Simple ParkMyCloud Policies for IAM Roles or IAM Users

Here are a few simple policies you can attach to your IAM Roles or IAM Users, which grant them the minimum permissions necessary to run ParkMyCloud.

You can use any of these as an Inline Policy for specific users or groups, or you can create this as a Managed Policy within AWS, which can be attached to users, groups and roles.


The three policies below grant almost exactly the same permissions, but structure and constrain them in different ways.

Simple ParkMyCloud IAM Policy

This sample policy provides the simplest set of minimum permissions needed by the system.

{
    "Version": "2012-10-17",
    "Statement": [
      {
         "Action": [
            "autoscaling:Describe*",
            "autoscaling:UpdateAutoScalingGroup",
            "autoscaling:SuspendProcesses",
            "autoscaling:ResumeProcesses",
            "ec2:Describe*",
            "ec2:StartInstances",
            "ec2:StopInstances",
            "iam:GetUser",
            "rds:DescribeDBInstances",
            "rds:ListTagsForResource",
            "rds:StartDBInstance",
            "rds:StopDBInstance",
            "logs:DescribeLogGroups",
            "logs:DescribeLogStreams",
            "logs:GetLogEvents",
            "logs:TestMetricFilter",
            "logs:FilterLogEvents",
            "cloudwatch:GetMetricStatistics",
            "cloudwatch:ListMetrics"
         ],
         "Resource": "*",
         "Effect": "Allow"
      }
    ]
}

Recommended ParkMyCloud IAM Policy 

This policy provides more granular control over which resources may be accessed by each section of the policy. This is our recommended policy, with the best balance of security and simplicity. This version also introduces an optional section with the permission needed for ParkMyCloud to start instances with encrypted boot drives.

{
    "Version": "2012-10-17",
    "Statement": [
      {
         "Sid": "ParkMyCloudManagement",
         "Action": [
            "autoscaling:Describe*",
            "autoscaling:UpdateAutoScalingGroup",
            "autoscaling:SuspendProcesses",
            "autoscaling:ResumeProcesses",
            "ec2:Describe*",
            "ec2:StartInstances",
            "ec2:StopInstances",
            "iam:GetUser",
            "rds:DescribeDBInstances",
            "rds:ListTagsForResource",
            "rds:StartDBInstance",
            "rds:StopDBInstance"
         ],
         "Resource": "*",
         "Effect": "Allow"
      },
      {
         "Sid": "ParkMyCloudStartInstanceWithEncryptedBoot",
         "Effect": "Allow",
         "Action": "kms:CreateGrant",
         "Resource": "*"
      },
      {
         "Sid": "ParkMyCloudLogsAccess",
         "Effect": "Allow",
         "Action": [
            "logs:DescribeLogGroups",
            "logs:DescribeLogStreams",
            "logs:GetLogEvents",
            "logs:TestMetricFilter",
            "logs:FilterLogEvents"
         ],
         "Resource": "arn:aws:logs:*:*:*"
      },
      {
         "Sid": "ParkMyCloudCloudWatchAccess",
         "Effect": "Allow",
         "Action": [
            "cloudwatch:GetMetricStatistics",
            "cloudwatch:ListMetrics"
         ],
         "Resource": "*",
         "Condition": {
            "Bool": {
               "aws:SecureTransport": "true"
            }
         }
      }
    ]
}

ParkMyCloud IAM Policy with Tagging

This next policy is very similar, but uses a special tag (key "parkmycloud", value "yes") to grant permission to park instances. (Of course, you can substitute any tag key:value pair you prefer.) If the instance does not carry the specified tag, the user will NOT be allowed to park the instance.

PLEASE NOTE: This tag only constrains ec2 instances. It does NOT restrict updating of autoscaling groups.

{
    "Version": "2012-10-17",
    "Statement": [{
            "Sid": "ParkMyCloudTaggedOnly",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/parkmycloud": "yes"
                }
            },
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }, {
            "Sid": "ParkMyCloudManagement",
            "Action": [
                "autoscaling:Describe*",
                "autoscaling:UpdateAutoScalingGroup",
                "autoscaling:SuspendProcesses",
                "autoscaling:ResumeProcesses",
                "ec2:Describe*",
                "iam:GetUser",
                "rds:DescribeDBInstances",
                "rds:ListTagsForResource",
                "rds:StartDBInstance",
                "rds:StopDBInstance"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }, {
            "Sid": "ParkMyCloudStartInstanceWithEncryptedBoot",
            "Effect": "Allow",
            "Action": "kms:CreateGrant",
            "Resource": "*"
        }, {
            "Sid": "ParkMyCloudLogsAccess",
            "Effect": "Allow",
            "Action": [
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents",
                "logs:TestMetricFilter",
                "logs:FilterLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:*"
        }, {
            "Sid": "ParkMyCloudCloudWatchAccess",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "true"
                }
            }
        }
    ]
}
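To see how the tag condition and the other statements behave before attaching the policy, here is an added example (not ParkMyCloud's code and not part of the original article) that evaluates a request against a policy document offline. It implements only the subset of the IAM policy language the three policies above use: Allow statements, action wildcards such as "ec2:Describe*", a Resource of "*" or an ARN pattern, and the StringEquals and Bool condition operators. It does not model explicit Deny, SCPs, resource policies or the ...IfExists operators, so it is a teaching aid, not an authoritative simulator. The policy documents embedded in it are constructed, trimmed copies of the policies on this page, and the ARNs and account number are made-up sample values. The second function is a least-privilege check for the caveat in the article: it lists the statements that grant ec2:StartInstances or ec2:StopInstances without the tag condition.

```python
import fnmatch
import json

# Constructed input: the "ParkMyCloud IAM Policy with Tagging" from the page,
# with the kms statement and some actions left out to keep the example short.
TAGGED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ParkMyCloudTaggedOnly",
     "Action": ["ec2:StartInstances", "ec2:StopInstances"],
     "Condition": {"StringEquals": {"ec2:ResourceTag/parkmycloud": "yes"}},
     "Resource": ["*"], "Effect": "Allow"},
    {"Sid": "ParkMyCloudManagement",
     "Action": ["autoscaling:Describe*", "autoscaling:UpdateAutoScalingGroup",
                "ec2:Describe*", "rds:StartDBInstance", "rds:StopDBInstance"],
     "Resource": "*", "Effect": "Allow"},
    {"Sid": "ParkMyCloudLogsAccess", "Effect": "Allow",
     "Action": ["logs:DescribeLogGroups", "logs:GetLogEvents"],
     "Resource": "arn:aws:logs:*:*:*"},
    {"Sid": "ParkMyCloudCloudWatchAccess", "Effect": "Allow",
     "Action": ["cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics"],
     "Resource": "*",
     "Condition": {"Bool": {"aws:SecureTransport": "true"}}}
  ]
}
""")

# Constructed input: the management statement of the "Recommended" policy,
# which grants Start/StopInstances with no tag condition.
RECOMMENDED_MGMT = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ParkMyCloudManagement",
                   "Action": ["ec2:Describe*", "ec2:StartInstances", "ec2:StopInstances"],
                   "Resource": "*", "Effect": "Allow"}],
}

# Sample instance ARN (made up) used when the caller gives no resource.
DEFAULT_RESOURCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc1234"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_insensitive=False):
    """IAM-style wildcard match: '*' matches any run of characters, '?' one."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    """Evaluate StringEquals and Bool blocks against the request context.
    A key absent from the context makes the condition false, as IAM does for
    these operators when they are not written with the ...IfExists suffix."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                if str(actual) not in [str(v) for v in _as_list(expected)]:
                    return False
            elif operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def is_allowed(policy, action, resource=DEFAULT_RESOURCE, context=None):
    """True if some Allow statement matches action, resource and condition.
    Anything not matched is an implicit deny; explicit Deny is not modelled."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_matches(a, action, True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        return True
    return False


def unconditioned_start_stop(policy, tag_key="parkmycloud"):
    """Sids of Allow statements granting ec2:StartInstances/StopInstances with
    no StringEquals condition on ec2:ResourceTag/<tag_key>; these statements
    let the principal park any instance, tagged or not."""
    flagged = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        grants = any(_matches(a, "ec2:StartInstances", True) or _matches(a, "ec2:StopInstances", True)
                     for a in _as_list(stmt["Action"]))
        gated = f"ec2:ResourceTag/{tag_key}" in stmt.get("Condition", {}).get("StringEquals", {})
        if grants and not gated:
            flagged.append(stmt.get("Sid", f"statement[{i}]"))
    return flagged


if __name__ == "__main__":
    tagged = {"ec2:ResourceTag/parkmycloud": "yes"}
    print("start tagged instance:  ", is_allowed(TAGGED_POLICY, "ec2:StartInstances", context=tagged))
    print("start untagged instance:", is_allowed(TAGGED_POLICY, "ec2:StartInstances"))
    print("update ASG, no tag:     ", is_allowed(TAGGED_POLICY, "autoscaling:UpdateAutoScalingGroup"))
    print("unconditioned Start/Stop in recommended policy:", unconditioned_start_stop(RECOMMENDED_MGMT))
```

Running the script shows the point the article makes in its note: ec2:StartInstances on an untagged instance is denied, while autoscaling:UpdateAutoScalingGroup is allowed whether or not anything is tagged, because that action sits in the unconditioned ParkMyCloudManagement statement. For a real answer on a live account, use the AWS policy simulator (aws iam simulate-custom-policy) with the same action, resource and context keys, since it applies the full evaluation logic this example omits.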


Notes regarding the ParkMyCloud AWS IAM Role Policies

The IAM Role policies above are broken into a number of sections, each headed by a statement identifier (Sid). The Sid is a label only and has no effect on what the policy permits. Each of these sections serves a specific purpose, enabling different ParkMyCloud features. The purpose of each section is detailed below.
  • ParkMyCloudManagement: This section contains the basic permissions that allow the ParkMyCloud server to get a list of your EC2 instances, auto-scale groups, RDS databases, etc., and then start and stop them based on your schedules or command.
  • ParkMyCloudStartInstanceWithEncryptedBoot: This section is used in conjunction with the previous section to allow for starting EC2 instances with encrypted boot storage. This section can be removed if you do not have encrypted boot volumes. Some customers have reported this permission is also needed under certain other circumstances where ParkMyCloud is able to STOP an instance using a schedule, but is unable to START it.
  • ParkMyCloudLogsAccess: Allows ParkMyCloud to gather instance launch/start/stop/terminate and other such instance lifespan logs. Used to generate reports, calculate estimated costs and savings, and gather metrics needed to create recommendations for rightsizing and parking schedules.
  • ParkMyCloudCloudWatchAccess: Allows access to resource performance metrics needed to create recommendations for rightsizing and parking schedules.
