLBTargetGroupCloudProperties",
  "Effect": "Allow",
  "Action": [
    "elasticloadbalancing:DescribeLoadBalancers",
    "elasticloadbalancing:DescribeTargetGroups",
    "elasticloadbalancing:DescribeTargetHealth",
    "elasticloadbalancing:RegisterTargets"
  ],
  "Resource": "*"
},
```

Use AWS Spot instances (the spot bid price cloud properties):

```json
{
  "Sid": "RequiredIfUsingSpotBidPriceCloudProperties",
  "Effect": "Allow",
  "Action": ["ec2:CancelSpotInstanceRequests", "ec2:DescribeSpotInstanceRequests", "ec2:RequestSpotInstances"],
  "Resource": "*"
},
```

Create and replace AWS routes (the advertised routes cloud properties):

```json
{
  "Sid": "RequiredIfUsingAdvertisedRoutesCloudProperties",
  "Effect": "Allow",
  "Action": ["ec2:CreateRoute", "ec2:DescribeRouteTables", "ec2:ReplaceRoute"],
  "Resource": "*"
},
```
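Before pasting a merged policy into the console, it helps to check offline that the placeholders were replaced and that the explicit Deny does not swallow the permissions you just added. The following Python script is an added example written for this page; it is not part of the Ops Manager documentation or product. It works on an abridged copy of the base policy (only representative actions kept, so the Deny list is shorter than the real one, but like the real one it does not cover iam:GetInstanceProfile or iam:PassRole), appends the instance profile statements from the table, reports unreplaced placeholders, substitutes constructed sample ARNs (account ID 123456789012 is not real), and runs a simplified IAM evaluation: an explicit Deny beats any Allow, an Allow beats nothing, and everything else is an implicit deny. Conditions, permission boundaries, SCPs and resource policies are deliberately ignored.

```python
import fnmatch
import json
import re

# Abridged copy of the base policy from this page: only representative actions
# are kept so the example stays short. Paste the full policy here for a real run.
BASE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny",
         "Action": ["iam:Add*", "iam:Create*", "iam:Delete*", "iam:GetRole",
                    "iam:GetPolicy", "iam:List*", "iam:Put*", "iam:Update*"],
         "Resource": ["*"]},
        {"Sid": "OpsMgrInfrastructureDirectorConfiguration", "Effect": "Allow",
         "Action": ["s3:*"],
         "Resource": ["arn:aws:s3:::pcf-ops-manager-bucket",
                      "arn:aws:s3:::pcf-ops-manager-bucket/*"]},
        {"Sid": "DeployMicroBosh", "Effect": "Allow",
         "Action": ["ec2:RunInstances", "ec2:DescribeInstances",
                    "ec2:TerminateInstances"],
         "Resource": "*"},
    ],
}

# The two instance-profile statements from the table, placeholders still in.
INSTANCE_PROFILE_STATEMENTS = [
    {"Sid": "AllowToGetInfoAboutCurrentInstanceProfile", "Effect": "Allow",
     "Action": ["iam:GetInstanceProfile"], "Resource": ["IAM-INSTANCE-ARN-PROFILE"]},
    {"Sid": "AllowToCreateInstanceWithCurrentInstanceProfile", "Effect": "Allow",
     "Action": ["iam:PassRole"], "Resource": ["IAM-OPS-MANAGER-ARN-ROLE"]},
]

# Doc placeholders look like IAM-...-ARN-... or ((kms_key_arn)); real ARNs
# (lowercase, with colons) and "*" match neither alternative.
PLACEHOLDER = re.compile(r"^[A-Z][A-Z0-9-]*$|\(\(.+\)\)")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def merge(policy, extra_statements):
    """Return a copy of policy with extra_statements appended to Statement."""
    merged = json.loads(json.dumps(policy))
    merged["Statement"].extend(extra_statements)
    return merged


def unreplaced_placeholders(policy):
    """(Sid, Resource) pairs whose Resource still looks like a placeholder."""
    return [(stmt.get("Sid", "<no Sid>"), res)
            for stmt in policy["Statement"]
            for res in _as_list(stmt["Resource"])
            if PLACEHOLDER.search(res)]


def fill_placeholders(policy, values):
    """Substitute each placeholder with its ARN wherever it occurs."""
    text = json.dumps(policy)
    for placeholder, arn in values.items():
        text = text.replace(placeholder, arn)
    return json.loads(text)


def evaluate(policy, action, resource):
    """Simplified IAM decision: 'deny' (explicit), 'allow' or 'implicit-deny'.

    Action names match case-insensitively, resources case-sensitively; '*' and
    '?' are the only wildcards, as in IAM. Conditions are not modelled.
    """
    decision = "implicit-deny"
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r)
                           for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"          # explicit Deny ends the evaluation
        decision = "allow"
    return decision


if __name__ == "__main__":
    merged = merge(BASE_POLICY, INSTANCE_PROFILE_STATEMENTS)
    print("placeholders left:", unreplaced_placeholders(merged))
    # Constructed sample ARNs; account 123456789012 is a placeholder, not real.
    filled = fill_placeholders(merged, {
        "IAM-INSTANCE-ARN-PROFILE": "arn:aws:iam::123456789012:instance-profile/ops-manager",
        "IAM-OPS-MANAGER-ARN-ROLE": "arn:aws:iam::123456789012:role/ops-manager",
    })
    for act, res in [
        ("iam:GetInstanceProfile", "arn:aws:iam::123456789012:instance-profile/ops-manager"),
        ("iam:PassRole", "arn:aws:iam::123456789012:role/admin"),
        ("iam:CreateUser", "*"),
        ("s3:DeleteObject", "arn:aws:s3:::pcf-ops-manager-bucket/some/key"),
        ("ec2:CreateVpc", "*"),
    ]:
        print(f"{act:24} {res:58} -> {evaluate(filled, act, res)}")
```

Run it as-is to see the two placeholders reported before substitution, then the decisions: GetInstanceProfile on the filled-in profile ARN and PassRole on the Ops Manager role are allowed, PassRole on any other role is an implicit deny (the value of scoping that Resource), iam:CreateUser hits the explicit Deny, s3:DeleteObject on the Ops Manager bucket is allowed because of s3:*, and ec2:CreateVpc is an implicit deny because nothing grants it. For a production check, replace BASE_POLICY with the full policy and use the AWS-side IAM policy simulator for the final word, since this evaluator models only the Allow/Deny core.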
For more information about AWS policies, see Example Policies in the AWS documentation.