Monday, June 18, 2012

How to create a Read-Only IAM user for Newvem in AWS

To begin playing with the free Newvem beta service for your AWS account (currently AWS only, with Rackspace, Microsoft Azure and HP OpenStack planned), it is highly recommended to create a dedicated Read-Only IAM user. I suggest this because it is the best way to proceed with this service, or with any other AWS access you hand to your own users or to an external party.
Basic rule: a different user for every role, and different permissions for every role.
In this case we are creating the user "newvem" and giving it full read access to our AWS setup using the IAM new-user creation wizard.

Create user (screenshot: aws-iam-newvem-read-only-user):

User: newvem

Download the recently created Security Credentials for this user.

Choose the Read Only Access template for this user.

Apply.

These are the permissions granted by that template. We can tune them further later if needed:

{
  "Statement": [
    {
      "Action": [
        "autoscaling:Describe*",
        "cloudformation:DescribeStacks",
        "cloudformation:DescribeStackEvents",
        "cloudformation:DescribeStackResources",
        "cloudformation:GetTemplate",
        "cloudfront:Get*",
        "cloudfront:List*",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "dynamodb:GetItem",
        "dynamodb:BatchGetItem",
        "dynamodb:Query",
        "dynamodb:Scan",
        "dynamodb:DescribeTable",
        "dynamodb:ListTables",
        "ec2:Describe*",
        "elasticache:Describe*",
        "elasticbeanstalk:Check*",
        "elasticbeanstalk:Describe*",
        "elasticbeanstalk:List*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "elasticloadbalancing:Describe*",
        "iam:List*",
        "iam:Get*",
        "route53:Get*",
        "route53:List*",
        "rds:Describe*",
        "s3:Get*",
        "s3:List*",
        "sdb:GetAttributes",
        "sdb:List*",
        "sdb:Select*",
        "ses:Get*",
        "ses:List*",
        "sns:Get*",
        "sns:List*",
        "sqs:GetQueueAttributes",
        "sqs:ListQueues",
        "sqs:ReceiveMessage",
        "storagegateway:List*",
        "storagegateway:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
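Before attaching a policy like the one above to a third-party user, it is worth checking mechanically that it really is read-only. The following Python lint is an added example (not code from the original post or from Newvem): it parses an IAM policy document, classifies every Allow action by its verb against a small allowlist of read-only verb prefixes, and reports service-wide or global "*" wildcards, NotAction statements, and any verb outside the allowlist for manual review. The allowlist is an assumption of this example, not an AWS definition, so an action such as sqs:ReceiveMessage or elasticbeanstalk:RequestEnvironmentInfo is flagged only because its verb is not on the list; deciding whether it belongs in a read-only policy is a manual call. The two embedded policies are constructed samples: an excerpt of the template above, and a deliberately over-broad one.

```python
import json
import re

# Verb prefixes this example treats as read-only. This is a heuristic
# allowlist chosen for the example, not an AWS-defined set; anything else is
# flagged for manual review rather than rejected as harmful.
READ_ONLY_VERBS = ("Describe", "Get", "BatchGet", "List", "Check",
                   "Query", "Scan", "Select", "Retrieve")

# IAM actions look like "<service>:<Verb>" where the verb may end in "*".
_ACTION_RE = re.compile(r"^([a-z0-9-]+):([A-Za-z0-9*]+)$")


def _as_list(value):
    """IAM allows a single string or a list for Statement/Action; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def classify_action(action):
    """Return 'read', 'wildcard' or 'review' for one IAM action string."""
    if action == "*":                      # every action on every service
        return "wildcard"
    m = _ACTION_RE.match(action)
    if not m:                              # malformed: do not guess, review it
        return "review"
    verb = m.group(2)
    if verb == "*":                        # "ec2:*" style service-wide grant
        return "wildcard"
    if any(verb.startswith(p) for p in READ_ONLY_VERBS):
        return "read"
    return "review"


def audit_policy(policy_json):
    """Lint an IAM policy document intended for a read-only user.

    Returns a dict of lists: 'read' (accepted actions), 'wildcard' (service or
    global '*'), 'review' (verbs outside the allowlist) and 'issues'
    (structural findings such as NotAction). Deny statements only narrow
    access, so their actions are not classified.
    """
    policy = json.loads(policy_json)
    findings = {"read": [], "wildcard": [], "review": [], "issues": []}
    for stmt in _as_list(policy.get("Statement")):
        if "NotAction" in stmt:
            findings["issues"].append(
                "NotAction allows everything except the listed actions; "
                "rewrite the statement as an explicit Action list")
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            findings[classify_action(action)].append(action)
    return findings


def is_read_only(policy_json):
    """True only when nothing was flagged for review and no wildcard/NotAction."""
    f = audit_policy(policy_json)
    return not (f["wildcard"] or f["review"] or f["issues"])


# Constructed sample 1: an excerpt of the Read Only Access template above.
TEMPLATE_EXCERPT = json.dumps({
    "Statement": [{
        "Action": ["ec2:Describe*", "s3:Get*", "s3:List*", "iam:List*",
                   "sqs:GetQueueAttributes",
                   "elasticbeanstalk:RequestEnvironmentInfo",
                   "sqs:ReceiveMessage"],
        "Effect": "Allow",
        "Resource": "*",
    }]
})

# Constructed sample 2: an over-broad policy that must not pass the lint.
OVERBROAD_POLICY = json.dumps({
    "Statement": [
        {"Action": ["ec2:Describe*", "ec2:*", "ec2:TerminateInstances", "*"],
         "Effect": "Allow", "Resource": "*"},
        {"NotAction": "iam:*", "Effect": "Allow", "Resource": "*"},
    ]
})


if __name__ == "__main__":
    for name, doc in (("template excerpt", TEMPLATE_EXCERPT),
                      ("over-broad policy", OVERBROAD_POLICY)):
        f = audit_policy(doc)
        print(f"{name}: read-only={is_read_only(doc)}")
        for key in ("wildcard", "review", "issues"):
            for item in f[key]:
                print(f"  [{key}] {item}")
```

Running the script prints the classification for both samples. For the template excerpt the only output is the two actions queued for review; a policy that passes with an empty review list is the strongest evidence you can get from the document alone that the user cannot modify anything, but the final decision on flagged verbs still belongs to whoever owns the account.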