AWS IAM Roles and Access
AWS Account - IAM Roles and Access Policies
The Amazon IAM service (see http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/UsingIAM.html) enables the creation and enforcement of access privilege policies. For the Velostrata deployment we leverage IAM Groups and Instance Roles. As a minimal setup we recommend the following configuration:
- Create an IAM Group (for example, VelosMgrGroup) for the Velostrata service user account, which the on-prem Velostrata Manager VM uses. This group enforces an access policy with the minimum privileges the Manager needs to provision and monitor both the Velostrata cloud-side components and the Velostrata Run-in-Cloud workload VMs.
- Create an IAM Role (for example, VelosEdgeRole) for use by Velostrata Cloud Edge instances. This role grants the minimum privileges needed to reach AWS services such as S3, without persistent credentials having to be managed on each instance.
- Create access policies for VelosMgrGroup and VelosEdgeRole that grant only the minimum privileges required by the Velostrata service user and by the Velostrata Cloud Edge instances, respectively.
Note: scripts that automate some of these procedures are provided at the bottom of this article, in the 'Reference Templates' section.
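As an added illustration of the group-plus-instance-role split described above (not one of Velostrata's reference templates): a CloudFormation fragment that creates VelosMgrGroup, VelosEdgeRole with a trust policy limited to the EC2 service, and the instance profile that binds the role to Cloud Edge instances. The StagingBucket parameter and the action lists are assumptions; the actual minimum privileges come from the reference templates.

```yaml
# Added illustration, not Velostrata's reference template: the two IAM resources above as a CloudFormation fragment.
# Action lists are placeholders; take the real minimum set from the Reference Templates.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  StagingBucket:        # assumed name of the S3 bucket the Cloud Edge instances use
    Type: String
Resources:
  VelosMgrGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: VelosMgrGroup
      Policies:
        - PolicyName: VelosMgrMinimal
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow        # placeholder: read-only visibility of cloud-side instances
                Action:
                  - ec2:DescribeInstances
                  - ec2:DescribeInstanceStatus
                Resource: '*'        # EC2 Describe* calls do not support resource-level scoping
  VelosEdgeRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: VelosEdgeRole
      AssumeRolePolicyDocument:      # trust policy: only the EC2 service may assume this role
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: VelosEdgeS3Minimal
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: s3:ListBucket
                Resource: !Sub arn:aws:s3:::${StagingBucket}
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:PutObject
                Resource: !Sub arn:aws:s3:::${StagingBucket}/*
  VelosEdgeInstanceProfile:          # binds the role to instances, so no static keys live on the VM
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref VelosEdgeRole
```

The IAM user created in the procedure that follows is added to VelosMgrGroup, while Cloud Edge instances are launched with VelosEdgeInstanceProfile rather than with downloaded keys.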
To create the AWS service group and users for Velostrata:
- In the AWS console, click on your account name in the top right corner of the page, and then select Security Credentials.
- On the left pane, select Users and then click Create New Users.
- For Access type, select Programmatic access. Download the user credentials (keys); they are required when creating the Velostrata Cloud Extension.
- Assign the IAM user you have created to the group called VelosMgrGroup, which was created by the CloudFormation script.
For an easier deployment and efficient auditing, Velostrata provides reference CloudFormation templates that create the VPC, subnets, routing tables and security groups, and that define the required policies and IAM resources in a VPC of your choice. You can download the following templates and use them directly with the AWS console > CloudFormation service > Create Stack wizard.
Note: With the templates below, no VPN is configured. Google Cloud Platform offers several options for network connectivity depending on user requirements, including Cloud IPSec VPN, Cloud Dedicated Interconnect, and Carrier Peering. For more information on choosing and configuring these options, see the Google Cloud Interconnect documentation.