1. In the AWS Console, open IAM → Policies (this step originally linked directly to that page).
  2. Create a new policy (JSON editor) with the content below.
  3. Go to the IAM service in the AWS Console and create a user named 1p-agent. Programmatic access only is recommended — the agent does not need a console password.
  4. Attach the policy to the 1p-agent user (see screenshots below).


Policy Content


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowRunInstances",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:*::image/*",
                "arn:aws:ec2:*::snapshot/*",
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:key-pair/*"
            ]
        },
        {
            "Sid": "AllowEc2WithRestrictions",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVolume",
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/Owner": "1p-agent"
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": [
                        "Owner",
                        "Name",
                        "Environment"
                    ]
                }
            }
        },
        {
            "Sid": "AllowFunctionsWithRestrictions",
            "Effect": "Allow",
            "Action": [
                "ec2:TerminateInstances",
                "ec2:StopInstances",
                "ec2:RebootInstances",
                "ec2:StartInstances",
                "ec2:DeleteSecurityGroup",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
                "ec2:UpdateSecurityGroupRuleDescriptionsEgress"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*:*:security-group/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/Owner": "1p-agent"
                }
            }
        },
        {
            "Sid": "AllowFunctions1p",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags",
                "ec2:CreateSecurityGroup",
                "ec2:Describe*",
                "rds:Describe*",
                "elasticache:Describe*",
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricStatistics"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Manage1pAccessKeys",
            "Effect": "Allow",
            "Action": [
                "iam:get*"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "SsmAllRegionsToAMis",
            "Effect": "Allow",
            "Action": "ssm:*",
            "Resource": [
                "arn:aws:s3:::*",
                "arn:aws:ssm:*:*:opsmetadata/*",
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ssm:*:*:parameter/*"
            ]
        }
    ]
}




This policy allows:

  • EC2: launching instances (`ec2:RunInstances`, `ec2:CreateVolume`) only when the request tags the new instance/volume with `Owner=1p-agent` and uses no tag keys other than `Owner`, `Name` and `Environment`; stop/start/reboot/terminate, security-group deletion and security-group rule changes only on resources already tagged `Owner=1p-agent`. Note that the tag the conditions actually match is `Owner=1p-agent` (not a bare "1P"), so the agent must set exactly that key and value. Our agent does not use a key pair.
  • Read-only access (List/Get/Describe) to EC2, RDS, ElastiCache and CloudWatch metrics, plus `iam:Get*` on the 1p-agent user itself. Despite its Sid `Manage1pAccessKeys`, that statement is read-only: it does not allow creating, rotating or deleting access keys. No S3 actions are granted — the `arn:aws:s3:::*` entry in the last statement lists an S3 resource under `ssm:*`, where no SSM action can match it, so it is inert.
  • Systems Manager: `ssm:*` (all SSM actions) on every SSM parameter and OpsMetadata item and on every EC2 instance in every region. This is the broadest grant in the policy and is not tag-restricted: it permits reading and writing any SSM parameter (SecureString values too, where the KMS key policy lets this user decrypt them) and starting sessions or, subject to SSM document permissions, running commands on any SSM-managed instance — not only instances owned by the agent. Narrow it to the specific `ssm:` actions the agent needs and, where the action supports it, to a parameter path prefix or a tag condition.
  • EKS full access (optional) — not part of the policy above; add it as a separate statement only if the agent actually needs it.

Two things to review before using this in production:
  • `ec2:CreateTags` is granted on `Resource: "*"` with no condition, while the stop/terminate/security-group statement is gated only on `ec2:ResourceTag/Owner = 1p-agent`. The user can therefore tag any instance or security group in the account with `Owner=1p-agent` and then terminate or modify it. Restrict CreateTags so it can only tag resources the agent creates, e.g. with `"Condition": {"StringEquals": {"ec2:CreateAction": "RunInstances"}}` (and a matching `aws:RequestTag/Owner` check).
  • Prefer an IAM role (instance profile or an assumed role) over a long-lived user access key where the agent's runtime supports it; if a user is required, rotate its access key regularly.