Pivotal Cloud Foundry v1.10

Guidelines for Creating User Roles on AWS

Pivotal recommends using the CloudFormation templates for Pivotal Cloud Foundry to configure AWS deployments to create users with least privilege. Pivotal also recommends minimizing the use of master account credentials by creating an IAM role and instance profile with the minimum required EC2, VPC, and EBS credentials.

Note: If you choose not to use the CloudFormation templates, Pivotal encourages you to use the permissions defined in the PcfIamPolicy section of the Ops Manager CloudFormation template to create users with appropriate permissions. Additionally, follow AWS account security best practices such as disabling root access keys, enabling multi-factor authentication on the root account, and enabling CloudTrail for auditing API actions.
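To make the least-privilege guidance concrete, the following added example (not Pivotal's code, and not the contents of the PcfIamPolicy section) audits an IAM policy document before it is attached to a role or instance profile. It flags wildcard actions, actions outside the EC2/VPC/EBS/S3/ELB services the Ops Manager role needs, and S3 grants that are not scoped to a bucket. Both policy documents, the action list in the scoped one, and the bucket name `example-pcf-bucket` are constructed for illustration; the real permission set must come from the template.

```python
"""Audit an IAM policy document for least-privilege violations.

Added example, not Pivotal's code and not the PcfIamPolicy contents.
The two policy documents below are constructed for illustration only.
"""
import json

# Services the page says the Ops Manager role needs: EC2, VPC, EBS, S3, ELB.
# VPC and EBS actions live under the "ec2" IAM service prefix.
ALLOWED_SERVICE_PREFIXES = {"ec2", "s3", "elasticloadbalancing"}

# Constructed over-broad policy: the weak setting that grants everything.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}
    ],
})

# Constructed scoped policy: actions are enumerated per service and the S3
# grant is limited to one bucket (placeholder bucket name, an assumption).
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances",
                       "ec2:CreateVolume", "ec2:AttachVolume", "ec2:DetachVolume",
                       "ec2:DeleteVolume", "ec2:DescribeVolumes",
                       "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups"],
            "Resource": "*",
        },
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-pcf-bucket", "arn:aws:s3:::example-pcf-bucket/*"],
        },
        {
            "Effect": "Allow",
            "Action": ["elasticloadbalancing:DescribeLoadBalancers",
                       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
                       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer"],
            "Resource": "*",
        },
    ],
})


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json, allowed_prefixes=ALLOWED_SERVICE_PREFIXES):
    """Return a list of findings (strings) for the Allow statements in a policy.

    Flags: the bare action wildcard "*", service-wide wildcards such as
    "s3:*", services outside the allowed set, and S3 actions granted on
    Resource "*" instead of a bucket ARN.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            if action == "*":
                findings.append(f"statement {idx}: action wildcard '*'")
                continue
            service, _, name = action.partition(":")
            if name == "*":
                findings.append(f"statement {idx}: service-wide wildcard '{action}'")
            if service not in allowed_prefixes:
                findings.append(f"statement {idx}: service '{service}' not in allowed set")
        # Many EC2 and ELB Describe* actions cannot be resource-scoped, so the
        # resource check is applied only to S3, where a bucket ARN is always possible.
        if any(a.startswith("s3:") for a in actions) and "*" in resources:
            findings.append(f"statement {idx}: S3 actions granted on Resource '*'")
    return findings


if __name__ == "__main__":
    for label, doc in (("over-broad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(label, audit_policy(doc) or "no findings")
```

Run the script as-is to compare the two constructed policies; to audit a real document, pass the JSON text of the policy to `audit_policy` and treat any finding as a reason to tighten the statement before attaching the policy to the instance profile.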

See the table below for more information about the two CloudFormation templates.

Template         | Source Location                           | User(s) Created                          | User Purpose            | Uses IAM Role | Additional Documentation
-----------------|-------------------------------------------|------------------------------------------|-------------------------|---------------|----------------------------------
Elastic Runtime  | Pivotal Network Elastic Runtime Download  | ERT S3 user                              | Blob storage            | No            | Deploying Elastic Runtime on AWS
Ops Manager      | Referenced in the ERT template            | Ops Manager VM and Ops Manager Director  | EC2, VPC, EBS, S3, ELB  | Yes           | Director User Config

For more Amazon-specific best practices, refer to the following Amazon documentation:
