Ops Manager for AWS Policy Document

Use this policy document to complete Create an IAM User for Ops Manager in Preparing to Deploy Ops Manager on AWS.

The Policy Document Base Code

Note: In the S3 bucket sections of the policy, replace the generic bucket names with your own unique bucket names.

From the AWS Management Console, copy and paste the following text in the Policy Document field.

You may want to consider adding more policies to enable additional features. See Add Additional AWS Policies below.


{
  "Version": "2012-10-17",
  "Statement": [
    {
        "Effect": "Deny",
        "Action": [
            "iam:*"
        ],
        "Resource": [
            "*"
        ]
    },
    {
        "Sid": "OpsMgrInfrastructureIaasConfiguration",
        "Effect": "Allow",
        "Action": [
            "ec2:DescribeKeypairs",
            "ec2:DescribeVpcs",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeAccountAttributes"
        ],
        "Resource": "*"
    },
    {
        "Sid": "OpsMgrInfrastructureDirectorConfiguration",
        "Effect": "Allow",
        "Action": [
            "s3:*"
        ],
        "Resource": [
            "arn:aws:s3:::pcf-ops-manager-bucket",
            "arn:aws:s3:::pcf-ops-manager-bucket/*",
            "arn:aws:s3:::pcf-buildpacks-bucket",
            "arn:aws:s3:::pcf-buildpacks-bucket/*",
            "arn:aws:s3:::pcf-packages-bucket",
            "arn:aws:s3:::pcf-packages-bucket/*",
            "arn:aws:s3:::pcf-resources-bucket",
            "arn:aws:s3:::pcf-resources-bucket/*",
            "arn:aws:s3:::pcf-droplets-bucket",
            "arn:aws:s3:::pcf-droplets-bucket/*"
        ]
    },
    {
        "Sid": "OpsMgrInfrastructureAvailabilityZones",
        "Effect": "Allow",
        "Action": [
            "ec2:DescribeAvailabilityZones"
        ],
        "Resource": "*"
    },
    {
        "Sid": "OpsMgrInfrastructureNetworks",
        "Effect": "Allow",
        "Action": [
            "ec2:DescribeSubnets"
        ],
        "Resource": "*"
    },
    {
        "Sid": "DeployMicroBosh",
        "Effect": "Allow",
        "Action": [
            "ec2:DescribeImages",
            "ec2:RunInstances",
            "ec2:DescribeInstances",
            "ec2:TerminateInstances",
            "ec2:RebootInstances",
            "elasticloadbalancing:DescribeLoadBalancers",
            "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
            "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
            "ec2:DescribeAddresses",
            "ec2:DisassociateAddress",
            "ec2:AssociateAddress",
            "ec2:CreateTags",
            "ec2:DescribeVolumes",
            "ec2:CreateVolume",
            "ec2:AttachVolume",
            "ec2:DeleteVolume",
            "ec2:DetachVolume",
            "ec2:CreateSnapshot",
            "ec2:DeleteSnapshot",
            "ec2:DescribeSnapshots",
            "ec2:DescribeRegions"
        ],
        "Resource": "*"
    }
  ]
}


Add Additional AWS Policies

To perform specific tasks, you may need to add policies to the Policy Document field in the AWS Management Console.

Consult the table below to determine which additional policies you may want to include, then paste the code from the corresponding row. Enter the code in your existing policy after any "}," that closes a statement.

I need to… | So I paste this code.
Use an AWS Instance Profile instead of AWS Keys.
{
  "Sid": "AllowToGetInfoAboutCurrentInstanceProfile",
  "Effect": "Allow",
  "Action": [
    "iam:GetInstanceProfile"
  ],
  "Resource": [
    "IAM-INSTANCE-ARN-PROFILE"
  ]
},
{
  "Sid": "AllowToCreateInstanceWithCurrentInstanceProfile",
  "Effect": "Allow",
  "Action": [
    "iam:PassRole"
  ],
  "Resource": [
    "IAM-OPS-MANAGER-ARN-ROLE"
  ]
},

Where:

  • IAM-INSTANCE-ARN-PROFILE is the ARN of the IAM instance profile that you configure in AWS.
  • IAM-OPS-MANAGER-ARN-ROLE is the ARN of the Ops Manager IAM role that you configure in AWS.

Encrypt EBS volumes with AWS Key Management Service (KMS).
{
    "Sid": "RequiredIfUsingHeavyStemcells",
    "Effect": "Allow",
    "Action": [
        "ec2:RegisterImage",
        "ec2:DeregisterImage"
    ],
    "Resource": "*"
},
{
    "Sid": "RequiredIfEncryptingStemcells",
    "Effect": "Allow",
    "Action": [
        "ec2:CopyImage"
    ],
    "Resource": "*"
},

Use a custom KMS encryption key that I created in AWS.
{
    "Sid": "RequiredIfUsingCustomKMSKeys",
    "Effect": "Allow",
    "Action": [
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:CreateGrant",
        "kms:DescribeKey*"
    ],
    "Resource": [
        "((kms_key_arn))"
    ]
},

Use the load balancer target group.
{
    "Sid": "RequiredIfUsingLBTargetGroupCloudProperties",
    "Effect": "Allow",
    "Action": [
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "elasticloadbalancing:RegisterTargets"
    ],
    "Resource": "*"
},

Use the AWS Spot instance advisor.
{
    "Sid": "RequiredIfUsingSpotBidPriceCloudProperties",
    "Effect": "Allow",
    "Action": [
        "ec2:CancelSpotInstanceRequests",
        "ec2:DescribeSpotInstanceRequests",
        "ec2:RequestSpotInstances"
    ],
    "Resource": "*"
},

Create and replace AWS routes.
{
    "Sid": "RequiredIfUsingAdvertisedRoutesCloudProperties",
    "Effect": "Allow",
    "Action": [
        "ec2:CreateRoute",
        "ec2:DescribeRouteTables",
        "ec2:ReplaceRoute"
    ],
    "Resource": "*"
},
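
A pre-paste check for the merge step described above, as an added example that is not part of the Ops Manager documentation: it appends a table fragment to the Statement array and reports resources that still hold template values, plus Allow actions matched by an unconditional Deny in the same document (IAM gives an explicit Deny precedence over any Allow). The function names and the two-statement excerpt of the base policy are constructed for illustration.

```python
import fnmatch
import json

# Generic bucket names used in the page's base policy.
GENERIC_BUCKETS = {f"pcf-{n}-bucket" for n in
                   ("ops-manager", "buildpacks", "packages", "resources", "droplets")}

# Constructed sample: a two-statement excerpt of the base policy.
BASE = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Deny", "Action": ["iam:*"], "Resource": ["*"]},
  {"Sid": "OpsMgrInfrastructureDirectorConfiguration", "Effect": "Allow",
   "Action": ["s3:*"],
   "Resource": ["arn:aws:s3:::pcf-ops-manager-bucket",
                "arn:aws:s3:::pcf-ops-manager-bucket/*"]}]}""")

# Instance-profile row as pasted: comma-terminated objects, not JSON on its own.
FRAGMENT = """{"Sid": "AllowToGetInfoAboutCurrentInstanceProfile", "Effect": "Allow",
 "Action": ["iam:GetInstanceProfile"], "Resource": ["IAM-INSTANCE-ARN-PROFILE"]},
{"Sid": "AllowToCreateInstanceWithCurrentInstanceProfile", "Effect": "Allow",
 "Action": ["iam:PassRole"], "Resource": ["IAM-OPS-MANAGER-ARN-ROLE"]},"""

def as_list(v): return v if isinstance(v, list) else [v]

def merge(policy, fragment_text):
    """Append comma-terminated statement objects to the Statement array."""
    extra = json.loads("[" + fragment_text.strip().rstrip(",") + "]")
    return {**policy, "Statement": policy["Statement"] + extra}

def unresolved(resource):
    """True for template values such as ((kms_key_arn)) or a generic bucket."""
    if not resource.startswith("arn:"):
        return resource != "*"
    return resource.split(":::")[-1].split("/")[0] in GENERIC_BUCKETS

def lint(policy):
    """Return (kind, statement, value) findings for a policy document."""
    stmts, findings = policy["Statement"], []
    # Actions under an unconditional Deny on Resource "*".
    denied = [a.lower() for s in stmts for a in as_list(s["Action"])
              if s["Effect"] == "Deny" and "Condition" not in s
              and "*" in as_list(s["Resource"])]
    for i, s in enumerate(stmts):
        name = s.get("Sid", f"statement[{i}]")
        findings += [("placeholder", name, r)
                     for r in as_list(s["Resource"]) if unresolved(r)]
        if s["Effect"] == "Allow":
            findings += [("shadowed-by-deny", name, a) for a in as_list(s["Action"])
                         if any(fnmatch.fnmatchcase(a.lower(), d) for d in denied)]
    return findings
```

Calling lint(merge(BASE, FRAGMENT)) reports iam:GetInstanceProfile and iam:PassRole as shadowed for as long as the Deny on iam:* stays in the document, along with the four resources that still carry template values.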

For more information about AWS policies, see Example Policies in the AWS documentation.