...
Login to AWS Management Console.
The virtual machine needs the policies described below assigned to it. One suggested way would be to create a specific role for the VM and assign the created policies to that role. The information below uses the ‘JSON’ view to enable faster policy creation
Info |
---|
If you are creating new policies, prepending them with the same string will allow for easier retrieval when creating the role and selecting the policies assigned to it. |
Allow read of cost and usage data
Navigate to the IAM console and create a new policy with the json described permissions below
Code Block |
---|
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ce:GetCostAndUsage",
"Resource": "*"
}
]
} |
Allow Read of created secret
Find the secret name in the script output and replace {SecretNameHere} with the secret name and {AWS account ID} with your account id
Info |
---|
You will need to update this policy definition with your aws account ID and secret name. |
Code Block |
---|
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "secretsmanager:GetSecretValue",
"Resource": "arn:aws:secretsmanager:*:{AWS Account ID}:secret:{SecretNameHere}*"
}
]
} |
Allow management of DynamoDB and Simple Queue Service
Create the third policy:
Info |
---|
You will need to update this policy definition with your aws account ID. |
Code Block |
---|
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"dynamodb:CreateTable",
"sqs:DeleteMessage",
"sqs:GetQueueUrl",
"dynamodb:UpdateTimeToLive",
"dynamodb:DescribeTable",
"sqs:ReceiveMessage",
"dynamodb:Scan",
"dynamodb:Query",
"sqs:CreateQueue"
],
"Resource": [
"arn:aws:dynamodb::{AWS account ID}:table/bplm*",
"arn:aws:sqs::{AWS account ID}:bplm*"
]
}
]
} |
Allow s3 bucket tag get\set
Code Block |
---|
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:GetBucketTagging",
"s3:PutBucketTagging"
],
"Resource": "arn:aws:s3:::*"
}
]
} |
Allow EC2 tag management
Info |
---|
You will need to update this policy definition with your aws account ID. |
...
Step 4) Assign LHM Monitor IAM Role to VM instance
See Single AWS Account access policies for LHM for regular deployment or Cross AWS Account access policies for BPLM deployment for cross account AWS deployment.
Once the role is created, navigate to the EC2 instance and assign the IAM role
Actions → Security → Modify IAM role
From here search for then select the IAM role and click ‘Update IAM role’
Step 45) Create DNS Entry
Navigate to the Route 53 service page, then further to the hosted zone you wish to manage. Create an 'A' record for the application providing the IP address output at the end of script execution.
...