This page explains how to set up an AWS account so that ACTIVATE can manage your AWS infrastructure, clusters, billing, storage, and usage data.
Persona
The steps included on this page should be completed by a cloud engineer in your organization.
We recommend creating a new, dedicated AWS account for the ACTIVATE platform. This keeps the platform separate from your existing AWS resources, makes billing and usage data easier to attribute, and limits the blast radius if the ACTIVATE credentials are ever compromised: the platform can only reach resources in that account. Note that account isolation is not the same as least privilege within the account; least privilege comes from attaching the scoped policies listed under AWS Policies below rather than a broad administrative policy.
If you use AWS Organizations, you can create a new account within your organization. Otherwise, you can make a non-organization account.
To get started quickly, you can create a new IAM User and assign the AdministratorAccess AWS-managed policy to it. Be aware that AdministratorAccess grants full control over everything in the account, so use this only for evaluation in a dedicated account and replace it with the scoped policies below before relying on the integration in production.
Alternatively (recommended), you can create the policies listed in AWS Policies below and attach those policies to the IAM user, so that the user has only the permissions ACTIVATE actually uses.
ACTIVATE requires an AWS access key (access key ID and secret access key) for the IAM user you created in order to authenticate with AWS. If you don't have an access key, create one for that IAM user. Never use the account's root user credentials, and treat the secret access key as a sensitive credential: enter it only into ACTIVATE and do not store it in tickets, chat, or source control.
Security Best Practices
The ACTIVATE platform will immediately rotate the secret access key after it's entered into the system, so the secret you pasted is no longer valid afterwards. The platform then uses the rotated key to generate short-term credentials, which are what all ACTIVATE services actually use. Note that rotating an access key requires IAM permissions to manage that user's access keys (for example iam:CreateAccessKey and iam:DeleteAccessKey), which are not included in the scoped policies listed below; if you choose the scoped policies instead of AdministratorAccess, confirm with ACTIVATE how the rotation step is expected to succeed before relying on it.
For more information about AWS keys and security best practices, see this FAQ on the AWS website.
This section includes the policies you’ll need to attach to the IAM user you create for ACTIVATE. You can create these policies in the IAM console, or with the AWS CLI by saving each JSON document below to a file and passing it as the policy document to aws iam create-policy, then attaching the resulting policy to the user. All of the policies use "Resource": "*", which is acceptable in a dedicated account; if you attach them to an account that also hosts other workloads, scope the Resource element to the ARNs ACTIVATE manages wherever the service supports resource-level permissions.
This policy allows ACTIVATE to manage EC2 resources.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "pwec2mgmt",
"Effect": "Allow",
"Action": [
"ec2:AllocateAddress",
"ec2:AssociateAddress",
"ec2:AssociateDhcpOptions",
"ec2:AssociateRouteTable",
"ec2:AttachInternetGateway",
"ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateDhcpOptions",
"ec2:CreateImage",
"ec2:CreateInternetGateway",
"ec2:CreateKeyPair",
"ec2:CreateNatGateway",
"ec2:CreateNetworkInterface",
"ec2:CreatePlacementGroup",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:CreateSecurityGroup",
"ec2:CreateSnapshot",
"ec2:CreateSubnet",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:CreateVpc",
"ec2:DeleteDhcpOptions",
"ec2:DeleteInternetGateway",
"ec2:DeleteKeyPair",
"ec2:DeleteNatGateway",
"ec2:DeletePlacementGroup",
"ec2:DeleteRoute",
"ec2:DeleteRouteTable",
"ec2:DeleteSecurityGroup",
"ec2:DeleteSnapshot",
"ec2:DeleteSubnet",
"ec2:DeleteVolume",
"ec2:DeleteVpc",
"ec2:DeregisterImage",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeDhcpOptions",
"ec2:DescribeImages",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DescribeKeyPairs",
"ec2:DescribeNatGateways",
"ec2:DescribeNetworkAcls",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribePlacementGroups",
"ec2:DescribeRegions",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshots",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcClassicLink",
"ec2:DescribeVpcClassicLinkDnsSupport",
"ec2:DescribeVpcs",
"ec2:DetachInternetGateway",
"ec2:DetachVolume",
"ec2:DisassociateAddress",
"ec2:DisassociateRouteTable",
"ec2:GetPasswordData",
"ec2:ImportKeyPair",
"ec2:ModifyImageAttribute",
"ec2:ModifyInstanceAttribute",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ModifySubnetAttribute",
"ec2:ModifyVpcAttribute",
"ec2:RegisterImage",
"ec2:ReleaseAddress",
"ec2:RevokeSecurityGroupEgress",
"ec2:RunInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances"
],
"Resource": "*"
}
]
}
This policy allows ACTIVATE to manage FSx resources.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "pwfsxmgmt",
"Effect": "Allow",
"Action": [
"fsx:CreateFilesystem",
"fsx:DeleteFilesystem",
"fsx:DescribeFilesystems",
"fsx:ListTagsForResource",
"fsx:TagResource",
"fsx:UntagResource",
"iam:CreateServiceLinkedRole",
"iam:PutRolePolicy"
],
"Resource": "*"
}
]
}
Note
iam:CreateServiceLinkedRole and iam:PutRolePolicy are required for using S3 import/export with FSx.
If S3 import/export is not needed, these permissions can be removed. Note that iam:PutRolePolicy with "Resource": "*" permits modifying the inline policies of any role in the account; if you keep it in a shared account, restrict its Resource to the FSx service-linked role rather than leaving it unscoped.
This policy allows ACTIVATE to manage Route 53 resources.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "pwroute53mgmt",
"Effect": "Allow",
"Action": [
"route53:ChangeResourceRecordSets",
"route53:ChangeTagsForResource",
"route53:CreateHostedZone",
"route53:DeleteHostedZone",
"route53:GetChange",
"route53:GetDNSSEC",
"route53:GetHostedZone",
"route53:ListHostedZones",
"route53:ListResourceRecordSets",
"route53:ListTagsForResource"
],
"Resource": "*"
}
]
}
This policy allows ACTIVATE to create federated users used for short-term tokens. sts:GetFederationToken can only be called with long-term IAM user credentials, which is why ACTIVATE needs an access key rather than an assumed role. The federated session's effective permissions are the intersection of this IAM user's policies and the session policy ACTIVATE supplies, so the session can never exceed what you grant here.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "pwstsmgmt",
"Effect": "Allow",
"Action": ["sts:GetCallerIdentity", "sts:GetFederationToken"],
"Resource": "*"
}
]
}
If your VPCs need to be attached to a Transit Gateway (for example one shared from a central networking account), these additional permissions are necessary to create and remove Transit Gateway attachments for the VPCs ACTIVATE creates. Skip this policy if you do not use a Transit Gateway.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "pwtgwmgmt",
"Effect": "Allow",
"Action": [
"ec2:CreateTransitGatewayVpcAttachment",
"ec2:DescribeTransitGatewayVpcAttachments",
"ec2:DescribeTransitGateways",
"ec2:DeleteTransitGatewayVpcAttachment"
],
"Resource": "*"
}
]
}
This policy allows ACTIVATE to access billing information (Cost and Usage Reports, via cur:*) and to create and manage S3 buckets. Because the S3 actions include object read, write and delete as well as bucket policy and ACL changes, and the Resource is "*", this statement can reach every bucket in the account; in an account that is not dedicated to ACTIVATE, scope the S3 actions to the ACTIVATE bucket ARNs.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cur:*",
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteBucketPolicy",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetAccelerateConfiguration",
"s3:GetBucketAcl",
"s3:GetBucketCORS",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketObjectLockConfiguration",
"s3:GetBucketPolicy",
"s3:GetBucketPolicyStatus",
"s3:GetBucketRequestPayment",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetBucketWebsite",
"s3:GetEncryptionConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectVersion",
"s3:GetReplicationConfiguration",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:ListBucketVersions",
"s3:PutAccelerateConfiguration",
"s3:PutBucketAcl",
"s3:PutBucketCORS",
"s3:PutBucketLogging",
"s3:PutBucketObjectLockConfiguration",
"s3:PutBucketPolicy",
"s3:PutBucketRequestPayment",
"s3:PutBucketTagging",
"s3:PutBucketVersioning",
"s3:PutBucketWebsite",
"s3:PutEncryptionConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutReplicationConfiguration"
],
"Resource": "*"
}
]
}
This policy allows ACTIVATE to create and manage EFS file systems and their mount targets.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "pwstoragemgmt",
"Effect": "Allow",
"Action": [
"elasticfilesystem:CreateFileSystem",
"elasticfilesystem:CreateMountTarget",
"elasticfilesystem:DeleteFileSystem",
"elasticfilesystem:DeleteMountTarget",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeLifecycleConfiguration",
"elasticfilesystem:DescribeMountTargetSecurityGroups",
"elasticfilesystem:DescribeMountTargets",
"elasticfilesystem:TagResource"
],
"Resource": "*"
}
]
}