Preparing AWS
This page explains how to set up an AWS account so that ACTIVATE can manage your AWS infrastructure, clusters, billing, storage, and usage data.
The steps included on this page should be completed by a cloud engineer in your organization.
AWS Account
We recommend creating a new AWS account for the ACTIVATE platform, which will allow you to keep your existing AWS account separate from the platform and make it easier to manage billing and usage data. This will also ensure the principle of least privilege, as ACTIVATE will only have access to the resources it needs to manage.
If you use AWS Organizations, you can create a new account within your organization. Otherwise, you can make a non-organization account.
Setting Up AWS Credentials
To get started quickly, you can create a new IAM User and assign the AdministratorAccess AWS-managed policy to it.
Alternatively, you can create the policies listed in AWS Policies below, then attach those policies to the IAM user.
Create an Access Key
ACTIVATE requires the use of an AWS access key to authenticate with AWS. If you don't have an access key, you can create one.
The ACTIVATE platform will immediately rotate the secret access key after it's entered into the system. The platform will then use the rotated secret access key to generate short-term credentials, which will be used by all ACTIVATE services.
For more information about AWS keys and security best practices, see this FAQ on the AWS website.
AWS Policies
This section includes the policies you'll need to attach to the IAM user you create for ACTIVATE. You can create these policies in the IAM console, or from the AWS CLI by saving each JSON document listed under a policy to a file and passing it to aws iam create-policy.
pw-ec2-mgmt
This policy allows ACTIVATE to manage EC2 resources.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "pwec2mgmt",
      "Effect": "Allow",
      "Action": [
        "ec2:AllocateAddress",
        "ec2:AssociateAddress",
        "ec2:AssociateDhcpOptions",
        "ec2:AssociateRouteTable",
        "ec2:AttachInternetGateway",
        "ec2:AttachVolume",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateDhcpOptions",
        "ec2:CreateImage",
        "ec2:CreateInternetGateway",
        "ec2:CreateKeyPair",
        "ec2:CreateNatGateway",
        "ec2:CreateNetworkInterface",
        "ec2:CreatePlacementGroup",
        "ec2:CreateRoute",
        "ec2:CreateRouteTable",
        "ec2:CreateSecurityGroup",
        "ec2:CreateSnapshot",
        "ec2:CreateSubnet",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:CreateVpc",
        "ec2:DeleteDhcpOptions",
        "ec2:DeleteInternetGateway",
        "ec2:DeleteKeyPair",
        "ec2:DeleteNatGateway",
        "ec2:DeletePlacementGroup",
        "ec2:DeleteRoute",
        "ec2:DeleteRouteTable",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteSnapshot",
        "ec2:DeleteSubnet",
        "ec2:DeleteVolume",
        "ec2:DeleteVpc",
        "ec2:DeregisterImage",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAddresses",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeDhcpOptions",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeInstances",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeNatGateways",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribePlacementGroups",
        "ec2:DescribeRegions",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSnapshots",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:DescribeVolumes",
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeVpcClassicLink",
        "ec2:DescribeVpcClassicLinkDnsSupport",
        "ec2:DescribeVpcs",
        "ec2:DetachInternetGateway",
        "ec2:DetachVolume",
        "ec2:DisassociateAddress",
        "ec2:DisassociateRouteTable",
        "ec2:GetPasswordData",
        "ec2:ImportKeyPair",
        "ec2:ModifyImageAttribute",
        "ec2:ModifyInstanceAttribute",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:ModifySubnetAttribute",
        "ec2:ModifyVpcAttribute",
        "ec2:ReleaseAddress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RunInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "*"
    }
  ]
}
pw-fsx-mgmt
This policy allows ACTIVATE to manage FSx resources.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "pwfsxmgmt",
      "Effect": "Allow",
      "Action": [
        "fsx:CreateFilesystem",
        "fsx:DeleteFilesystem",
        "fsx:DescribeFilesystems",
        "fsx:ListTagsForResource",
        "fsx:TagResource",
        "fsx:UntagResource",
        "iam:CreateServiceLinkedRole",
        "iam:PutRolePolicy"
      ],
      "Resource": "*"
    }
  ]
}
iam:CreateServiceLinkedRole and iam:PutRolePolicy are required for using S3 import/export with FSx. If S3 import/export is not needed, these permissions can be removed.
pw-route53-mgmt
This policy allows ACTIVATE to manage Route 53 resources.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "pwroute53mgmt",
      "Effect": "Allow",
      "Action": [
        "route53:ChangeResourceRecordSets",
        "route53:ChangeTagsForResource",
        "route53:CreateHostedZone",
        "route53:DeleteHostedZone",
        "route53:GetChange",
        "route53:GetDNSSEC",
        "route53:GetHostedZone",
        "route53:ListHostedZones",
        "route53:ListResourceRecordSets",
        "route53:ListTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}
pw-sts-mgmt
This policy allows ACTIVATE to create federated users, which are used to issue short-term tokens.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "pwstsmgmt",
      "Effect": "Allow",
      "Action": ["sts:GetCallerIdentity", "sts:GetFederationToken"],
      "Resource": "*"
    }
  ]
}
pw-tgw-mgmt
If you're using a Transit Gateway account, these additional permissions are necessary to attach created VPCs to the Transit Gateway.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "pwtgwmgmt",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTransitGatewayVpcAttachment",
        "ec2:DescribeTransitGatewayVpcAttachments",
        "ec2:DescribeTransitGateways",
        "ec2:DeleteTransitGatewayVpcAttachment"
      ],
      "Resource": "*"
    }
  ]
}
pw-buckets
This policy allows ACTIVATE to access billing information (Cost and Usage Reports) and to create and manage S3 buckets.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetLifecycleConfiguration",
        "s3:GetBucketTagging",
        "s3:PutAccelerateConfiguration",
        "s3:DeleteObjectVersion",
        "s3:ListBucketVersions",
        "s3:GetBucketLogging",
        "s3:CreateBucket",
        "s3:ListBucket",
        "s3:GetAccelerateConfiguration",
        "s3:GetBucketPolicy",
        "s3:PutEncryptionConfiguration",
        "s3:GetObjectAcl",
        "s3:GetEncryptionConfiguration",
        "s3:GetBucketObjectLockConfiguration",
        "s3:PutBucketTagging",
        "s3:GetBucketRequestPayment",
        "s3:PutLifecycleConfiguration",
        "s3:PutBucketAcl",
        "cur:*",
        "s3:DeleteObject",
        "s3:DeleteBucket",
        "s3:PutBucketVersioning",
        "s3:PutObjectAcl",
        "s3:GetBucketPolicyStatus",
        "s3:GetBucketWebsite",
        "s3:PutReplicationConfiguration",
        "s3:GetBucketVersioning",
        "s3:PutBucketCORS",
        "s3:GetBucketAcl",
        "s3:DeleteBucketPolicy",
        "s3:GetReplicationConfiguration",
        "s3:PutObject",
        "s3:GetObject",
        "s3:PutBucketWebsite",
        "s3:ListAllMyBuckets",
        "s3:PutBucketRequestPayment",
        "s3:PutBucketLogging",
        "s3:GetBucketCORS",
        "s3:PutBucketPolicy",
        "s3:PutBucketObjectLockConfiguration",
        "s3:GetBucketLocation",
        "s3:GetObjectVersion"
      ],
      "Resource": "*"
    }
  ]
}
pw-storage
This policy allows ACTIVATE to create and manage EFS file systems.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "pwstoragemgmt",
      "Effect": "Allow",
      "Action": [
        "elasticfilesystem:CreateFileSystem",
        "elasticfilesystem:CreateMountTarget",
        "elasticfilesystem:DeleteFileSystem",
        "elasticfilesystem:DeleteMountTarget",
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:DescribeLifecycleConfiguration",
        "elasticfilesystem:DescribeMountTargetSecurityGroups",
        "elasticfilesystem:DescribeMountTargets",
        "elasticfilesystem:TagResource"
      ],
      "Resource": "*"
    }
  ]
}
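A small policy linter, added here as an example and not part of the ACTIVATE documentation or platform, that catches what a reviewer should check in the documents above before attaching them to the IAM user: a syntax error such as a missing comma, repeated actions, service-wide wildcard actions such as cur:*, and Allow statements scoped to every resource. The embedded policy is a constructed sample, not one of the documents above, and the code assumes each statement's Action is a list, as it is in every policy on this page.

```python
import json

# Constructed sample, not one of the page's policies: a trimmed document with the
# defects seen above (a repeated action, a service-wide wildcard, a star resource).
SAMPLE_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "pwbuckets",
      "Effect": "Allow",
      "Action": ["s3:CreateBucket", "s3:PutBucketVersioning", "cur:*",
                 "s3:PutBucketVersioning"],
      "Resource": "*"
    }
  ]
}
"""

def lint_policy(doc):
    """Parse a policy document (a missing comma fails here, before IAM ever sees it)
    and report what a reviewer checks before attaching it to the ACTIVATE user."""
    policy = json.loads(doc)
    report = {"duplicates": [], "wildcard_actions": [], "star_resources": []}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # a Deny on "*" narrows access, so it is not flagged
        seen = set()
        for action in stmt["Action"]:  # the policies above always use a list here
            key = action.lower()  # IAM matches action names case-insensitively
            if key in seen:
                report["duplicates"].append(action)
            seen.add(key)
            if "*" in action:
                report["wildcard_actions"].append(action)
        if stmt.get("Resource") in ("*", ["*"]):
            report["star_resources"].append(stmt.get("Sid", "<no Sid>"))
    return report

def dedupe_policy(doc):
    """Return the policy with repeated actions dropped (first occurrence kept, order
    preserved), ready to paste into the IAM console or `aws iam create-policy`."""
    policy = json.loads(doc)
    for stmt in policy["Statement"]:
        kept = {}
        for action in stmt["Action"]:
            kept.setdefault(action.lower(), action)
        stmt["Action"] = list(kept.values())
    return json.dumps(policy, indent=2)
```

Run lint_policy over each document above before creating it; a star resource is expected for these policies, but a wildcard action or a parse error is worth a second look.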