To create the AWS policy for the platform, first sign in to the AWS Console through the link, create a new policy by clicking "Create policy", and copy and paste the code below.
Policy Content
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowRunInstances",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:*::image/*",
                "arn:aws:ec2:*::snapshot/*",
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:key-pair/*"
            ]
        },
        {
            "Sid": "AllowEc2WithRestrictions",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVolume",
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/Owner": "1p-agent"
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": [
                        "Owner",
                        "Name",
                        "Environment"
                    ]
                }
            }
        },
        {
            "Sid": "AllowFunctionsWithRestrictions",
            "Effect": "Allow",
            "Action": [
                "ec2:TerminateInstances",
                "ec2:StopInstances",
                "ec2:RebootInstances",
                "ec2:StartInstances",
                "ec2:DeleteSecurityGroup",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
                "ec2:UpdateSecurityGroupRuleDescriptionsEgress"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*:*:security-group/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/Owner": "1p-agent"
                }
            }
        },
        {
            "Sid": "AllowFunctions1p",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags",
                "ec2:CreateSecurityGroup",
                "ec2:Describe*",
                "rds:Describe*",
                "elasticache:Describe*",
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricStatistics"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Manage1pAccessKeys",
            "Effect": "Allow",
            "Action": [
                "iam:get*"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "SsmAllRegionsToAMis",
            "Effect": "Allow",
            "Action": "ssm:*",
            "Resource": [
                "arn:aws:s3:::*",
                "arn:aws:ssm:*:*:opsmetadata/*",
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ssm:*:*:parameter/*"
            ]
        }
    ]
}
After creating the policy, go to the IAM service in the AWS Console and create a user named 1p-agent. Click "Policy actions", then "Attach", and attach the policy to the 1p-agent user.
This policy allows:
- EC2: provision, control and manage instances carrying the "1P" tag, which the statements above enforce as Owner=1p-agent. RunInstances and CreateVolume are allowed only when the request sets Owner=1p-agent and uses no tag keys other than Owner, Name and Environment; start/stop/reboot/terminate and security-group rule changes are allowed only on resources that already carry Owner=1p-agent. Note that ec2:CreateTags is granted on Resource "*" with no condition, so the same principal could tag an existing instance or security group with Owner=1p-agent and bring it into scope of those statements; if tagging should be limited to resources the agent creates, add a condition on ec2:CreateTags (for example ec2:CreateAction). Our agent does not use a key pair.
- RDS, ElastiCache, EC2, IAM, CloudWatch and S3: list and get (read-only) request types.
- EKS full access (optional; not included in the policy above).
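To see how the two tag-scoped statements decide a request, here is an added example in Python that is not part of the original page or of the 1P agent: a miniature evaluator for the condition operators the policy relies on (StringEquals on aws:RequestTag/Owner and ec2:ResourceTag/Owner, ForAllValues:StringEquals on aws:TagKeys) with wildcard Action/Resource matching. The embedded policy fragment is copied from the statements above; the instance ARN and the request contexts are constructed for the checks and are not real resources.

```python
# Added example (not from the original page or the 1P agent): a mini evaluator
# for the tag conditions in the policy above. It models only StringEquals on
# aws:RequestTag/<key> and ec2:ResourceTag/<key>, ForAllValues:StringEquals on
# aws:TagKeys, and wildcard Action/Resource matching; real IAM evaluation has
# more rules (explicit Deny, NotAction, policy variables, SCPs, ...).
import fnmatch
import json

# Constructed input: the two tag-scoped statements copied from the policy above.
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "AllowEc2WithRestrictions", "Effect": "Allow",
   "Action": ["ec2:CreateVolume", "ec2:RunInstances"],
   "Resource": ["arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:instance/*"],
   "Condition": {
     "StringEquals": {"aws:RequestTag/Owner": "1p-agent"},
     "ForAllValues:StringEquals": {"aws:TagKeys": ["Owner", "Name", "Environment"]}}},
  {"Sid": "AllowFunctionsWithRestrictions", "Effect": "Allow",
   "Action": ["ec2:TerminateInstances", "ec2:StopInstances"],
   "Resource": ["arn:aws:ec2:*:*:instance/*"],
   "Condition": {"StringEquals": {"ec2:ResourceTag/Owner": "1p-agent"}}}
]}
""")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_matches(cond, ctx):
    """ctx maps IAM condition keys to the request's values, e.g.
    {"aws:RequestTag/Owner": "1p-agent", "aws:TagKeys": ["Owner", "Name"]}."""
    for operator, pairs in cond.items():
        for key, expected in pairs.items():
            expected = _as_list(expected)
            actual = ctx.get(key)
            if operator == "StringEquals":
                # Single-valued key: an absent key never satisfies StringEquals,
                # so an untagged request (or resource) is denied, not allowed.
                if actual is None or actual not in expected:
                    return False
            elif operator == "ForAllValues:StringEquals":
                # Multi-valued key: every value in the request must be in the
                # allowed set. An empty set matches vacuously, which is why the
                # Owner key is additionally pinned with StringEquals above.
                if any(v not in expected for v in _as_list(actual or [])):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def is_allowed(policy, action, resource, ctx):
    """True if any Allow statement matches the action, resource and context."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        # Action names are case-insensitive in IAM; ARNs are not.
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r)
                   for r in _as_list(st["Resource"])):
            continue
        if _condition_matches(st.get("Condition", {}), ctx):
            return True
    return False


# Hypothetical instance ARN used only for the checks below.
INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"


def agent_launch():
    # RunInstances tagged exactly as the agent does -> allowed
    return is_allowed(POLICY, "ec2:RunInstances", INSTANCE,
                      {"aws:RequestTag/Owner": "1p-agent",
                       "aws:TagKeys": ["Owner", "Name", "Environment"]})


def launch_with_extra_tag_key():
    # Same request plus a "Team" tag key -> ForAllValues fails, denied
    return is_allowed(POLICY, "ec2:RunInstances", INSTANCE,
                      {"aws:RequestTag/Owner": "1p-agent",
                       "aws:TagKeys": ["Owner", "Team"]})


def launch_without_owner_tag():
    # Only a Name tag, no Owner -> StringEquals fails, denied
    return is_allowed(POLICY, "ec2:RunInstances", INSTANCE,
                      {"aws:TagKeys": ["Name"]})


def terminate_foreign_instance():
    # Instance tagged Owner=someone-else -> denied
    return is_allowed(POLICY, "ec2:TerminateInstances", INSTANCE,
                      {"ec2:ResourceTag/Owner": "someone-else"})


def terminate_own_instance():
    # Instance the agent launched (Owner=1p-agent) -> allowed
    return is_allowed(POLICY, "ec2:TerminateInstances", INSTANCE,
                      {"ec2:ResourceTag/Owner": "1p-agent"})
```

The five check functions encode the behaviour a practitioner should expect from this policy: a launch is accepted only when Owner=1p-agent is set and every tag key is one of Owner, Name or Environment, and lifecycle actions succeed only against resources that already carry Owner=1p-agent. For the real account, the equivalent confirmation is `aws iam simulate-principal-policy` against the 1p-agent user with the same actions, resource ARNs and context keys.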
