Set up AWS Identity and Access Management (IAM) users

If you use IAM to manage users in AWS, you must create an IAM user that is dedicated to the instance. Its credentials are used only by the instance, never by a person, so the user can be scoped to exactly what the instance needs.

Before you begin

Familiarize yourself with the AWS documentation on IAM. You must know how to create an IAM user and set up a user policy.

Procedure

  1. Log in to the AWS Management Console and create a new user in IAM.
    Generate an access key for the user. You need this key when you configure AWS credentials in the instance.
  2. Save the Access Key ID and Secret Access Key.
    The Secret Access Key is shown only once. If you lose it, you cannot retrieve it; you must create a new access key for the user.
  3. Open the user record in the instance for the appropriate user.
  4. Define a user policy in AWS using either of the following methods:
    • Grant administrator access to the instance, which is essentially the same access the instance would have if you were not using IAM and simply used the Access Key ID and Secret Access Key of your AWS account. Attach the AdministratorAccess managed policy to the user. This policy grants full access to every service in the account, so prefer the custom policy unless you need that breadth.
      Note: If the user only needs to support Discovery rather than the provisioning of cloud resources, attach the ReadOnlyAccess managed policy instead.
    • Create a custom policy with a descriptive name and the following policy document in the Policy Document field of the user policy. This policy grants all actions on the listed services and only the server-certificate actions in IAM:
      {
          "Version": "2012-10-17",
          "Statement": [{
              "Action": "cloudfront:*",
              "Effect": "Allow",
              "Resource": "*"
          }, {
              "Action": "s3:*",
              "Effect": "Allow",
              "Resource": "arn:aws:s3:::*"
          }, {
              "Action": "elasticloadbalancing:*",
              "Effect": "Allow",
              "Resource": "*"
          }, {
              "Action": "sqs:*",
              "Effect": "Allow",
              "Resource": "arn:aws:sqs:*"
          }, {
              "Action": "rds:*",
              "Effect": "Allow",
              "Resource": "*"
          }, {
              "Action": "sns:*",
              "Effect": "Allow",
              "Resource": "arn:aws:sns:*"
          }, {
              "Action": "ec2:*",
              "Effect": "Allow",
              "Resource": "*"
          }, {
              "Action": "cloudformation:*",
              "Effect": "Allow",
              "Resource": "*"
          }, {
              "Action": "directconnect:*",
              "Effect": "Allow",
              "Resource": "*"
          }, {
              "Action": "route53:*",
              "Effect": "Allow",
              "Resource": "arn:aws:route53:::*"
          }, {
              "Action": [
                  "iam:DeleteServerCertificate",
                  "iam:GetServerCertificate",
                  "iam:ListServerCertificates",
                  "iam:UpdateServerCertificate",
                  "iam:UploadServerCertificate"
              ],
              "Effect": "Allow",
              "Resource": "arn:aws:iam::*:server-certificate/*"
          }]
      }

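The procedure above, as an added example that is not part of the original page: the custom policy document expressed as Python data, a structural check to run before attaching it, a listing of the services that receive every action (the places to tighten if the instance does not need them), and the AWS CLI equivalent of the console steps. The user name, policy name, output file name and the 2,048-character quota for inline user policies are assumptions.

```python
"""Added example, not code from the original page. Names, file paths and
the inline-policy quota below are assumptions."""
import json
from typing import Any, Dict, List, Union

PolicyDoc = Dict[str, Any]

# The custom policy document from the procedure, as a Python structure.
PROVISIONING_POLICY: PolicyDoc = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": "cloudfront:*", "Effect": "Allow", "Resource": "*"},
        {"Action": "s3:*", "Effect": "Allow", "Resource": "arn:aws:s3:::*"},
        {"Action": "elasticloadbalancing:*", "Effect": "Allow", "Resource": "*"},
        {"Action": "sqs:*", "Effect": "Allow", "Resource": "arn:aws:sqs:*"},
        {"Action": "rds:*", "Effect": "Allow", "Resource": "*"},
        {"Action": "sns:*", "Effect": "Allow", "Resource": "arn:aws:sns:*"},
        {"Action": "ec2:*", "Effect": "Allow", "Resource": "*"},
        {"Action": "cloudformation:*", "Effect": "Allow", "Resource": "*"},
        {"Action": "directconnect:*", "Effect": "Allow", "Resource": "*"},
        {"Action": "route53:*", "Effect": "Allow", "Resource": "arn:aws:route53:::*"},
        {
            "Action": [
                "iam:DeleteServerCertificate",
                "iam:GetServerCertificate",
                "iam:ListServerCertificates",
                "iam:UpdateServerCertificate",
                "iam:UploadServerCertificate",
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:server-certificate/*",
        },
    ],
}

# Assumed quota: AWS documents 2,048 characters for all inline policies
# on one IAM user, measured with whitespace removed.
INLINE_USER_POLICY_MAX_CHARS = 2048


def _as_list(value: Union[str, List[str]]) -> List[str]:
    """IAM allows Action and Resource to be a string or a list; normalise."""
    return [value] if isinstance(value, str) else list(value)

def compact_size(doc: PolicyDoc) -> int:
    """Size of the document with whitespace stripped, as IAM measures it."""
    return len(json.dumps(doc, separators=(",", ":")))

def validate_policy(doc: PolicyDoc) -> List[str]:
    """Return problems found; an empty list means the document is
    structurally sound for 'aws iam put-user-policy'."""
    problems: List[str] = []
    if doc.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    statements = doc.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    for i, st in enumerate(statements):
        if st.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        for key in ("Action", "Resource"):
            if key not in st:
                problems.append(f"statement {i}: missing {key}")
            elif not all(isinstance(v, str) and v for v in _as_list(st[key])):
                problems.append(f"statement {i}: {key} entries must be non-empty strings")
        for action in _as_list(st.get("Action", [])):
            if isinstance(action, str) and action != "*" and ":" not in action:
                problems.append(f"statement {i}: action {action!r} lacks a service prefix")
    size = compact_size(doc)
    if size > INLINE_USER_POLICY_MAX_CHARS:
        problems.append(f"{size} chars exceeds the {INLINE_USER_POLICY_MAX_CHARS} inline user-policy quota")
    return problems

def full_access_services(doc: PolicyDoc) -> List[str]:
    """Services granted every action ('svc:*') by an Allow statement.
    Each entry is a place to tighten if the instance does not need it."""
    services = set()
    for st in doc.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            svc, _, verb = action.partition(":")
            if action == "*" or verb == "*":
                services.add(svc)
    return sorted(services)

def cli_commands(user_name: str, policy_name: str, policy_path: str) -> List[str]:
    """AWS CLI equivalent of the console steps (assumed names; not run here)."""
    return [
        f"aws iam create-user --user-name {user_name}",
        f"aws iam put-user-policy --user-name {user_name} "
        f"--policy-name {policy_name} --policy-document file://{policy_path}",
        f"aws iam create-access-key --user-name {user_name}",
    ]

if __name__ == "__main__":
    print("problems:", validate_policy(PROVISIONING_POLICY) or "none")
    print("full access to:", ", ".join(full_access_services(PROVISIONING_POLICY)))
    with open("provisioning-policy.json", "w") as fh:
        json.dump(PROVISIONING_POLICY, fh, indent=4)  # assumed output path
    print("\n".join(cli_commands("instance-provisioner", "InstanceProvisioning",
                                 "provisioning-policy.json")))
```

Run it once before touching the console or CLI: an empty problem list means the document is attachable, and the full-access list is the review checklist for dropping services the instance will never provision (for example directconnect or cloudfront). The same checks apply to any reduced policy you derive from this one.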
What to do next

Create a service account in the instance with the AWS account number, the Access Key ID, and the Secret Access Key of the user you created in AWS.