
IAM roles and policies created (AWS)

YT Liang

Below are the IAM roles and policies created when deploying Memory Machine Cloud through AWS Marketplace, via the CloudFormation script.

There are two types of instances, OpCenter and WorkerNode, and Memory Machine Cloud creates a separate IAM role for each.

For OpCenter

  • license-manager:* (to query the license in AWS License Manager)
  • pricing:* (to query cloud resource prices)
  • IAM actions: (limited to the local AWS account)
    iam:GetRole
    iam:AttachRolePolicy
    iam:CreateRole
    iam:PutRolePolicy
    iam:PassRole
    iam:CreateServiceLinkedRole
  • EC2 actions: (to allow Memory Machine Cloud to create and control EC2 instances; for the delete-type actions, Memory Machine Cloud is limited to resources that Memory Machine Cloud itself created)
    ec2:Get*
    ec2:Describe*
    ec2:RunInstances
    ec2:StartInstances
    ec2:StopInstances
    ec2:Create*
    ec2:Modify*
    ec2:AttachVolume
    ec2:DetachVolume
    ec2:DeleteVolume
    ec2:DeleteSecurityGroup
    ec2:TerminateInstances
    ec2:DeleteSnapshot
  • S3 actions: (to allow Memory Machine Cloud to access customer data in the local AWS account's S3 buckets or in public buckets)
    s3:DeleteObject
    s3:Put*
    s3:Replicate*
    s3:Restore*
    s3:CreateBucket
    s3:DeleteBucket
    s3:Update*
    s3:List*
    s3:Get*
    s3:Describe*
  • ECR actions: (to allow Memory Machine Cloud to pull images from the customer's ECR repositories)
    ecr:GetDownloadUrlForLayer
    ecr:BatchGetImage
    ecr:DescribeImages
    ecr:ListImages
    ecr:GetAuthorizationToken
    ecr:BatchCheckLayerAvailability
  • Marketplace actions: (to allow Memory Machine Cloud to report metering usage)
    aws-marketplace:MeterUsage

For WorkerNode, the role is a subset of the OpCenter role:

  • IAM actions:
    iam:PassRole
  • EC2 actions:
    ec2:Get*
    ec2:Describe*
    ec2:StopInstances
    ec2:Create*
    ec2:Modify*
    ec2:AttachVolume
    ec2:DetachVolume
    ec2:DeleteVolume
    ec2:TerminateInstances
    ec2:DeleteSnapshot
  • S3 actions: (to allow Memory Machine Cloud to access customer data in the local AWS account's S3 buckets or in public buckets)
    s3:DeleteObject
    s3:Put*
    s3:Replicate*
    s3:Restore*
    s3:Update*
    s3:List*
    s3:Get*
    s3:Describe*
  • ECR actions: (to allow Memory Machine Cloud to pull images from the customer's ECR repositories)
    ecr:GetDownloadUrlForLayer
    ecr:BatchGetImage
    ecr:DescribeImages
    ecr:ListImages
    ecr:GetAuthorizationToken
    ecr:BatchCheckLayerAvailability
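The following Python is an added example, not MemVerge's CloudFormation template. It encodes the OpCenter and WorkerNode action lists above, implements IAM's wildcard matching for action names, checks that the WorkerNode list really is a subset of the OpCenter list, and renders each list as a policy document. The page says the delete-type EC2 actions are limited to resources Memory Machine Cloud created but does not say how; the tag key `mmc:created-by` and value `memory-machine-cloud` used in the Condition block are assumptions for illustration only.

```python
"""Build and cross-check the OpCenter / WorkerNode IAM policies listed above.
Added example; the tag key/value in the Condition block is an assumption."""
import fnmatch
import json

# Action lists copied from the page (OpCenter superset, WorkerNode subset).
OPCENTER_ACTIONS = [
    "license-manager:*", "pricing:*",
    "iam:GetRole", "iam:AttachRolePolicy", "iam:CreateRole", "iam:PutRolePolicy",
    "iam:PassRole", "iam:CreateServiceLinkedRole",
    "ec2:Get*", "ec2:Describe*", "ec2:RunInstances", "ec2:StartInstances",
    "ec2:StopInstances", "ec2:Create*", "ec2:Modify*", "ec2:AttachVolume",
    "ec2:DetachVolume", "ec2:DeleteVolume", "ec2:DeleteSecurityGroup",
    "ec2:TerminateInstances", "ec2:DeleteSnapshot",
    "s3:DeleteObject", "s3:Put*", "s3:Replicate*", "s3:Restore*",
    "s3:CreateBucket", "s3:DeleteBucket", "s3:Update*", "s3:List*", "s3:Get*",
    "s3:Describe*",
    "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:DescribeImages",
    "ecr:ListImages", "ecr:GetAuthorizationToken",
    "ecr:BatchCheckLayerAvailability",
    "aws-marketplace:MeterUsage",
]

WORKERNODE_ACTIONS = [
    "iam:PassRole",
    "ec2:Get*", "ec2:Describe*", "ec2:StopInstances", "ec2:Create*",
    "ec2:Modify*", "ec2:AttachVolume", "ec2:DetachVolume", "ec2:DeleteVolume",
    "ec2:TerminateInstances", "ec2:DeleteSnapshot",
    "s3:DeleteObject", "s3:Put*", "s3:Replicate*", "s3:Restore*", "s3:Update*",
    "s3:List*", "s3:Get*", "s3:Describe*",
    "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:DescribeImages",
    "ecr:ListImages", "ecr:GetAuthorizationToken",
    "ecr:BatchCheckLayerAvailability",
]

# Delete-type actions the page says are limited to resources MMC created.
SCOPED_DELETE_ACTIONS = {
    "ec2:DeleteVolume", "ec2:DeleteSecurityGroup",
    "ec2:TerminateInstances", "ec2:DeleteSnapshot",
}


def action_matches(pattern: str, action: str) -> bool:
    """IAM action matching: case-insensitive, '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_by(action: str, policy_actions) -> bool:
    """True if any pattern in the policy's Action list covers `action`."""
    return any(action_matches(p, action) for p in policy_actions)


def uncovered(subset, superset):
    """Patterns in `subset` that no pattern in `superset` covers."""
    return [a for a in subset if not allowed_by(a, superset)]


def build_policy(actions, tag_key="mmc:created-by", tag_value="memory-machine-cloud"):
    """Render an action list as a policy document. Delete-type actions are
    placed in a separate statement gated on a resource tag; the tag key and
    value are assumptions, not something the page specifies."""
    scoped = sorted(a for a in actions if a in SCOPED_DELETE_ACTIONS)
    general = sorted(a for a in actions if a not in SCOPED_DELETE_ACTIONS)
    statements = [
        {"Sid": "General", "Effect": "Allow", "Action": general, "Resource": "*"},
    ]
    if scoped:
        statements.append({
            "Sid": "DeleteOnlyOwnResources",
            "Effect": "Allow",
            "Action": scoped,
            "Resource": "*",
            "Condition": {"StringEquals": {f"aws:ResourceTag/{tag_key}": tag_value}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    missing = uncovered(WORKERNODE_ACTIONS, OPCENTER_ACTIONS)
    print("WorkerNode actions not covered by OpCenter:", missing or "none")
    print(json.dumps(build_policy(WORKERNODE_ACTIONS), indent=2))
```

Running it confirms the subset claim for the lists as printed. The same matcher also shows how wide some of the wildcards are: `ec2:Create*` covers every EC2 create call, and `s3:Put*` covers bucket-policy and ACL changes, so anyone reviewing these roles should check what resources the `Resource` element actually binds them to in the deployed template, and in particular which roles `iam:PassRole` may pass.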