PCF for AWS Policy Document

Use this policy document to complete Step 3: Create an IAM User for PCF in Installing PCF on AWS Manually.

The Policy Document Base Code

Note: S3 bucket names are globally unique, so in the S3 bucket policy sections replace the generic pcf-*-bucket names with the names of your own buckets.

From the AWS Management Console, copy and paste the following text in the Policy Document field.

You may want to consider adding more policies to enable additional features. See Add Additional AWS Policies below.


{
  "Version": "2012-10-17",
  "Statement": [
    {
        "Effect": "Deny",
        "Action": [
            "iam:*"
        ],
        "Resource": [
            "*"
        ]
    },
    {
        "Sid": "OpsMgrInfrastructureIaasConfiguration",
        "Effect": "Allow",
        "Action": [
            "ec2:DescribeKeypairs",
            "ec2:DescribeVpcs",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeAccountAttributes"
        ],
        "Resource": "*"
    },
    {
        "Sid": "OpsMgrInfrastructureDirectorConfiguration",
        "Effect": "Allow",
        "Action": [
            "s3:*"
        ],
        "Resource": [
            "arn:aws:s3:::pcf-ops-manager-bucket",
            "arn:aws:s3:::pcf-ops-manager-bucket/*",
            "arn:aws:s3:::pcf-buildpacks-bucket",
            "arn:aws:s3:::pcf-buildpacks-bucket/*",
            "arn:aws:s3:::pcf-packages-bucket",
            "arn:aws:s3:::pcf-packages-bucket/*",
            "arn:aws:s3:::pcf-resources-bucket",
            "arn:aws:s3:::pcf-resources-bucket/*",
            "arn:aws:s3:::pcf-droplets-bucket",
            "arn:aws:s3:::pcf-droplets-bucket/*"
        ]
    },
    {
        "Sid": "OpsMgrInfrastructureAvailabilityZones",
        "Effect": "Allow",
        "Action": [
            "ec2:DescribeAvailabilityZones"
        ],
        "Resource": "*"
    },
    {
        "Sid": "OpsMgrInfrastructureNetworks",
        "Effect": "Allow",
        "Action": [
            "ec2:DescribeSubnets"
        ],
        "Resource": "*"
    },
    {
        "Sid": "DeployMicroBosh",
        "Effect": "Allow",
        "Action": [
            "ec2:DescribeImages",
            "ec2:RunInstances",
            "ec2:DescribeInstances",
            "ec2:TerminateInstances",
            "ec2:RebootInstances",
            "elasticloadbalancing:DescribeLoadBalancers",
            "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
            "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
            "ec2:DescribeAddresses",
            "ec2:DisassociateAddress",
            "ec2:AssociateAddress",
            "ec2:CreateTags",
            "ec2:DescribeVolumes",
            "ec2:CreateVolume",
            "ec2:AttachVolume",
            "ec2:DeleteVolume",
            "ec2:DetachVolume",
            "ec2:CreateSnapshot",
            "ec2:DeleteSnapshot",
            "ec2:DescribeSnapshots",
            "ec2:DescribeRegions"
        ],
        "Resource": "*"
    }
]
}


Add Additional AWS Policies

To perform specific tasks, you may need to add additional policies to your Policy Document field in the AWS Management Console.

Consult the table below to determine which additional policies you want to include, then paste the code from the corresponding row into the Statement array of your existing policy, after any statement's closing },. Keep the document valid JSON: every statement except the last must end with a comma, and the last must not.

I need to… | So I paste this code.
Encrypt EBS volumes with AWS Key Management Service (KMS).
{
    "Sid": "RequiredIfUsingHeavyStemcells",
    "Effect": "Allow",
    "Action": [
        "ec2:RegisterImage",
        "ec2:DeregisterImage"
    ],
    "Resource": "*"
},
{
    "Sid": "RequiredIfEncryptingStemcells",
    "Effect": "Allow",
    "Action": [
        "ec2:CopyImage"
    ],
    "Resource": "*"
},
Use a custom KMS encryption key that I created in AWS.
{
    "Sid": "RequiredIfUsingCustomKMSKeys",
    "Effect": "Allow",
    "Action": [
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:CreateGrant",
        "kms:DescribeKey*"
    ],
    "Resource": [
        "((kms_key_arn))"
    ]
},
Use the load balancer target group.
{
    "Sid": "RequiredIfUsingLBTargetGroupCloudProperties",
    "Effect": "Allow",
    "Action": [
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "elasticloadbalancing:RegisterTargets"
    ],
    "Resource": "*"
},
Use the AWS Spot instance advisor.
{
    "Sid": "RequiredIfUsingSpotBidPriceCloudProperties",
    "Effect": "Allow",
    "Action": [
        "ec2:CancelSpotInstanceRequests",
        "ec2:DescribeSpotInstanceRequests",
        "ec2:RequestSpotInstances"
    ],
    "Resource": "*"
},
Create and replace AWS routes.
{
    "Sid": "RequiredIfUsingAdvertisedRoutesCloudProperties",
    "Effect": "Allow",
    "Action": [
        "ec2:CreateRoute",
        "ec2:DescribeRouteTables",
        "ec2:ReplaceRoute"
    ],
    "Resource": "*"
},
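The steps above (merge the optional statements into the Statement array, replace the generic bucket names and the ((kms_key_arn)) placeholder, keep the JSON valid) are easy to get wrong by hand, so the following script does them programmatically and lints the result before it is pasted into the console. It is an added example, not Pivotal's code or part of the AWS console: the base policy is a constructed, abbreviated copy of the document above, the statement names and checks are this example's own, and the key ARN and bucket name it is fed are made-up sample values.

```python
"""Assemble, fill in, and lint a PCF-style IAM policy document (added example)."""
import json
import re
from copy import deepcopy

# Constructed abbreviation of the page's base policy: the explicit Deny on iam:*,
# the bucket-scoped S3 statement with the page's generic bucket names, and one
# EC2 describe statement whose Resource is a plain string rather than a list.
BASE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": ["iam:*"], "Resource": ["*"]},
        {"Sid": "OpsMgrInfrastructureDirectorConfiguration", "Effect": "Allow",
         "Action": ["s3:*"],
         "Resource": ["arn:aws:s3:::pcf-ops-manager-bucket",
                      "arn:aws:s3:::pcf-ops-manager-bucket/*"]},
        {"Sid": "OpsMgrInfrastructureIaasConfiguration", "Effect": "Allow",
         "Action": ["ec2:DescribeVpcs", "ec2:DescribeSubnets"], "Resource": "*"},
    ],
}

# The page's custom-KMS-key statement as a dict, so it is appended into the
# Statement array instead of pasted as text that ends in a trailing comma.
KMS_STATEMENT = {
    "Sid": "RequiredIfUsingCustomKMSKeys", "Effect": "Allow",
    "Action": ["kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:CreateGrant", "kms:DescribeKey*"],
    "Resource": ["((kms_key_arn))"],
}

PLACEHOLDER = re.compile(r"\(\(([A-Za-z0-9_]+)\)\)")  # ((kms_key_arn)) style
GENERIC_BUCKET = re.compile(r"^arn:aws:s3:::pcf-[a-z-]+-bucket(/\*)?$")  # page's sample names


def as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def add_statements(policy, *statements):
    """Return a copy of policy with the statements appended to its Statement array."""
    merged = deepcopy(policy)
    merged["Statement"].extend(deepcopy(s) for s in statements)
    return merged


def substitute(policy, placeholders, buckets):
    """Fill ((name)) placeholders from `placeholders` and, inside S3 ARNs only,
    replace each generic bucket name in `buckets` with the account's real name."""
    def walk(node):
        if isinstance(node, dict):
            return {k: walk(v) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v) for v in node]
        if isinstance(node, str):
            node = PLACEHOLDER.sub(lambda m: placeholders.get(m.group(1), m.group(0)), node)
            if node.startswith("arn:aws:s3:::"):
                for generic, actual in buckets.items():
                    node = node.replace(generic, actual)
        return node
    return walk(policy)


def lint(policy):
    """Return a list of findings; an empty list means the document is ready to paste."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version must be 2012-10-17")
    statements = policy.get("Statement", [])
    sids = [s["Sid"] for s in statements if "Sid" in s]
    findings += [f"duplicate Sid {sid}" for sid in sorted(set(sids)) if sids.count(sid) > 1]
    if not any(s.get("Effect") == "Deny" and "iam:*" in as_list(s.get("Action")) for s in statements):
        findings.append("missing explicit Deny on iam:*")
    for s in statements:
        sid = s.get("Sid", "<no Sid>")
        findings += [f"statement {sid} lacks {k}" for k in ("Effect", "Action", "Resource") if k not in s]
        actions, resources = as_list(s.get("Action")), as_list(s.get("Resource"))
        if s.get("Effect") == "Allow" and any(a.startswith("s3:") for a in actions) and "*" in resources:
            findings.append(f"statement {sid} grants S3 actions on every bucket")
        for r in resources:
            if PLACEHOLDER.search(r):
                findings.append(f"statement {sid} still contains placeholder {r}")
            if GENERIC_BUCKET.match(r):
                findings.append(f"statement {sid} still uses generic bucket {r}")
    return findings


def render(policy):
    """Serialise for the console's Policy Document field; json.dumps never emits a trailing comma."""
    return json.dumps(policy, indent=2)


def build(placeholders, buckets, *extra_statements):
    """Merge, substitute and lint in one step; raise if anything is still wrong."""
    policy = substitute(add_statements(BASE_POLICY, *extra_statements), placeholders, buckets)
    findings = lint(policy)
    if findings:
        raise ValueError("; ".join(findings))
    return render(policy)
```

Typical use is `build({"kms_key_arn": "<your key ARN>"}, {"pcf-ops-manager-bucket": "<your bucket>"}, KMS_STATEMENT)`, which prints the text to paste or raises with every finding listed. The lint deliberately treats an unchanged generic bucket name, an unresolved ((placeholder)), a missing Deny on iam:* and an S3 grant on Resource "*" as errors, since each of those is the kind of mistake that turns this scoped policy into a far broader one.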

For more information about AWS policies, see Example Policies in the AWS documentation.