Guidelines for Creating User Roles on AWS
Pivotal recommends that you minimize the use of root (master) account credentials by creating an IAM role and instance profile that grants only the EC2, VPC, and EBS permissions the deployment requires. With an instance profile, the Ops Manager VM obtains short-lived credentials for that role at runtime instead of holding long-lived access keys.
In addition, Pivotal recommends that you follow AWS account security best practices, such as deleting or deactivating the root account's access keys, enabling multi-factor authentication on the root account, and enabling CloudTrail to audit API actions.
For more Amazon-specific best practices, refer to the following Amazon documentation:
Users Created by the CloudFormation Template
See the table below for more information about the two CloudFormation templates.
Note: If you choose not to use the CloudFormation templates, Pivotal recommends that you use the permissions determined by the PcfIamPolicy section of the Ops Manager CloudFormation template to create users with appropriate permissions. Additionally, follow AWS account security best practices such as disabling root keys, enabling multi-factor authentication on the root account, and enabling CloudTrail for auditing API actions.
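The following Python script is an added illustration of the two recommendations above (a least-privilege role for the Ops Manager instance profile, and root-account hygiene). It is not Pivotal's PcfIamPolicy and not part of either CloudFormation template: the action lists, the bucket name, the account ID and the sample credential report are constructed for the example. It lints a role's trust policy and permissions policy for the mistakes that defeat least privilege (non-service principals, wildcard actions, unscoped S3 access) and checks the root row of an IAM credential report for MFA and active access keys.

```python
# Added example, not Pivotal's PcfIamPolicy: lint an IAM role meant for the
# Ops Manager instance profile and check root-account hygiene from an IAM
# credential report. Actions, bucket name, account ID and report rows below
# are assumptions constructed for illustration.
import csv
import io
import json

ROOT_USER = "<root_account>"  # value of the "user" column for the root row

# Trust policy: only the EC2 service may assume the role, so the VM receives
# short-lived credentials via the instance profile rather than access keys.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

# Assumed bad trust policy: lets an IAM user (with long-lived keys) assume the role.
USER_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:user/admin"},
                   "Action": "sts:AssumeRole"}],
}

# Illustrative permissions policy (the real list comes from PcfIamPolicy).
OPS_MANAGER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ComputeVpcAndVolumes", "Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances",
                    "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups",
                    "ec2:CreateVolume", "ec2:AttachVolume", "ec2:DetachVolume",
                    "ec2:DeleteVolume"],
         "Resource": "*"},
        {"Sid": "LoadBalancers", "Effect": "Allow",
         "Action": ["elasticloadbalancing:DescribeLoadBalancers",
                    "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
                    "elasticloadbalancing:DeregisterInstancesFromLoadBalancer"],
         "Resource": "*"},
        {"Sid": "BlobstoreBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::pcf-ops-manager-bucket",       # assumed bucket name
                      "arn:aws:s3:::pcf-ops-manager-bucket/*"]},
    ],
}

# The shape to avoid: administrator-equivalent access on an instance role.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Everything", "Effect": "Allow",
                   "Action": "*", "Resource": "*"}],
}

# Constructed subset of the columns in `aws iam get-credential-report` output.
SAMPLE_CREDENTIAL_REPORT = """user,arn,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,false,true,false
ops-manager-s3,arn:aws:iam::123456789012:user/ops-manager-s3,false,true,false
"""


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_trust_policy(trust):
    """Return findings for a trust policy intended for an EC2 instance profile."""
    findings = []
    for stmt in trust.get("Statement", []):
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict) or "AWS" in principal:
            findings.append("trust policy allows a non-service principal to assume the role")
        if not isinstance(principal, dict) or principal.get("Service") != "ec2.amazonaws.com":
            findings.append("trust policy principal is not ec2.amazonaws.com")
    return findings


def lint_permissions_policy(policy):
    """Return findings for Allow statements that grant more than least privilege."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource grants by exclusion")
        actions = _as_list(stmt.get("Action", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
        # S3 actions must be scoped to the blobstore bucket, never to every bucket.
        if any(a.startswith("s3:") for a in actions) and "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"{sid}: s3 actions are not scoped to a bucket")
    return findings


def root_account_findings(report_csv):
    """Check the root row of a credential report for MFA and active access keys."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] != ROOT_USER:
            continue
        if row["mfa_active"] != "true":
            findings.append("root account has no MFA device")
        for key in ("access_key_1_active", "access_key_2_active"):
            if row[key] == "true":
                findings.append(f"root account has an active access key ({key})")
    return findings


if __name__ == "__main__":
    for name, findings in [("trust policy", lint_trust_policy(EC2_TRUST_POLICY)),
                           ("permissions policy", lint_permissions_policy(OPS_MANAGER_POLICY)),
                           ("over-broad policy", lint_permissions_policy(BROAD_POLICY)),
                           ("root account", root_account_findings(SAMPLE_CREDENTIAL_REPORT))]:
        print(f"{name}: {findings or 'ok'}")
    print(json.dumps(OPS_MANAGER_POLICY, indent=2))
```

To run the root-account check against a real account, generate and fetch the report with `aws iam generate-credential-report` followed by `aws iam get-credential-report`; the CLI returns the CSV base64-encoded in the `Content` field, so decode it before passing it to `root_account_findings`. The EC2 and ELB statements keep `"Resource": "*"` because the example assumes those actions are not restricted by resource ARN; any S3 statement is held to a bucket ARN so a compromised VM cannot read other buckets in the account.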
| Template Source | Location | User(s) Created | User Purpose | Uses IAM Role | Additional Documentation |
|---|---|---|---|---|---|
| Elastic Runtime | Pivotal Network Elastic Runtime Download | ERT S3 user | Blob storage | No | Deploying Elastic Runtime on AWS |
| Ops Manager | Referenced in the ERT template | Ops Manager VM and Ops Manager Director | EC2, VPC, EBS, S3, ELB | Yes | Director User Config |