
Codiac AWS User Prerequisites

Before you use Codiac with Amazon Web Services (AWS), you need the following:

  • An AWS IAM user with access keys (not a user provisioned through IAM Identity Center).
  • The AWS user's credentials: the Access Key ID and the Secret Access Key.
  • The user must have enough permissions to create S3 buckets and perform other networking and account tasks.
  • Optional: access to, and a login for, the AWS account's Elastic Container Registry (ECR).

Managed Policies

The easiest route is to attach the AWS managed policy AdministratorAccess to this user. This managed policy grants the user full access to your AWS account.

danger

A user account with full access to your AWS account is fine for getting started. We do NOT recommend this level of access for a production account.

Least Privilege

warning

AWS IAM permissions and service actions change frequently. We cannot provide support for navigating the AWS IAM system.

For production usage, we recommend you follow the standard security advice of granting "least privilege" to the AWS user account.

The following is the "least privilege" IAM policy required for a Codiac AWS user as of June 2024. Replace <AWS-ACCOUNT-ID> in the Resource ARNs with your own AWS account ID. Note that this policy contains no S3 or ECR actions even though creating S3 buckets is listed as a prerequisite above, and that the CodiacAdminCustomPolicyIAM statement still grants iam:CreatePolicy, iam:AttachRolePolicy, and iam:PutRolePolicy on all resources; before using it in production, check whether those actions can be scoped to the codiac* roles and policies in the same way the CodiacAdminCustomPolicyIAMRestricted statement scopes iam:CreateRole and iam:PassRole.

info

This policy is the product of a collaborative effort with our customer R. Singh of Amniscient - many thanks!

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CodiacAdminCustomPolicyAutoscaling",
"Effect": "Allow",
"Action": [
"autoscaling:CreateAutoScalingGroup",
"autoscaling:CreateLaunchConfiguration",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:DeleteLaunchConfiguration",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup"
],
"Resource": "*"
},
{
"Sid": "CodiacAdminCustomPolicyEC2",
"Effect": "Allow",
"Action": [
"ec2:AllocateAddress",
"ec2:AssociateRouteTable",
"ec2:AttachInternetGateway",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateInternetGateway",
"ec2:CreateLaunchTemplate",
"ec2:CreateNatGateway",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:CreateSecurityGroup",
"ec2:CreateSubnet",
"ec2:CreateTags",
"ec2:CreateVpc",
"ec2:DeleteInternetGateway",
"ec2:DeleteLaunchTemplate",
"ec2:DeleteNatGateway",
"ec2:DeleteRoute",
"ec2:DeleteRouteTable",
"ec2:DeleteSecurityGroup",
"ec2:DeleteSubnet",
"ec2:DeleteTags",
"ec2:DeleteVpc",
"ec2:DescribeAddresses",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeImages",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInternetGateways",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeNatGateways",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroupReferences",
"ec2:DescribeSecurityGroupRules",
"ec2:DescribeSecurityGroups",
"ec2:DescribeStaleSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVpcs",
"ec2:DetachInternetGateway",
"ec2:DisassociateRouteTable",
"ec2:GetSecurityGroupsForVpc",
"ec2:ModifySecurityGroupRules",
"ec2:ModifySubnetAttribute",
"ec2:ModifyVpcAttribute",
"ec2:ReleaseAddress",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:RunInstances",
"ec2:TerminateInstances",
"ec2:UpdateSecurityGroupRuleDescriptionsEgress",
"ec2:UpdateSecurityGroupRuleDescriptionsIngress",
"ec2:createlaunchtemplateversion",
"ec2:deletelaunchtemplateversions",
"ec2:describelaunchtemplateversions",
"ec2:modifylaunchtemplate"
],
"Resource": "*"
},
{
"Sid": "CodiacAdminCustomPolicyEKS",
"Effect": "Allow",
"Action": [
"eks:CreateCluster",
"eks:CreateNodegroup",
"eks:DeleteCluster",
"eks:DeleteNodegroup",
"eks:DescribeCluster",
"eks:DescribeNodegroup",
"eks:ListClusters",
"eks:ListNodegroups",
"eks:TagResource",
"eks:UntagResource",
"eks:UpdateClusterConfig",
"eks:UpdateClusterVersion",
"eks:UpdateNodegroupConfig",
"eks:UpdateNodegroupVersion"
],
"Resource": "*"
},
{
"Sid": "CodiacAdminCustomPolicyELB",
"Effect": "Allow",
"Action": [
"elasticloadbalancing:AddTags",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:RemoveTags"
],
"Resource": "*"
},
{
"Sid": "CodiacAdminCustomPolicyIAM",
"Effect": "Allow",
"Action": [
"iam:AddRoleToInstanceProfile",
"iam:AttachRolePolicy",
"iam:CreateInstanceProfile",
"iam:CreatePolicy",
"iam:DeleteInstanceProfile",
"iam:DetachRolePolicy",
"iam:GetInstanceProfile",
"iam:GetRole",
"iam:List*",
"iam:PutRolePolicy",
"iam:RemoveRoleFromInstanceProfile",
"iam:TagRole"
],
"Resource": "*"
},
{
"Sid": "CodiacAdminCustomPolicyIAMRestricted",
"Effect": "Allow",
"Action": [
"iam:CreateRole",
"iam:DeletePolicy",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::<AWS-ACCOUNT-ID>:policy/codiac*",
"arn:aws:iam::<AWS-ACCOUNT-ID>:role/codiac*"
]
},
{
"Sid": "CodiacAdminCustomPolicyTag",
"Effect": "Allow",
"Action": [
"tag:GetResources",
"tag:TagResources",
"tag:UntagResources"
],
"Resource": "*"
}
]
}