ParkMyCloud, Inc

            Simple ParkMyCloud Policies for IAM Roles or IAM Users


            Here are a few simple policies you can attach to your IAM Roles or IAM Users, which grant them the minimum permissions necessary to run ParkMyCloud.

            You can use any of these as an Inline Policy for specific users or groups, or you can create one as a Managed Policy within AWS, which can then be attached to users, groups and roles.


            The three policies below grant almost the same set of permissions, but express them in different ways: one flat statement, one split into named sections with tighter resource scoping, and one that gates EC2 start/stop on an instance tag.

            Simple ParkMyCloud IAM Policy

            This sample policy is the simplest expression of the minimum permissions the service needs: a single statement, with every action allowed on every resource ("Resource": "*").

            {
                "Version": "2012-10-17",
                "Statement": [
                  {
                     "Action": [
                        "autoscaling:Describe*",
                        "autoscaling:UpdateAutoScalingGroup",
                        "autoscaling:SuspendProcesses",
                        "autoscaling:ResumeProcesses",
                        "ec2:Describe*",
                        "ec2:StartInstances",
                        "ec2:StopInstances",
                        "iam:GetUser",
                        "rds:DescribeDBInstances",
                        "rds:ListTagsForResource",
                        "rds:StartDBInstance",
                        "rds:StopDBInstance",
                        "logs:DescribeLogGroups",
                        "logs:DescribeLogStreams",
                        "logs:GetLogEvents",
                        "logs:TestMetricFilter",
                        "logs:FilterLogEvents",
                        "cloudwatch:GetMetricStatistics",
                        "cloudwatch:ListMetrics"
                     ],
                     "Resource": "*",
                     "Effect": "Allow"
                  }
                ]
            }

            Recommended ParkMyCloud IAM Policy 

            This policy provides more granular control over which resources may be accessed by each section of the policy.  This is our recommended policy, with the best balance of security and simplicity.  This version also introduces an optional section (ParkMyCloudStartInstanceWithEncryptedBoot) with the single permission ParkMyCloud needs to start instances whose boot volumes are encrypted; drop that section if you have no encrypted boot volumes.

            {
                "Version": "2012-10-17",
                "Statement": [
                  {
                     "Sid": "ParkMyCloudManagement",
                     "Action": [
                        "autoscaling:Describe*",
                        "autoscaling:UpdateAutoScalingGroup",
                        "autoscaling:SuspendProcesses",
                        "autoscaling:ResumeProcesses",
                        "ec2:Describe*",
                        "ec2:StartInstances",
                        "ec2:StopInstances",
                        "iam:GetUser",
                        "rds:DescribeDBInstances",
                        "rds:ListTagsForResource",
                        "rds:StartDBInstance",
                        "rds:StopDBInstance"
                     ],
                     "Resource": "*",
                     "Effect": "Allow"
                  },{
                     "Sid": "ParkMyCloudStartInstanceWithEncryptedBoot",
                     "Effect": "Allow",
                     "Action": "kms:CreateGrant",
                     "Resource": "*"
                  },{
                     "Sid": "ParkMyCloudLogsAccess",
                     "Effect": "Allow",
                     "Action": [
                        "logs:DescribeLogGroups",
                        "logs:DescribeLogStreams",
                        "logs:GetLogEvents",
                        "logs:TestMetricFilter",
                        "logs:FilterLogEvents"
                     ],
                     "Resource": "arn:aws:logs:*:*:*"
                  },{
                     "Sid": "ParkMyCloudCloudWatchAccess",
                     "Effect": "Allow",
                     "Action": [
                        "cloudwatch:GetMetricStatistics",
                        "cloudwatch:ListMetrics"
                     ],
                     "Resource": "*",
                     "Condition": {
                        "Bool": {
                           "aws:SecureTransport": "true"
                        }
                     }
                  }
                ]
            }

            ParkMyCloud IAM Policy with Tagging

            This next policy is very similar, but uses a tag to gate parking: ec2:StartInstances and ec2:StopInstances are only allowed on instances that carry the tag key "parkmycloud" with the value "yes". (Of course you can substitute any tag key/value pair you prefer.) If an instance does not carry the specified tag, the user or role will NOT be allowed to park or start it. Note that StringEquals compares the tag value case-sensitively, so a value of "Yes" does not satisfy a condition written for "yes".

            PLEASE NOTE: The tag condition only constrains starting and stopping of EC2 instances. It does NOT restrict updating or suspending Auto Scaling groups, nor starting or stopping RDS instances: those actions sit in the ParkMyCloudManagement section below with "Resource": "*", so they are allowed regardless of tags.

            {
                "Version": "2012-10-17",
                "Statement": [{
                        "Sid": "ParkMyCloudTaggedOnly",
                        "Action": [
                            "ec2:StartInstances",
                            "ec2:StopInstances"
                        ],
                        "Condition": {
                            "StringEquals": {
                                "ec2:ResourceTag/parkmycloud": "yes"
                            }
                        },
                        "Resource": [
                            "*"
                        ],
                        "Effect": "Allow"
                    }, {
                        "Sid": "ParkMyCloudManagement",
                        "Action": [
                            "autoscaling:Describe*",
                            "autoscaling:UpdateAutoScalingGroup",
                            "autoscaling:SuspendProcesses",
                            "autoscaling:ResumeProcesses",
                            "ec2:Describe*",
                            "iam:GetUser",
                            "rds:DescribeDBInstances",
                            "rds:ListTagsForResource",
                            "rds:StartDBInstance",
                            "rds:StopDBInstance"
                        ],
                        "Resource": "*",
                        "Effect": "Allow"
                    }, {
                        "Sid": "ParkMyCloudStartInstanceWithEncryptedBoot",
                        "Effect": "Allow",
                        "Action": "kms:CreateGrant",
                        "Resource": "*"
                    }, {
                        "Sid": "ParkMyCloudLogsAccess",
                        "Effect": "Allow",
                        "Action": [
                            "logs:DescribeLogGroups",
                            "logs:DescribeLogStreams",
                            "logs:GetLogEvents",
                            "logs:TestMetricFilter",
                            "logs:FilterLogEvents"
                        ],
                        "Resource": "arn:aws:logs:*:*:*"
                    }, {
                        "Sid": "ParkMyCloudCloudWatchAccess",
                        "Effect": "Allow",
                        "Action": [
                            "cloudwatch:GetMetricStatistics",
                            "cloudwatch:ListMetrics"
                        ],
                        "Resource": "*",
                        "Condition": {
                            "Bool": {
                                "aws:SecureTransport": "true"
                            }
                        }
                    }
                ]
            }
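            To see exactly which resources the tagging policy above would let ParkMyCloud park, and which actions the tag does not gate, here is an added example checker (not ParkMyCloud's code, and not a substitute for the AWS IAM policy simulator). It re-implements only the slice of IAM evaluation this policy needs: Allow statements, wildcard action matching, and StringEquals on ec2:ResourceTag/<key>. The instance tag sets are constructed sample data, and the policy dictionary is the tagging policy above transcribed into Python.

```python
"""Offline check of the ParkMyCloud tagging policy (added example, not ParkMyCloud code).

Covers only what the policy above uses: Allow statements, Action matching with
'*' wildcards (case-insensitive, as IAM does it), and StringEquals on
ec2:ResourceTag/<key>. Resource ARNs are not checked, since every statement
above uses '*' or a service-wide wildcard. Sample tags below are constructed.
"""
import fnmatch
from typing import Optional

TAGGING_POLICY = {  # the "ParkMyCloud IAM Policy with Tagging" from the article
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ParkMyCloudTaggedOnly", "Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances"],
         "Resource": "*",
         "Condition": {"StringEquals": {"ec2:ResourceTag/parkmycloud": "yes"}}},
        {"Sid": "ParkMyCloudManagement", "Effect": "Allow",
         "Action": ["autoscaling:Describe*", "autoscaling:UpdateAutoScalingGroup",
                    "autoscaling:SuspendProcesses", "autoscaling:ResumeProcesses",
                    "ec2:Describe*", "iam:GetUser", "rds:DescribeDBInstances",
                    "rds:ListTagsForResource", "rds:StartDBInstance", "rds:StopDBInstance"],
         "Resource": "*"},
        {"Sid": "ParkMyCloudStartInstanceWithEncryptedBoot", "Effect": "Allow",
         "Action": "kms:CreateGrant", "Resource": "*"},
        {"Sid": "ParkMyCloudLogsAccess", "Effect": "Allow",
         "Action": ["logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:GetLogEvents",
                    "logs:TestMetricFilter", "logs:FilterLogEvents"],
         "Resource": "arn:aws:logs:*:*:*"},
        {"Sid": "ParkMyCloudCloudWatchAccess", "Effect": "Allow",
         "Action": ["cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics"],
         "Resource": "*",
         "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
    ],
}

# Constructed sample instances: instance id -> EC2 tags. A real check would
# take these from ec2:DescribeInstances output.
SAMPLE_INSTANCES = {
    "i-0aaa": {"parkmycloud": "yes", "Name": "dev-web"},
    "i-0bbb": {"parkmycloud": "Yes"},   # wrong case: StringEquals is case-sensitive
    "i-0ccc": {"Name": "prod-db"},       # no parkmycloud tag at all
}


def _action_matches(pattern: str, action: str) -> bool:
    """IAM action names are case-insensitive; '*' and '?' are the wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _string_equals_holds(cond: dict, tags: dict) -> bool:
    """Evaluate a StringEquals block whose keys are ec2:ResourceTag/<tag-key>.

    Tag keys are compared exactly and values case-sensitively (the strictest
    reading). Any other condition key raises, so this checker never silently
    approves a condition it does not understand.
    """
    for cond_key, wanted in cond.items():
        if not cond_key.lower().startswith("ec2:resourcetag/"):
            raise ValueError(f"unsupported StringEquals key {cond_key}")
        tag_key = cond_key.split("/", 1)[1]
        wanted_values = [wanted] if isinstance(wanted, str) else list(wanted)
        if tags.get(tag_key) not in wanted_values:
            return False
    return True


def allowing_statement(policy: dict, action: str, tags: Optional[dict] = None) -> Optional[str]:
    """Return the Sid of the first Allow statement granting `action`, or None.

    The policy has no Deny statements, so the first matching Allow decides.
    Condition types other than StringEquals (the aws:SecureTransport Bool on
    the CloudWatch section) are treated as satisfied in this offline check.
    """
    tags = tags or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        patterns = [actions] if isinstance(actions, str) else actions
        if not any(_action_matches(p, action) for p in patterns):
            continue
        string_equals = stmt.get("Condition", {}).get("StringEquals", {})
        if _string_equals_holds(string_equals, tags):
            return stmt.get("Sid")
    return None


def is_allowed(policy: dict, action: str, tags: Optional[dict] = None) -> bool:
    return allowing_statement(policy, action, tags) is not None


def park_decisions(policy: dict, instances: dict) -> dict:
    """Map each instance id to whether the policy lets it be stopped (parked)."""
    return {iid: is_allowed(policy, "ec2:StopInstances", t) for iid, t in instances.items()}


if __name__ == "__main__":
    for iid, ok in park_decisions(TAGGING_POLICY, SAMPLE_INSTANCES).items():
        print(f"{iid}: ec2:StopInstances {'allowed' if ok else 'DENIED'}")
    # The tag gate covers EC2 only; RDS and Auto Scaling changes need no tag.
    for act in ("rds:StopDBInstance", "autoscaling:UpdateAutoScalingGroup", "ec2:TerminateInstances"):
        print(f"{act} on an untagged resource: {allowing_statement(TAGGING_POLICY, act)}")
```

            Running it shows only i-0aaa parkable, while rds:StopDBInstance and autoscaling:UpdateAutoScalingGroup are granted by ParkMyCloudManagement with no tag at all, which is the caveat stated above. For the real decision, feed the same policy and context keys to the AWS IAM policy simulator rather than trusting a local model.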


            Notes regarding the ParkMyCloud AWS IAM Role Policies

            The IAM Role policies above are broken into a number of sections, each headed by a statement identifier (Sid).  The Sid is a label only and has no effect on how the policy is evaluated.  Each section serves a specific purpose, enabling different ParkMyCloud features.   The purpose of each section is detailed below.
            • ParkMyCloudManagement: This section contains the basic permissions that allow the ParkMyCloud server to get a list of your EC2 instances, auto-scale groups, RDS databases, etc., and then start and stop them based on your schedules or command.
            • ParkMyCloudStartInstanceWithEncryptedBoot: This section is used in conjunction with the previous section to allow starting EC2 instances whose boot volumes are encrypted. This section can be removed if you do not have encrypted boot volumes. As written it grants kms:CreateGrant on every key ("Resource": "*"); if you keep it, consider narrowing the Resource to the ARN(s) of the keys that encrypt your boot volumes. Some customers have reported this permission is also needed in certain other circumstances where ParkMyCloud is able to STOP an instance on a schedule but is unable to START it.
            • ParkMyCloudLogsAccess: Allows ParkMyCloud to gather instance launch/start/stop/terminate and other such instance lifespan logs. Used to generate reports, calculate estimated costs and savings, and gather metrics needed to create recommendations for rightsizing and parking schedules.
            • ParkMyCloudCloudWatchAccess: Allows access to resource performance metrics needed to create recommendations for rightsizing and parking schedules.

            Updated: 20 Nov 2017 12:34 PM