Skip to main content

Preparing AWS

This page explains how to set up an AWS account so it's ready for the PW platform to manage infrastructure, clusters, billing, storage, and usage data.

Persona

The steps included on this page should be completed by a cloud engineer in your organization.

AWS Account

We recommend creating a new AWS account for the PW platform, which will allow you to keep your existing AWS account separate from the platform and make it easier to manage billing and usage data. This will also ensure the principle of least privilege, as the PW platform will only have access to the resources it needs to manage.

If you use AWS Organizations, you can create a new account within your organization. Otherwise, you can make a non-organization account.

Setting Up AWS Credentials

To get started quickly, you can create a new IAM User and assign the AdministratorAccess AWS-managed policy to it.

Alternatively, you can create the policies listed in AWS Policies below, then attach those policies to the IAM user.

Create an Access Key

The PW platform requires the use of an AWS access key to authenticate with AWS. If you don't have an access key, you can create one.

Security Best Practices

The PW platform will immediately rotate the secret access key after it's entered into the system. The platform will then use the rotated secret access key to generate short-term credentials, which will be used by all PW platform services.

For more information about AWS keys and security best practices, see this FAQ on the AWS website.

AWS Policies

This section includes the policies you’ll need to attach to the IAM user you create for the PW platform. You can create these policies in the IAM console, or you can create them in the AWS CLI by entering the JSON files listed under each policy.

pw-ec2-mgmt

This policy allows PW to manage EC2 resources.

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "pwec2mgmt",
"Effect": "Allow",
"Action": [
"ec2:AllocateAddress",
"ec2:AssociateDhcpOptions",
"ec2:AssociateRouteTable",
"ec2:AttachInternetGateway",
"ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateDhcpOptions",
"ec2:CreateImage",
"ec2:CreateInternetGateway",
"ec2:CreateKeyPair",
"ec2:CreateNatGateway",
"ec2:CreateNetworkInterface",
"ec2:CreatePlacementGroup",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:CreateSecurityGroup",
"ec2:CreateSnapshot",
"ec2:CreateSubnet",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:CreateVpc",
"ec2:DeleteDhcpOptions",
"ec2:DeleteInternetGateway",
"ec2:DeleteKeyPair",
"ec2:DeleteNatGateway",
"ec2:DeletePlacementGroup",
"ec2:DeleteRoute",
"ec2:DeleteRouteTable",
"ec2:DeleteSecurityGroup",
"ec2:DeleteSnapshot",
"ec2:DeleteSubnet",
"ec2:DeleteVolume",
"ec2:DeleteVpc",
"ec2:DeregisterImage",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeDhcpOptions",
"ec2:DescribeImages",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DescribeKeyPairs",
"ec2:DescribeNatGateways",
"ec2:DescribeNetworkAcls",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribePlacementGroups",
"ec2:DescribeRegions",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshots",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcClassicLink",
"ec2:DescribeVpcClassicLinkDnsSupport",
"ec2:DescribeVpcs",
"ec2:DetachInternetGateway",
"ec2:DetachVolume",
"ec2:DetachVolume",
"ec2:DisassociateAddress",
"ec2:DisassociateRouteTable",
"ec2:GetPasswordData",
"ec2:DetachVolume",
"ec2:DisassociateAddress",
"ec2:DisassociateRouteTable",
"ec2:GetPasswordData",
"ec2:ImportKeyPair",
"ec2:ImportKeyPair",
"ec2:ModifyImageAttribute",
"ec2:ImportKeyPair",
"ec2:ModifyImageAttribute",
"ec2:ModifyInstanceAttribute",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ModifySubnetAttribute",
"ec2:ModifyVpcAttribute",
"ec2:ReleaseAddress",
"ec2:RevokeSecurityGroupEgress",
"ec2:RunInstances",
"ec2:StopInstances",
"ec2:TerminateInstances"
],
"Resource": "*"
}
]
}

pw-fsx-mgmt

This policy allows PW to manage FSx resources.

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "pwfsxmgmt",
"Effect": "Allow",
"Action": [
"fsx:CreateFilesystem",
"fsx:DeleteFilesystem",
"fsx:DescribeFilesystems",
"fsx:ListTagsForResource",
"fsx:TagResource",
"fsx:UntagResource",
"iam:CreateServiceLinkedRole",
"iam:PutRolePolicy"
],
"Resource": "*"
}
]
}
Note

iam:CreateServiceLinkedRole and iam:PutRolePolicy are required for using S3 import/export with FSx. If S3 import/export is not needed, these permissions can be removed.

pw-route53-mgmt

This policy allows PW to manage Route 53 resources.

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "pwroute53mgmt",
"Effect": "Allow",
"Action": [
"route53:ChangeResourceRecordSets",
"route53:ChangeTagsForResource",
"route53:CreateHostedZone",
"route53:DeleteHostedZone",
"route53:GetChange",
"route53:GetDNSSEC",
"route53:GetHostedZone",
"route53:ListHostedZones",
"route53:ListResourceRecordSets",
"route53:ListTagsForResource"
],
"Resource": "*"
}
]
}

pw-sts-mgmt

This policy allows PW to create federated users used for short term tokens.

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "pwstsmgmt",
"Effect": "Allow",
"Action": [
"sts:GetCallerIdentity",
"sts:GetFederationToken"
],
"Resource": "*"
}
]
}

pw-tgw-mgmt

If you're using a Transit Gateway account, these additional permissions are necessary to attach created VPCs to the Transit Gateway.

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "pwfsxmgmt",
"Effect": "Allow",
"Action": [
"ec2:CreateTransitGatewayVpcAttachment",
"ec2:DescribeTransitGatewayVpcAttachments",
"ec2:DescribeTransitGateways",
"ec2:DeleteTransitGatewayVpcAttachment"
],
"Resource": "*"
}
]
}

pw-buckets

This policy allows PW to access billing information and Create and Mange S3 Buckets.

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetLifecycleConfiguration",
"s3:GetBucketTagging",
"s3:PutAccelerateConfiguration",
"s3:DeleteObjectVersion",
"s3:ListBucketVersions",
"s3:GetBucketLogging",
"s3:CreateBucket",
"s3:ListBucket",
"s3:GetAccelerateConfiguration",
"s3:GetBucketPolicy",
"s3:PutEncryptionConfiguration",
"s3:GetObjectAcl",
"s3:GetEncryptionConfiguration",
"s3:GetBucketObjectLockConfiguration",
"s3:PutBucketTagging",
"s3:GetBucketRequestPayment",
"s3:PutLifecycleConfiguration",
"s3:PutBucketAcl",
"cur:*",
"s3:DeleteObject",
"s3:DeleteBucket",
"s3:PutBucketVersioning",
"s3:PutObjectAcl",
"s3:GetBucketPolicyStatus",
"s3:GetBucketWebsite",
"s3:PutReplicationConfiguration",
"s3:GetBucketVersioning",
"s3:PutBucketCORS",
"s3:GetBucketAcl",
"s3:DeleteBucketPolicy",
"s3:GetReplicationConfiguration",
"s3:PutObject",
"s3:GetObject",
"s3:PutBucketWebsite",
"s3:ListAllMyBuckets",
"s3:PutBucketRequestPayment",
"s3:PutBucketLogging",
"s3:GetBucketCORS",
"s3:PutBucketPolicy",
"s3:PutBucketObjectLockConfiguration",
"s3:GetBucketLocation",
"s3:GetObjectVersion"
],
"Resource": "*"
}
]
}

pw-storage

This policy allows PW to create and manage EFS storages.

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "pwstoragemgmt",
"Effect": "Allow",
"Action": [
"elasticfilesystem:CreateFileSystem",
"elasticfilesystem:CreateMountTarget",
"elasticfilesystem:DeleteFileSystem",
"elasticfilesystem:DeleteMountTarget",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeLifecycleConfiguration",
"elasticfilesystem:DescribeMountTargetSecurityGroups",
"elasticfilesystem:DescribeMountTargets",
"elasticfilesystem:TagResource"
],
"Resource": "*"
}
]
}