AWS permission requirements

API access to Amazon Web Services (AWS) is granted using two key credentials: an Access Key ID and a Secret Access Key. These credentials are created for a user by an AWS Identity and Access Management (IAM) administrator.

BEST PRACTICE  Because these credentials are issued by an AWS IAM administrator and carry whatever permissions that user holds, you should create a dedicated IAM user for the VenafiAWS driver rather than reusing a person's access keys. A dedicated user keeps the driver's key pair separate from human credentials, so it can be scoped to the policy below and rotated or revoked without affecting anyone else.

For more information, visit the following URL:

http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html

The operations performed by the AWS Certificate Manager (ACM) and Amazon Web Services drivers depend on the permissions granted to that IAM user by the policy attached to it. The following IAM policy represents the least-privilege access required to support the full feature set of the VenafiAWS driver: it names each action explicitly (no service-wide wildcards such as "acm:*") and applies them to all resources ("Resource": "*").

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:DeleteServerCertificate",
                "iam:UploadServerCertificate",
                "iam:ListServerCertificates",
                "iam:GetServerCertificate",
                "acm:RequestCertificate",
                "acm:GetCertificate",
                "acm:DeleteCertificate",
                "acm:ImportCertificate",
                "acm:ListCertificates",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:CreateListener",
                "elasticloadbalancing:CreateLoadBalancerListeners",
                "elasticloadbalancing:ModifyListener",
                "elasticloadbalancing:SetLoadBalancerListenerSSLCertificate",
                "cloudfront:GetDistribution",
                "cloudfront:GetDistributionConfig",
                "cloudfront:UpdateDistribution",
                "cloudfront:ListDistributions",
                "ec2:DescribeInstances"
            ],
            "Resource": "*"
        }
    ]
}

You can remove features you don't plan to use by omitting the corresponding actions from the policy. For example, if you know that you will not be using ACM, delete every action that starts with "acm:". Remove only actions for features you have actually disabled: when the driver attempts an operation whose action is missing, the AWS API rejects the call as not authorized and the driver reports a failure. Note that the policy is valid JSON as shown; the IAM console rejects a policy with a trailing comma after the last action, so check the syntax after editing the list. The policy grants these actions on "Resource": "*"; if your account layout allows it, you can tighten it further by restricting the iam:*ServerCertificate and acm:* actions to specific resource ARNs, but do not widen the list of actions beyond what is shown.
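The trimming step above is easy to get wrong by hand (a stray comma, a statement left with an empty Action list). The following script, added here as an example and not part of the Venafi documentation or the VenafiAWS driver, holds the policy as Python data, drops every action for one or more service prefixes, lints the result for the mistakes a reviewer would flag, and prints the JSON to paste into the IAM console. The is_allowed helper is a deliberate simplification for local checks: it matches action names exactly and ignores wildcards, Resource and Condition elements, which the real IAM evaluator does honour.

```python
import copy
import json

# The least-privilege policy from this page, as Python data so it can be edited safely.
VENAFI_AWS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:DeleteServerCertificate",
                "iam:UploadServerCertificate",
                "iam:ListServerCertificates",
                "iam:GetServerCertificate",
                "acm:RequestCertificate",
                "acm:GetCertificate",
                "acm:DeleteCertificate",
                "acm:ImportCertificate",
                "acm:ListCertificates",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:CreateListener",
                "elasticloadbalancing:CreateLoadBalancerListeners",
                "elasticloadbalancing:ModifyListener",
                "elasticloadbalancing:SetLoadBalancerListenerSSLCertificate",
                "cloudfront:GetDistribution",
                "cloudfront:GetDistributionConfig",
                "cloudfront:UpdateDistribution",
                "cloudfront:ListDistributions",
                "ec2:DescribeInstances",
            ],
            "Resource": "*",
        }
    ],
}


def _as_list(value):
    """IAM accepts Action as a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def actions(policy):
    """Return every Action string across all statements of the policy."""
    result = []
    for stmt in policy.get("Statement", []):
        result.extend(_as_list(stmt.get("Action", [])))
    return result


def drop_services(policy, *services):
    """Return a copy of the policy without any action for the given service prefixes,
    e.g. drop_services(p, "acm") when ACM will not be used. A statement left with no
    actions is removed entirely, because IAM rejects an Allow with an empty Action."""
    trimmed = copy.deepcopy(policy)
    prefixes = tuple(f"{s}:" for s in services)
    kept = []
    for stmt in trimmed.get("Statement", []):
        stmt["Action"] = [a for a in _as_list(stmt.get("Action", []))
                          if not a.startswith(prefixes)]
        if stmt["Action"]:
            kept.append(stmt)
    trimmed["Statement"] = kept
    return trimmed


def lint(policy):
    """Return a list of problems to fix before attaching the policy to the IAM user."""
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version should be 2012-10-17 (the current policy language version)")
    for i, stmt in enumerate(policy.get("Statement", [])):
        for key in ("Effect", "Action", "Resource"):
            if key not in stmt:
                problems.append(f"statement {i}: missing {key}")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                problems.append(f"statement {i}: wildcard action {action!r} is not least privilege")
            elif ":" not in action:
                problems.append(f"statement {i}: malformed action {action!r}")
    return problems


def is_allowed(policy, action):
    """Local approximation of IAM evaluation: an explicit Deny wins, otherwise the
    action must be listed exactly in an Allow statement. Ignores wildcards,
    Resource and Condition, so use it only for quick checks on this policy."""
    allowed = False
    for stmt in policy.get("Statement", []):
        if action in _as_list(stmt.get("Action", [])):
            if stmt.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed


def to_json(policy):
    """Serialise for the IAM console; json.dumps never emits trailing commas."""
    return json.dumps(policy, indent=4)


if __name__ == "__main__":
    no_acm = drop_services(VENAFI_AWS_POLICY, "acm")
    print(to_json(no_acm))
    print(lint(no_acm) or "no problems found")
```

Run it as-is to get the policy with all "acm:" actions removed; pass several prefixes (for example "acm", "cloudfront") to drop more than one feature at once, and check that lint returns an empty list before attaching the result to the dedicated IAM user.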

For more information about ELB permissions, visit the following Amazon URL:

http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html#d0e40339
