...

  • Login to AWS Management Console.

  • The virtual machine needs the policies described below assigned to it. One suggested way is to create a dedicated IAM role for the VM and attach the created policies to that role. The steps below use the ‘JSON’ view of the policy editor to enable faster policy creation.

Info

If you are creating new policies, prefixing them all with the same string will make them easier to find when creating the role and selecting the policies to attach to it.

Allow read of cost and usage data

  • Navigate to the IAM console and create a new policy with the JSON permissions below.

Code Block
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ce:GetCostAndUsage",
            "Resource": "*"
        }
    ]
}

Allow Read of created secret

  • Find the secret name in the script output; replace {SecretNameHere} with that secret name and {AWS Account ID} with your account ID.

Info

You will need to update this policy definition with your AWS account ID and secret name.

Code Block
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "arn:aws:secretsmanager:*:{AWS Account ID}:secret:{SecretNameHere}*"
        }
    ]
}

Allow management of DynamoDB and Simple Queue Service

  • Create the third policy:

Info

You will need to update this policy definition with your AWS account ID.

Code Block
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "dynamodb:CreateTable",
                "sqs:DeleteMessage",
                "sqs:GetQueueUrl",
                "dynamodb:UpdateTimeToLive",
                "dynamodb:DescribeTable",
                "sqs:ReceiveMessage",
                "dynamodb:Scan",
                "dynamodb:Query",
                "sqs:CreateQueue"
            ],
            "Resource": [
                "arn:aws:dynamodb:*:{AWS account ID}:table/*bplm*",
                "arn:aws:sqs:*:{AWS account ID}:*bplm*"
            ]
        }
    ]
}

Allow S3 bucket tag get/set

Code Block
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketTagging",
                "s3:PutBucketTagging"
            ],
            "Resource": "arn:aws:s3:::*"
        }
    ]
}

Allow EC2 tag management

Info

You will need to update this policy definition with your AWS account ID.

Code Block
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteTags",
                "ec2:CreateTags"
            ],
            "Resource": "arn:aws:ec2:*:{AWS Account ID}:natgateway/*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeVpcs",
                "ec2:DescribeNatGateways"
            ],
            "Resource": "*"
        }
    ]
}
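Before pasting the policies above into the IAM console, it is worth filling in the placeholders programmatically and sanity-checking the result against least-privilege expectations. The script below is an added example, not part of the original page or the LHM/BPLM tooling: it embeds the secret-read policy as a constructed sample, substitutes the {AWS Account ID} and {SecretNameHere} placeholders (the keys must match the page's spelling exactly, so the DynamoDB policy needs {AWS account ID} with a lowercase "account"), and flags wildcard actions, account-scoped ARNs that are not pinned to an account, and write actions granted on Resource "*".

```python
import json
import re
# Constructed sample: the "Allow Read of created secret" policy from the page, placeholders intact.
SECRET_POLICY_TEMPLATE = """{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": "secretsmanager:GetSecretValue",
        "Resource": "arn:aws:secretsmanager:*:{AWS Account ID}:secret:{SecretNameHere}*"
    }]
}"""
# Placeholders on the page look like {AWS Account ID}: words and spaces inside braces.
PLACEHOLDER = re.compile(r"\{[A-Za-z][A-Za-z ]*\}")
READ_ONLY_VERBS = ("Get", "List", "Describe")

def fill_placeholders(template: str, values: dict) -> str:
    """Substitute every {Placeholder}; refuse to emit a policy with any left over."""
    filled = template
    for name, value in values.items():
        filled = filled.replace("{" + name + "}", value)
    leftover = PLACEHOLDER.findall(filled)
    if leftover:
        raise ValueError(f"unfilled placeholders: {leftover}")
    json.loads(filled)  # must still parse as a policy document
    return filled

def _as_list(value): return value if isinstance(value, list) else [value]

def lint_policy(policy_json: str) -> list:
    """Least-privilege findings for the Allow statements; an empty list means clean."""
    findings = []
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid, actions = stmt.get("Sid", "?"), _as_list(stmt.get("Action", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*":  # tolerated only for read-only calls that take no resource ARN
                findings += [f"{sid}: {a} on every resource" for a in actions
                             if not a.split(":", 1)[-1].startswith(READ_ONLY_VERBS)]
                continue
            parts = res.split(":", 5)  # arn:partition:service:region:account:resource
            if len(parts) == 6 and parts[2] != "s3" and parts[4] in ("", "*"):
                findings.append(f"{sid}: {parts[2]} resource not pinned to an account")
    return findings
```

Run `lint_policy` over each filled policy from this page; the only wildcard resources it should accept are the read-only `ce:GetCostAndUsage` and `ec2:Describe*` statements, which have no resource-level permissions to scope.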

Step 4) Assign LHM Monitor IAM Role to VM instance

For a regular deployment, see Single AWS Account access policies for LHM; for a cross-account AWS deployment, see Cross AWS Account access policies for BPLM deployment.

Once the role is created, navigate to the EC2 instance and assign the IAM role:

  • Actions → Security → Modify IAM role

    • From here, search for and select the IAM role, then click ‘Update IAM role’.

Step 5) Create DNS Entry

  • Navigate to the Route 53 service page, then to the hosted zone you wish to manage. Create an 'A' record for the application using the IP address output at the end of script execution.

...