AWS Account - IAM Roles and Access Policies
The Amazon IAM service (see http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/UsingIAM.html) enables the creation and enforcement of access privilege policies. For the Velostrata deployment we leverage IAM Groups and Instance Roles. As a minimal setup we recommend the following configuration:
- Create an IAM Group (for example, VelosMgrGroup) for use by the Velostrata service user account. This group will enforce an access policy with the minimum privileges required by the Velostrata Manager VM on-prem, to allow provisioning and monitoring of both the Velostrata cloud-side components and the Velostrata Run-in-Cloud workload VMs. The Velostrata service account will be used by the Velostrata Manager VM on-prem.
- Create an IAM Role (for example, VelosEdgeRole) for use by Velostrata Cloud Edge instances. This role provides the minimum privileges required to access AWS services such as S3, without managing persistent credentials per instance.
- Create Access Policies associated with VelosMgrGroup and VelosEdgeRole with applicable minimum privileges required for the Velostrata service user and for Velostrata Cloud Edge instances.
Note: For more information on creating the AWS service user, see Creating the AWS Service User for Velostrata.
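The three steps above (group, instance role, scoped policies) as an added example script; this is not Velostrata's own tooling or documentation. It uses the group and role names the page gives as examples, standard AWS CLI `aws iam` commands, and the standard EC2 trust policy. Everything else is an assumption: the S3 bucket name `velostrata-bucket-PLACEHOLDER`, and the permission statements, which are placeholders showing the shape of a scoped policy and must be replaced with the actions the Velostrata documentation actually requires. The script lints the policy documents for whole-service wildcard actions before creating anything, and only touches the account when run with `apply`.

```shell
#!/bin/sh
# Added example, not part of the Velostrata product or its documentation.
# Names VelosMgrGroup / VelosEdgeRole come from the page; the bucket name and
# the Action lists are PLACEHOLDERS to be replaced with the real requirements.
set -eu

GROUP_NAME="${VELOS_GROUP_NAME:-VelosMgrGroup}"
ROLE_NAME="${VELOS_ROLE_NAME:-VelosEdgeRole}"
BUCKET="${VELOS_BUCKET:-velostrata-bucket-PLACEHOLDER}"   # assumed single bucket

# Trust policy for the instance role: only the EC2 service may assume it. This
# is what lets a Cloud Edge instance get short-lived credentials through its
# instance profile instead of carrying long-lived access keys.
velos_edge_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Permissions for the Cloud Edge role. Placeholder S3 actions scoped to one
# bucket; swap in the actions the Velostrata documentation lists.
velos_edge_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "PlaceholderListBucket", "Effect": "Allow",
      "Action": [ "s3:ListBucket" ],
      "Resource": "arn:aws:s3:::${BUCKET}" },
    { "Sid": "PlaceholderObjects", "Effect": "Allow",
      "Action": [ "s3:GetObject", "s3:PutObject" ],
      "Resource": "arn:aws:s3:::${BUCKET}/*" }
  ]
}
EOF
}

# Permissions for the service-user group. Placeholder read-only EC2 actions
# (Describe* calls do not support resource-level restriction, hence "*").
velos_mgr_group_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "PlaceholderDescribe", "Effect": "Allow",
      "Action": [ "ec2:DescribeInstances", "ec2:DescribeVolumes" ],
      "Resource": "*" }
  ]
}
EOF
}

# Least-privilege guard: fail if any Action is "*" or "<service>:*".
# Reads the policy document on stdin; whitespace is stripped so multi-line
# Action arrays are still inspected as one token list.
check_no_wildcard_actions() {
  ! tr -d '[:space:]' \
    | grep -Eo '"Action":(\[[^]]*\]|"[^"]*")' \
    | grep -Eq '"([a-z0-9-]+:)?\*"'
}

# Creates the resources. Requires the AWS CLI and IAM-administrative credentials.
apply_velostrata_iam() {
  workdir="$(mktemp -d)"
  velos_edge_trust_policy > "$workdir/trust.json"
  velos_edge_policy       > "$workdir/edge-policy.json"
  velos_mgr_group_policy  > "$workdir/mgr-policy.json"

  aws iam create-group --group-name "$GROUP_NAME"
  aws iam put-group-policy --group-name "$GROUP_NAME" \
      --policy-name "${GROUP_NAME}Policy" \
      --policy-document "file://$workdir/mgr-policy.json"

  aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document "file://$workdir/trust.json"
  aws iam put-role-policy --role-name "$ROLE_NAME" \
      --policy-name "${ROLE_NAME}Policy" \
      --policy-document "file://$workdir/edge-policy.json"

  # The instance profile is the container EC2 attaches to an instance at launch.
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME"
  aws iam add-role-to-instance-profile --instance-profile-name "$ROLE_NAME" \
      --role-name "$ROLE_NAME"
  rm -rf "$workdir"
}

# Lint first; only create resources when explicitly asked.
for doc in velos_edge_policy velos_mgr_group_policy; do
  "$doc" | check_no_wildcard_actions || { echo "wildcard action in $doc" >&2; exit 1; }
done
if [ "${1:-}" = "apply" ]; then apply_velostrata_iam; fi
```

Run without arguments to lint the documents; run with `apply` under credentials that may manage IAM to create the group, role and instance profile. Add the service user to the group afterwards (`aws iam add-user-to-group`) once it exists, per the note above.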