
How do I set Amazon AWS cloudbursting policies for Bright?


Setting Amazon AWS Cloudbursting policies



Policies in AWS are created and managed from the IAM page of the AWS console for the region. For EU-West-1, the URL to manage policies is currently:

 
https://console.aws.amazon.com/iam/home?region=eu-west-1#policies

 
An option to "create a new policy" can be selected there.


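The following restrictive policy allows more fine-grained access to AWS resources for the cloudbursting feature of Bright Cluster Manager. Note that most of its statements still apply to every resource in the account: iam:PassRole, the instance start/reboot/stop/terminate actions and the EBS volume actions all use "Resource": "*", and the S3 statements cover all buckets (arn:aws:s3:::*). Where the deployment allows it, narrow these "Resource" entries to the specific role, bucket and instance ARNs that the cluster uses (for example, restrict iam:PassRole to the cluster's role ARN and add an iam:PassedToService condition), so that the credentials cannot act on unrelated resources in the same account.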

 

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Effect": "Allow",
           "Action": [
               "iam:Get*",
               "iam:List*",
               "iam:PassRole"
           ],
           "Resource": "*"
       },
       {
           "Sid": "EC2LessDangerousPermissions",
           "Effect": "Allow",
           "Action": [
               "ec2:CancelSpotInstanceRequests",
               "ec2:DescribeAccountAttributes",
               "ec2:DescribeAddresses",
               "ec2:DescribeAvailabilityZones",
               "ec2:DescribeImages",
               "ec2:DescribeInstanceStatus",
               "ec2:DescribeInstances",
               "ec2:DescribeKeyPairs",
               "ec2:DescribePlacementGroups",
               "ec2:DescribeSecurityGroups",
               "ec2:DescribeSnapshots",
               "ec2:DescribeSpotInstanceRequests",
               "ec2:DescribeSpotPriceHistory",
               "ec2:DescribeTags",
               "ec2:DescribeVolumeStatus",
               "ec2:DescribeVolumes",
               "ec2:CreateSnapshot",
               "ec2:CreateTags",
               "ec2:DescribeClassicLinkInstances",
               "ec2:DescribeInstanceAttribute",
               "ec2:RegisterImage",
               "ec2:DescribeRegions",
               "ec2:DescribeVpcs",
               "ec2:RequestSpotInstances",
               "ec2:CreatePlacementGroup",
               "ec2:DescribeInternetGateways",
               "ec2:DescribeRouteTables",
               "ec2:DescribeSubnets",
               "ec2:ModifyInstanceAttribute"
           ],
           "Resource": [
               "*"
           ]
       },
       {
           "Sid": "EC2MoreDangerousPermissions",
           "Effect": "Allow",
           "Action": [
               "ec2:GetConsoleOutput",
               "ec2:AllocateAddress",
               "ec2:AssociateAddress",
               "ec2:DisassociateAddress",
               "ec2:ReleaseAddress"
           ],
           "Resource": [
               "*"
           ]
       },
       {
           "Sid": "AllowInstanceActions",
           "Effect": "Allow",
           "Action": [
               "ec2:StartInstances",
               "ec2:RebootInstances",
               "ec2:StopInstances",
               "ec2:TerminateInstances"
           ],
           "Resource": [
               "*"
           ]
       },
       {
           "Sid": "EC2RunInstances",
           "Effect": "Allow",
           "Action": [
               "ec2:RunInstances"
           ],
           "Resource": [
               "arn:aws:ec2:*:*:instance/*"
           ]
       },
       {
           "Sid": "RemainingRunInstancePermissions",
           "Effect": "Allow",
           "Action": [
               "ec2:RunInstances"
           ],
           "Resource": [
               "arn:aws:ec2:*:*:volume/*",
               "arn:aws:ec2:*::image/ami-*",
               "arn:aws:ec2:*:*:subnet/*",
               "arn:aws:ec2:*:*:network-interface/*",
               "arn:aws:ec2:*:*:key-pair/*",
               "arn:aws:ec2:*:*:security-group/*"
           ]
       },
       {
           "Sid": "S3Permissions1",
           "Effect": "Allow",
           "Action": [
               "s3:GetBucketLocation",
               "s3:ListAllMyBuckets"
           ],
           "Resource": "arn:aws:s3:::*"
       },
       {
           "Sid": "S3Permissions2",
           "Effect": "Allow",
           "Action": [
               "s3:CreateBucket",
               "s3:DeleteBucket",
               "s3:GetObject",
               "s3:ListBucket",
               "s3:PutObject"
           ],
           "Resource": [
               "arn:aws:s3:::*"
           ]
       },
       {
           "Sid": "EBS",
           "Effect": "Allow",
           "Action": [
               "ec2:AttachVolume",
               "ec2:CreateVolume",
               "ec2:DeleteVolume",
               "ec2:DetachVolume"
           ],
           "Resource": [
               "*"
           ]
       }
   ]
}