Lab #52 Note: Example AWS IAM roles for RO & RW

Version 3

    In SolarWinds Lab #52, I mentioned that you can connect SAM to Amazon AWS for monitoring without connecting as an administrator, and follow security best practices while doing so. In the AWS IAM console (https://aws.amazon.com/console/), create a user and access keys, and attach one of the following policies:


    1. For read-only monitoring, use this policy:


    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeInstances",
            "ec2:DescribeAddresses",
            "ec2:DescribeVolumes",
            "ec2:DescribeVolumeStatus",
            "cloudwatch:GetMetricStatistics",
            "autoscaling:DescribeAutoScalingGroups",
            "autoscaling:DescribeAutoScalingInstances"
          ],
          "Resource": "*"
        }
      ]
    }

    2. For read access plus the ability to stop and terminate (as well as start and reboot) instances from the Orion UI, use this policy:


    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeInstances",
            "ec2:DescribeAddresses",
            "ec2:DescribeVolumes",
            "ec2:DescribeVolumeStatus",
            "cloudwatch:GetMetricStatistics",
            "autoscaling:DescribeAutoScalingGroups",
            "autoscaling:DescribeAutoScalingInstances",
            "ec2:StopInstances",
            "ec2:StartInstances",
            "ec2:RebootInstances",
            "ec2:TerminateInstances"
          ],
          "Resource": "*"
        }
      ]
    }

    All you need to do then is enter your new monitoring IAM user's access key ID and secret access key in the SAM AWS monitoring settings, and you're all set. Easy, no?
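As an added check that is not part of the lab note, here is a short Python script that loads both policies from above and confirms the read-only one grants nothing that can change AWS state, flags any wildcard actions, and lists exactly which extra privileges the read/write policy hands to the monitoring user. Classifying an action as read-only by its API verb prefix (Describe/Get/List) is an assumption of this script, not an AWS rule.

```python
import json

# Both policies from the lab note, embedded verbatim so this check runs offline.
READ_ONLY_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
 "Action": ["ec2:DescribeInstances", "ec2:DescribeAddresses", "ec2:DescribeVolumes",
  "ec2:DescribeVolumeStatus", "cloudwatch:GetMetricStatistics",
  "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances"],
 "Resource": "*"}]}''')
READ_WRITE_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
 "Action": ["ec2:DescribeInstances", "ec2:DescribeAddresses", "ec2:DescribeVolumes",
  "ec2:DescribeVolumeStatus", "cloudwatch:GetMetricStatistics",
  "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances",
  "ec2:StopInstances", "ec2:StartInstances", "ec2:RebootInstances",
  "ec2:TerminateInstances"], "Resource": "*"}]}''')

# Assumption of this script: an action is read-only when its API verb starts with one
# of these prefixes. Anything else (Stop, Terminate, a bare "*") can change state.
READ_PREFIXES = ("Describe", "Get", "List")


def policy_actions(policy):
    """All actions granted by Allow statements; 'Action' may be a string or a list."""
    actions = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt.get("Action", [])
        actions.update([acts] if isinstance(acts, str) else acts)
    return actions


def is_read_action(action):
    _service, _, verb = action.partition(":")
    return verb.startswith(READ_PREFIXES)


def mutating_actions(policy):
    """Granted actions that can change AWS state; must be empty for a monitoring-only user."""
    return sorted(a for a in policy_actions(policy) if not is_read_action(a))


def wildcard_actions(policy):
    """Granted actions containing '*'. These grow as AWS adds APIs, so a least-privilege
    monitoring policy lists its actions explicitly, as the lab note's policies do."""
    return sorted(a for a in policy_actions(policy) if "*" in a)


def extra_privileges(base, extended):
    """Exactly what the read/write policy grants beyond the read-only one."""
    return sorted(policy_actions(extended) - policy_actions(base))


if __name__ == "__main__":
    print("read-only policy, mutating actions:", mutating_actions(READ_ONLY_POLICY))
    print("read/write policy adds:", extra_privileges(READ_ONLY_POLICY, READ_WRITE_POLICY))
```

Run it against any edited copy of these policies before attaching them, so a later "small" addition such as an `ec2:*` wildcard shows up immediately.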