Update documentation to include minimum required IAM policy (#461)

* Updating documentation to include minimum required IAM polcy. Closes * Slightly more concise
2025-04-26 19:14:01 +02:00 · 2017-04-20 18:15:31 -04:00 · 2017-04-20 18:15:31 -04:00 · 22e145c241
commit 22e145c241
parent 76cdc69548
2 changed files with 65 additions and 2 deletions
--- a/3
+++ b/3
@ -232,14 +232,13 @@ EXTRA_VARS="do_access_token=$do_access_token do_server_name=$do_server_name do_r
 ec2 () {
  read -p "
 Enter your aws_access_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html)
-Note: Make sure to use either your root key (recommended) or an IAM user with an acceptable policy attached
+Note: Make sure to use an IAM user with an acceptable policy attached (see https://github.com/trailofbits/algo/blob/master/docs/deploy-with-ansible.md).
 $ADDITIONAL_PROMPT
 [AKIA...]: " -rs aws_access_key

  read -p "

 Enter your aws_secret_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html)
-Note: Make sure to use either your root key (recommended) or an IAM user with an acceptable policy attached
 $ADDITIONAL_PROMPT
 [ABCD...]: " -rs aws_secret_key

--- a/docs/deploy-with-ansible.md
+++ b/docs/deploy-with-ansible.md
@ -103,6 +103,70 @@ Additional tags:

 - [encrypted](https://aws.amazon.com/blogs/aws/new-encrypted-ebs-boot-volumes/) (enabled by default)

+#### Minimum required IAM permissions for deployment:
+
+```
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "PreDeployment",
+            "Effect": "Allow",
+            "Action": [
+                "ec2:DescribeImages",
+                "ec2:DescribeKeyPairs",
+                "ec2:ImportKeyPair"
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Sid": "DeployCloudFormationStack",
+            "Effect": "Allow",
+            "Action": [
+                "cloudformation:CreateStack",
+                "cloudformation:DescribeStacks",
+                "cloudformation:CreateStacks",
+                "cloudformation:DescribeStackEvents",
+                "cloudformation:ListStackResources"
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Sid": "CloudFormationEC2Access",
+            "Effect": "Allow",
+            "Action": [
+                "ec2:CreateInternetGateway",
+                "ec2:DescribeVpcs",
+                "ec2:CreateVpc",
+                "ec2:DescribeInternetGateways",
+                "ec2:ModifyVpcAttribute",
+                "ec2:createTags",
+                "ec2:CreateSubnet",
+                "ec2:Associate*",
+                "ec2:CreateRouteTable",
+                "ec2:AttachInternetGateway",
+                "ec2:DescribeRouteTables",
+                "ec2:DescribeSubnets",
+                "ec2:ModifySubnetAttribute",
+                "ec2:CreateRoute",
+                "ec2:CreateSecurityGroup",
+                "ec2:DescribeSecurityGroups",
+                "ec2:AuthorizeSecurityGroupIngress",
+                "ec2:RunInstances",
+                "ec2:DescribeInstances"
+            ],
+            "Resource": [
+                "*"
+            ]
+        }
+    ]
+}
+```
+
 ### Google Compute Engine

 Required variables: