1. Inside AWS Console, go to policies in this Link.

  2. Create a new Policy with the content below

  3. Go to IAM Service within AWS Console and create a user called 1p-agent.

  4. Attach the Policy to the 1p-agent user (screenshots below)

Policy Content

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowRunInstances",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:*::image/*",
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:key-pair/*"
]
},
{
"Sid": "AllowEc2WithRestrictions",
"Effect": "Allow",
"Action": [
"ec2:CreateVolume",
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/Owner": "1p-agent"
},
"ForAllValues:StringEquals": {
"aws:TagKeys": [
"Owner",
"Name",
"Environment"
]
}
}
},
{
"Sid": "AllowFunctionsWithRestrictions",
"Effect": "Allow",
"Action": [
"ec2:TerminateInstances",
"ec2:StopInstances",
"ec2:RebootInstances",
"ec2:StartInstances",
"ec2:DeleteSecurityGroup",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",
"ec2:RevokeSecurityGroupEgress",
"ec2:UpdateSecurityGroupRuleDescriptionsIngress",
"ec2:UpdateSecurityGroupRuleDescriptionsEgress"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:security-group/*"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Owner": "1p-agent"
}
}
},
{
"Sid": "AllowFunctions1p",
"Effect": "Allow",
"Action": [
"ec2:CreateTags",
"ec2:CreateSecurityGroup",
"ec2:Describe*",
"rds:Describe*",
"elasticache:Describe*",
"cloudwatch:ListMetrics",
"cloudwatch:GetMetricStatistics"
],
"Resource": "*"
},
{
"Sid": "Manage1pAccessKeys",
"Effect": "Allow",
"Action": [
"iam:get*"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "SsmAllRegionsToAMis",
"Effect": "Allow",
"Action": "ssm:*",
"Resource": [
"arn:aws:s3:::*",
"arn:aws:ssm:*:*:opsmetadata/*",
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ssm:*:*:parameter/*"
]
}
]
}

This policy Allows:

  • EC2 Provisioning, control and manage instances with TAG “1P”. Our agent doesn’t use a Keypair.

  • RDS, Elasticache, EC2, IAM, Cloudwatch and S3 in list and get requests types

  • EKS Full Access (Optionally)



Did this answer your question?