(AWS) Service Account Policy Management
Details of API Security policy to use SpaceONE plugin
Service Account Policy
Before create Service Account, User can modify your existing API policy.
This will guarantee isolation your resource from other non power-scheduled items. Also prevent malfunction from mis configuration of power scheduling.
To Create API for each use case. follow directions below.
In case of internal regulations, create a policy below then attach when creating API user.
General Collector
Collector do not need to have authority other than read permission. So we strongly recommend to restrict its permission to read only access.
Otherwise, User can add more restrictions like regional and resource base. One of the useful example is to restrict its rights within region.
In order to experience powerful function of SpaceONE collectors. Use the managed ReadOnly policy is preferred.
Step 1. Log in AWS Console > IAM
Go to IAM > Users > Add user
Step 2. Set User Details
Enter User name, Set access type to Programmatic access
Step 3. Set API Permission
Set Permission to ReadOnlyAccess(Managed Policy)
Click Attach existing policies directly . Enter readonly keyword in policy search bar.
Select ReadOnlyAccess managed policy as below.
Step 4. Add tags
You can skip this process and move to next.
SpaceONE collector does not related to tags in IAM.
Step 5. Review
Check the details you added. Then click Create users right down of page
Step 6. Copy Key Pair
IAM key pair created, Be sure to copy the Access key ID/Secret access key and keep it safely.
If you skip to copy, there is no chance to have it again(Do from step 1 again).
PowerScheduler
Suggested IAM policy for each cloud provider to use SpaceONE Power Scheduler service are below.
Step 1. Create Policy
Go to IAM > Policies > Create policy
Step 2. Attach Policy Definitions
Move to JSON tab, attach policy definition below. Then click Review policy
Step 3. Review Policy
Enter policy name and description, Then click Create policy
Step 4. Log in AWS Console > IAM
Go to IAM > Users > Add user
Step 5. Set User Detail
Enter User name, Set access type to Programmatic access
Step 6. Set API Permission
Add all policies below. They should included to guarantee successful action.
AmazonDynamoDBReadOnlyAccess
AmazonEC2ReadOnlyAccess
AmazonRDSReadOnlyAccess
AutoScalingReadOnlyAccess
Policy created in step 3
Step 7. Review
Make sure all the permission from Step 4. included, Then click Create user
Step 8. Copy Key Pair
IAM key pair created, Be sure to copy the Access key ID/Secret access key and keep it safely.
If you skip to copy, there is no chance to have it again(Do from step 1 again).
AWS Personal Health Dashboard/Trusted Advisor
To use aws advanced collector like AWS Personal Health Dashboard/Trusted Advisor
User account support level should be over business and additional IAM policy need to be attached.
Step 1. Create Policy
Go to IAM > Policies > Create policy
Step 2. Attach Policy Definitions
Move to JSON tab, attach policy definition below. Then click Review policy
Step 3. Review Policy
Enter name and description. Then click Create policy.
Step 4. Log in AWS Console > IAM
Go to IAM > Users > Add user
Step 5. Set User Detail
Enter User name, Set access type to Programmatic access
Step 6. Set API Permission
Add all policies below. They should included to guarantee successful action.
Step 7. Review
Make sure all the permission from Step 4. included, Then click Create user
Step 8. Copy Key Pair
IAM key pair created, Be sure to copy the Access key ID/Secret access key and keep it safely.
If you skip to copy, there is no chance to have it again(Do from step 1 again).
Overall IAM Policy Superset
If user can use managed policy, Refer to policy below.
Region Code in Resource parameter need to be changed. AWS Region Code or * character is available.
Last updated
