Below are the steps to create the AWS IAM role needed by the LHM application. LHM needs this role, with this permission set, so it can read its secret from AWS Secrets Manager, use Amazon DynamoDB and Amazon SQS, and gather AWS cost data for the resources being monitored.
Open your AWS Web Console and log in
Go to IAM - Roles
Click on Create role
Select AWS Service as the Entity Type and EC2 as the Use Case and click Next
On the permissions page, click on Create policy
Select the JSON tab and paste the following, filling in the placeholders in curly braces with your own values (e.g. your AWS Account ID and the name of the secret):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BplmCostReader",
      "Effect": "Allow",
      "Action": "ce:GetCostAndUsage",
      "Resource": "*"
    },
    {
      "Sid": "BplmSecretsReader",
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:*:{AWS Account ID}:secret:{SecretNameHere}"
    },
    {
      "Sid": "BplmDynamoPolicy",
      "Effect": "Allow",
      "Action": [
        "dynamodb:CreateTable",
        "dynamodb:UpdateTimeToLive",
        "dynamodb:DescribeTable",
        "dynamodb:Scan",
        "dynamodb:Query"
      ],
      "Resource": [
        "arn:aws:dynamodb:*:{AWS Account ID}:table/*bplm*"
      ]
    },
    {
      "Sid": "BplmSqsPolicy",
      "Effect": "Allow",
      "Action": [
        "sqs:DeleteMessage",
        "sqs:GetQueueUrl",
        "sqs:ReceiveMessage",
        "sqs:CreateQueue"
      ],
      "Resource": [
        "arn:aws:sqs:*:{AWS Account ID}:*bplm*"
      ]
    }
  ]
}
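As an added check, not part of this page or of the LHM project, the following Python fills the placeholders in the policy above and flags any statement that still contains a placeholder or that grants resource-scoped actions on Resource "*" (only ce:GetCostAndUsage legitimately needs "*", since Cost Explorer has no resource-level permissions). The embedded template is a shortened copy of the policy, and the account ID and secret name are constructed sample values.

```python
import json
import re

# Placeholders exactly as they appear in the policy template on this page.
PLACEHOLDERS = ("{AWS Account ID}", "{AWS account ID}", "{SecretNameHere}")

# Actions with no resource-level permissions; "Resource": "*" is unavoidable
# for these. Any other action on "*" is reported as over-broad.
STAR_OK_ACTIONS = {"ce:GetCostAndUsage"}

# Constructed, shortened copy of the page's template used as sample input.
TEMPLATE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BplmCostReader", "Effect": "Allow",
         "Action": "ce:GetCostAndUsage", "Resource": "*"},
        {"Sid": "BplmSecretsReader", "Effect": "Allow",
         "Action": "secretsmanager:GetSecretValue",
         "Resource": "arn:aws:secretsmanager:*:{AWS Account ID}:secret:{SecretNameHere}"},
        {"Sid": "BplmDynamoPolicy", "Effect": "Allow",
         "Action": ["dynamodb:DescribeTable", "dynamodb:Query"],
         "Resource": ["arn:aws:dynamodb:*:{AWS account ID}:table/*bplm*"]},
    ],
})

def render_policy(template: str, account_id: str, secret_name: str) -> dict:
    """Replace the page's placeholders and return the policy as a dict."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account IDs are exactly 12 digits")
    filled = (template.replace("{AWS Account ID}", account_id)
                      .replace("{AWS account ID}", account_id)
                      .replace("{SecretNameHere}", secret_name))
    return json.loads(filled)

def check_scoping(policy: dict) -> list:
    """Return findings: leftover placeholders and over-broad "*" resources."""
    findings = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for res in resources:
            if any(p in res for p in PLACEHOLDERS):
                findings.append(f"{stmt['Sid']}: placeholder not replaced in {res}")
            if res == "*" and not set(actions) <= STAR_OK_ACTIONS:
                findings.append(f"{stmt['Sid']}: Resource * with resource-scoped actions {actions}")
    return findings

if __name__ == "__main__":
    pol = render_policy(TEMPLATE, "123456789012", "lhm-db-credentials")  # constructed values
    print(json.dumps(pol, indent=2))
    print(check_scoping(pol) or "no findings")
```

Secrets Manager appends a random six-character suffix to every secret ARN, so the secret name in the resource ARN usually needs a trailing wildcard (for example {SecretNameHere}-*) for GetSecretValue to match.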
On the Review page, give the policy a name and click Create policy, then finish creating the IAM role by giving the role a name and clicking Create role