Minimal IAM Permissions for KIB
Configure IAM Prerequisites before building an AWS Image
This section guides you in creating and using a minimally-scoped policy to create an Image for an AWS account using Konvoy Image Builder.
Prerequisites
Before applying the IAM Policies, verify the following:
You have a valid AWS account with credentials configured that can manage CloudFormation Stacks, IAM Policies, IAM Roles, and IAM Instance Profiles.
The AWS CLI utility is installed.
Minimal Permissions
The following is an AWS CloudFormation stack that creates the minimal policy to run KIB in AWS.
1. Copy the following contents into a file:
AWSTemplateFormatVersion: 2010-09-09
Resources:
  # Instance profile so the KIB build instance can carry the role.
  AWSIAMInstanceKIBUser:
    Properties:
      InstanceProfileName: KIBUserInstanceProfile
      Roles:
        - Ref: KIBUserRole
    Type: AWS::IAM::InstanceProfile
  # Managed policy holding the EC2 permissions KIB needs; attached to the role below.
  AWSIAMManagedPolicyKIBPolicy:
    Properties:
      Description: Minimal policy to run KIB in AWS
      ManagedPolicyName: kib-policy
      PolicyDocument:
        Statement:
          - Action:
              - ec2:AssociateRouteTable
              - ec2:AttachInternetGateway
              - ec2:AttachVolume
              - ec2:AuthorizeSecurityGroupIngress
              - ec2:CreateImage
              - ec2:CreateInternetGateway
              - ec2:CreateKeyPair
              - ec2:CreateRoute
              - ec2:CreateRouteTable
              - ec2:CreateSecurityGroup
              - ec2:CreateSubnet
              - ec2:CreateTags
              - ec2:CreateVolume
              - ec2:CreateVpc
              - ec2:DeleteInternetGateway
              - ec2:DeleteKeyPair
              - ec2:DeleteRouteTable
              - ec2:DeleteSecurityGroup
              - ec2:DeleteSnapshot
              - ec2:DeleteSubnet
              - ec2:DeleteVolume
              - ec2:DeleteVpc
              - ec2:DeregisterImage
              - ec2:DescribeAccountAttributes
              - ec2:DescribeImages
              - ec2:DescribeInstances
              - ec2:DescribeInternetGateways
              - ec2:DescribeKeyPairs
              - ec2:DescribeNetworkAcls
              - ec2:DescribeNetworkInterfaces
              - ec2:DescribeRegions
              - ec2:DescribeRouteTables
              - ec2:DescribeSecurityGroups
              - ec2:DescribeSubnets
              - ec2:DescribeVolumes   # the EC2 action is DescribeVolumes (plural)
              - ec2:DescribeVpcAttribute
              - ec2:DescribeVpcClassicLink
              - ec2:DescribeVpcClassicLinkDnsSupport
              - ec2:DescribeVpcs
              - ec2:DetachInternetGateway
              - ec2:DetachVolume
              - ec2:DisassociateRouteTable
              - ec2:ModifyImageAttribute
              - ec2:ModifySnapshotAttribute
              - ec2:ModifySubnetAttribute
              - ec2:ModifyVpcAttribute
              - ec2:RegisterImage
              - ec2:RevokeSecurityGroupEgress
              - ec2:RunInstances
              - ec2:StopInstances
              - ec2:TerminateInstances
            Effect: Allow
            Resource:
              - '*'
        Version: "2012-10-17"
      Roles:
        - Ref: KIBUserRole
    Type: AWS::IAM::ManagedPolicy
  # Role assumed by the build instance (EC2) and by principals of the owning account.
  KIBUserRole:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              # Replace MYAWSACCOUNTID with the 12-digit ID of the account whose
              # principals may assume this role.
              AWS: arn:aws:iam::MYAWSACCOUNTID:root
        Version: "2012-10-17"
      RoleName: kib-user-role
    Type: AWS::IAM::Role
2. Replace the following with the correct values:
MYFILENAME.yaml - give your file a meaningful name.
MYSTACKNAME - give your CloudFormation stack a meaningful name.
3. Run the following command to create the stack (CAPABILITY_NAMED_IAM is required because the template sets explicit names for the role, policy, and instance profile):
aws cloudformation create-stack --template-body=file://MYFILENAME.yaml --stack-name=MYSTACKNAME --capabilities CAPABILITY_NAMED_IAM
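Before deploying a policy like the one above, it is worth checking what it actually grants: which mutating actions are allowed on Resource '*' and who is permitted to assume the role. The following is an added example, not part of Konvoy Image Builder or the original page; it is a small stdlib-only lint over IAM policy documents represented as Python dicts. The sample inputs are constructed: a subset of the kib-policy actions with ec2:CreateVolume deliberately repeated so the duplicate check fires, and the role's trust policy with the same MYAWSACCOUNTID placeholder the template uses.

```python
"""Least-privilege lint for an IAM policy and its role trust policy.

Added example (not KIB project code). Policies are plain dicts, i.e. the
JSON form of the PolicyDocument / AssumeRolePolicyDocument in the template.
"""
import json
import re
from collections import Counter

# Constructed sample: a subset of the kib-policy actions, with
# ec2:CreateVolume repeated on purpose to demonstrate the duplicate check.
KIB_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateImage",
                "ec2:CreateKeyPair",
                "ec2:CreateVolume",
                "ec2:CreateVolume",
                "ec2:DeleteKeyPair",
                "ec2:DescribeImages",
                "ec2:DescribeInstances",
                "ec2:RunInstances",
                "ec2:TerminateInstances",
            ],
            "Resource": ["*"],
        }
    ],
}

# Constructed sample: trust policy of kib-user-role, placeholder kept as-is.
KIB_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["sts:AssumeRole"],
         "Principal": {"Service": ["ec2.amazonaws.com"]}},
        {"Effect": "Allow", "Action": ["sts:AssumeRole"],
         "Principal": {"AWS": "arn:aws:iam::MYAWSACCOUNTID:root"}},
    ],
}

# Heuristic: Describe*/Get*/List* actions are read-only; everything else mutates.
READ_ONLY = re.compile(r"^[a-z0-9-]+:(Describe|Get|List)[A-Za-z]*$")


def _as_list(value):
    """IAM allows Action/Resource/Principal values to be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Every action granted by an Allow statement, in document order."""
    actions = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            actions.extend(_as_list(stmt.get("Action")))
    return actions


def duplicate_actions(policy):
    """Actions listed more than once: harmless to IAM, but a sign of hand-editing."""
    counts = Counter(allowed_actions(policy))
    return sorted(a for a, n in counts.items() if n > 1)


def wildcard_write_actions(policy):
    """Mutating actions granted on Resource '*'; the candidates for tighter scoping."""
    found = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            continue
        found.update(a for a in _as_list(stmt.get("Action")) if not READ_ONLY.match(a))
    return sorted(found)


def assume_role_principals(trust_policy):
    """Who may assume the role, as (principal_type, principal) pairs."""
    principals = []
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # anonymous trust; always worth flagging
            principals.append(("*", "*"))
            continue
        for ptype, values in principal.items():
            principals.extend((ptype, v) for v in _as_list(values))
    return principals


def account_root_trusted(trust_policy):
    """True when an account root ARN is trusted, meaning any IAM principal in that
    account that itself holds sts:AssumeRole permission on the role can assume it."""
    return any(t == "AWS" and v.endswith(":root") for t, v in assume_role_principals(trust_policy))


def lint(policy, trust_policy):
    """Summary report a reviewer can read before running create-stack."""
    return {
        "action_count": len(set(allowed_actions(policy))),
        "duplicates": duplicate_actions(policy),
        "wildcard_writes": wildcard_write_actions(policy),
        "principals": assume_role_principals(trust_policy),
        "account_root_trusted": account_root_trusted(trust_policy),
    }


if __name__ == "__main__":
    print(json.dumps(lint(KIB_POLICY, KIB_TRUST_POLICY), indent=2))
```

To lint the real template, paste the full Action list from the PolicyDocument into KIB_POLICY (or load the JSON form of the two documents with json.load) and run the module; the wildcard_writes list is the set of permissions to revisit with conditions such as tag-based scoping once the images are building reliably.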