To grant an AWS service or resource access to other AWS resources, attach an IAM role to it. The policies to assign to each IAM role are described below.
For more information about policies and IAM roles, see the official AWS documentation.
Attach an IAM role to each EC2 instance that serves as a cluster node so that the following can be installed and run on it:

- CloudWatch Agent, required for operation of the resource monitor
- Amazon EFS client (amazon-efs-utils)

When you create this IAM role, add the following policy:

- CloudWatchAgentServerPolicy
Note: If an instance on a cluster node does not have an IAM role attached, the instance fails to mount EFS, and the resource monitoring mechanism fails to collect metrics and logs from the instance.
Attach an IAM role to the AWS Lambda function that runs the switcher. When you create this IAM role, add the following policy:

- AWSLambdaBasicExecutionRole
New Policy to Create
This policy defines the scope of access the switcher's Lambda function needs to work with AWS resources. Create it as a new policy from the JSON below. The JSON contains placeholder strings that must be replaced before use; they are listed in the following table.
| String | Value to be rewritten | Description |
|---|---|---|
| ${Region} | AWS Region. If you do not want to restrict access to one region, replace ${Region} with "*". | Specify the AWS region that you want to allow access to. If you specify a region, you must create a policy and an IAM role for each region. If you use "*", the same policy and IAM role can be used in every region. |
| ${Account} | AWS Account | Specify the AWS account ID that you want to grant access to. |
The JSON is shown below.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": [
        "arn:aws:ec2:${Region}:${Account}:volume/*",
        "arn:aws:ec2:${Region}:${Account}:instance/*",
        "arn:aws:ec2:${Region}:${Account}:network-interface/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "RunInstances"
        }
      }
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:DescribeAlarms",
        "ec2:TerminateInstances",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:RunInstances",
        "elasticloadbalancing:RegisterTargets",
        "elasticloadbalancing:DeregisterTargets",
        "dynamodb:ConditionCheckItem",
        "dynamodb:PutItem",
        "dynamodb:DeleteItem",
        "dynamodb:GetItem",
        "dynamodb:UpdateItem"
      ],
      "Resource": [
        "arn:aws:cloudwatch:${Region}:${Account}:alarm:*",
        "arn:aws:ec2:${Region}:${Account}:volume/*",
        "arn:aws:ec2:${Region}:${Account}:subnet/*",
        "arn:aws:ec2:${Region}:${Account}:security-group/*",
        "arn:aws:ec2:${Region}:${Account}:instance/*",
        "arn:aws:ec2:${Region}:${Account}:network-interface/*",
        "arn:aws:ec2:${Region}:${Account}:key-pair/*",
        "arn:aws:ec2:*::image/*",
        "arn:aws:elasticloadbalancing:${Region}:${Account}:targetgroup/*/*",
        "arn:aws:dynamodb:${Region}:${Account}:table/*"
      ]
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeImages",
        "ec2:DescribeInstances",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "elasticloadbalancing:DescribeTargetGroups"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor3",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::${Account}:role/*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "ec2.amazonaws.com"
        }
      }
    },
    {
      "Sid": "VisualEditor4",
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:RegisterTargets",
        "elasticloadbalancing:DeregisterTargets"
      ],
      "Resource": "arn:aws:elasticloadbalancing:${Region}:${Account}:targetgroup/*/*"
    }
  ]
}
```
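As an added example (not part of this documentation or the product's own tooling), the following Python script fills in the ${Region} and ${Account} placeholders the way the table describes (an omitted region becomes "*") and then audits the rendered policy for the two least-privilege properties worth checking before attaching it: that only Describe actions are granted on Resource "*", and that iam:PassRole keeps its iam:PassedToService condition. The embedded policy is an excerpt of three of the five statements above, and the account ID is a constructed sample value.

```python
import json
from string import Template

# Excerpt of the switcher policy from this page (three of its five statements),
# kept as a template with the ${Region}/${Account} placeholders still in place.
POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor1", "Effect": "Allow",
     "Action": ["ec2:RunInstances", "ec2:TerminateInstances"],
     "Resource": ["arn:aws:ec2:${Region}:${Account}:instance/*", "arn:aws:ec2:*::image/*"]},
    {"Sid": "VisualEditor2", "Effect": "Allow",
     "Action": ["ec2:DescribeInstances", "ec2:DescribeSubnets"], "Resource": "*"},
    {"Sid": "VisualEditor3", "Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::${Account}:role/*",
     "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}}
  ]
}"""


def render_policy(template, account, region=None):
    """Fill in ${Account} and ${Region}; an omitted region becomes "*" as the table says."""
    rendered = Template(template).substitute(Account=account, Region=region or "*")
    return json.loads(rendered)


def _as_list(value):
    # IAM allows Action/Resource to be either a string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return least-privilege findings; an empty list means the rendered policy passes."""
    findings = []
    for stmt in policy["Statement"]:
        sid, actions, resources = stmt["Sid"], _as_list(stmt["Action"]), _as_list(stmt["Resource"])
        if "*" in resources and not all(a.split(":")[1].startswith("Describe") for a in actions):
            findings.append(f"{sid}: non-Describe action on Resource '*'")
        if "iam:PassRole" in actions:
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if "iam:PassedToService" not in cond:
                findings.append(f"{sid}: iam:PassRole without iam:PassedToService condition")
        findings += [f"{sid}: unreplaced placeholder in {r}" for r in resources if "${" in r]
    return findings


if __name__ == "__main__":
    # Constructed sample account ID; not a real account.
    policy = render_policy(POLICY_TEMPLATE, account="123456789012", region="ap-northeast-1")
    print(json.dumps(policy, indent=2), "\nfindings:", audit_policy(policy))
```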