Setting Amazon AWS Cloudbursting policies
Policies in AWS are implemented from the AWS console for the region. For EU-West-1 the URL to manage policies is currently:
https://console.aws.amazon.com/iam/home?region=eu-west-1#policies1
An option to "create a new policy" can be selected there.
The following restrictive policy allows a more fine-grained access to AWS resources for the cloudbursting feature of Bright Cluster Manager:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iam:Get*", "iam:List*", "iam:PassRole" ], "Resource": "*" }, { "Sid": "EC2LessDangerousPermissions", "Effect": "Allow", "Action": [ "ec2:CancelSpotInstanceRequests", "ec2:DescribeAccountAttributes", "ec2:DescribeAddresses", "ec2:DescribeAvailabilityZones", "ec2:DescribeImages", "ec2:DescribeInstanceStatus", "ec2:DescribeInstances", "ec2:DescribeKeyPairs", "ec2:DescribePlacementGroups", "ec2:DescribeSecurityGroups", "ec2:DescribeSnapshots", "ec2:DescribeSpotInstanceRequests", "ec2:DescribeSpotPriceHistory", "ec2:DescribeTags", "ec2:DescribeVolumeStatus", "ec2:DescribeVolumes", "ec2:CreateSnapshot", "ec2:CreateTags", "ec2:DescribeClassicLinkInstances", "ec2:DescribeInstanceAttribute", "ec2:RegisterImage", "ec2:DescribeRegions", "ec2:DescribeVpcs", "ec2:RequestSpotInstances", "ec2:CreatePlacementGroup", "ec2:DescribeInternetGateways", "ec2:DescribeRouteTables", "ec2:DescribeSubnets", "ec2:ModifyInstanceAttribute" ], "Resource": [ "*" ] }, { "Sid": "EC2MoreDangerousPermissions", "Effect": "Allow", "Action": [ "ec2:GetConsoleOutput", "ec2:AllocateAddress", "ec2:AssociateAddress", "ec2:DisassociateAddress", "ec2:ReleaseAddress" ], "Resource": [ "*" ] }, { "Sid": "AllowInstanceActions", "Effect": "Allow", "Action": [ "ec2:StartInstances", "ec2:RebootInstances", "ec2:StopInstances", "ec2:TerminateInstances" ], "Resource": [ "*" ] }, { "Sid": "EC2RunInstances", "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Resource": [ "arn:aws:ec2:*:*:instance/*" ] }, { "Sid": "RemainingRunInstancePermissions", "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Resource": [ "arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*::image/ami-*", "arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*:*:key-pair/*", "arn:aws:ec2:*:*:security-group/*" ] }, { "Sid": "S3Permissions1", "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:ListAllMyBuckets" ], "Resource": "arn:aws:s3:::*" }, { "Sid": "S3Permissions2", "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:DeleteBucket", "s3:GetObject", "s3:ListBucket", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::*" ] }, { "Sid": "EBS", "Effect": "Allow", "Action": [ "ec2:AttachVolume", "ec2:CreateVolume", "ec2:DeleteVolume", "ec2:DetachVolume" ], "Resource": [ "*" ] } ]}