Preparing AWS
This page explains how to set up an AWS account so it's ready for the PW platform to manage infrastructure, clusters, billing, storage, and usage data.
The steps included on this page should be completed by a cloud engineer in your organization.
AWS Account
We recommend creating a new AWS account for the PW platform, which will allow you to keep your existing AWS account separate from the platform and make it easier to manage billing and usage data. This will also ensure the principle of least privilege, as the PW platform will only have access to the resources it needs to manage.
If you use AWS Organizations, you can create a new account within your organization. Otherwise, you can make a non-organization account.
Setting Up AWS Credentials
To get started quickly, you can create a new IAM User and assign the AdministratorAccess AWS-managed policy to it.
Alternatively, you can create the policies listed in AWS Policies below, then attach those policies to the IAM user.
Create an Access Key
The PW platform requires the use of an AWS access key to authenticate with AWS. If you don't have an access key, you can create one.
The PW platform will immediately rotate the secret access key after it's entered into the system. The platform will then use the rotated secret access key to generate short-term credentials, which will be used by all PW platform services.
For more information about AWS keys and security best practices, see this FAQ on the AWS website.
AWS Policies
This section includes the policies you’ll need to attach to the IAM user you create for the PW platform. You can create these policies in the IAM console, or you can create them in the AWS CLI by entering the JSON files listed under each policy.
pw-ec2-mgmt
This policy allows PW to manage EC2 resources.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "pwec2mgmt",
"Effect": "Allow",
"Action": [
"ec2:AllocateAddress",
"ec2:AssociateAddress",
"ec2:AssociateDhcpOptions",
"ec2:AssociateRouteTable",
"ec2:AttachInternetGateway",
"ec2:AttachNetworkInterface",
"ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CopyImage",
"ec2:CreateDhcpOptions",
"ec2:CreateImage",
"ec2:CreateInternetGateway",
"ec2:CreateKeyPair",
"ec2:CreateNatGateway",
"ec2:CreateNetworkInterface",
"ec2:CreatePlacementGroup",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:CreateSecurityGroup",
"ec2:CreateSnapshot",
"ec2:CreateSubnet",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:CreateVpc",
"ec2:DeleteDhcpOptions",
"ec2:DeleteInternetGateway",
"ec2:DeleteKeyPair",
"ec2:DeleteNatGateway",
"ec2:DeleteNetworkInterface",
"ec2:DeletePlacementGroup",
"ec2:DeleteRoute",
"ec2:DeleteRouteTable",
"ec2:DeleteSecurityGroup",
"ec2:DeleteSnapshot",
"ec2:DeleteSubnet",
"ec2:DeleteTags",
"ec2:DeleteVolume",
"ec2:DeleteVpc",
"ec2:DeregisterImage",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeDhcpOptions",
"ec2:DescribeImageAttribute",
"ec2:DescribeImages",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DescribeKeyPairs",
"ec2:DescribeNatGateways",
"ec2:DescribeNetworkAcls",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribePlacementGroups",
"ec2:DescribeRegions",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshots",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcClassicLink",
"ec2:DescribeVpcClassicLinkDnsSupport",
"ec2:DescribeVpcs",
"ec2:DetachInternetGateway",
"ec2:DetachNetworkInterface",
"ec2:DetachVolume",
"ec2:DisassociateAddress",
"ec2:DisassociateRouteTable",
"ec2:GetPasswordData",
"ec2:ImportKeyPair",
"ec2:ModifyImageAttribute",
"ec2:ModifyInstanceAttribute",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ModifySnapshotAttribute",
"ec2:ModifySubnetAttribute",
"ec2:ModifyVpcAttribute",
"ec2:RegisterImage",
"ec2:ReleaseAddress",
"ec2:RevokeSecurityGroupEgress",
"ec2:RunInstances",
"ec2:StopInstances",
"ec2:TerminateInstances"
],
"Resource": "*"
}
]
}
pw-fsx-mgmt
This policy allows PW to manage FSx resources.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "pwfsxmgmt",
"Effect": "Allow",
"Action": [
"fsx:CreateFilesystem",
"fsx:DeleteFilesystem",
"fsx:DescribeFilesystems",
"fsx:ListTagsForResource",
"fsx:TagResource",
"fsx:UntagResource"
],
"Resource": "*"
}
]
}
pw-iam-mgmt
This policy allows PW to manage IAM resources.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "pwiammgmt",
"Effect": "Allow",
"Action": [
"iam:AddRoleToInstanceProfile",
"iam:CreateAccessKey",
"iam:CreateInstanceProfile",
"iam:CreateRole",
"iam:CreateServiceLinkedRole",
"iam:CreateUser",
"iam:DeleteAccessKey",
"iam:DeleteInstanceProfile",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DeleteUser",
"iam:DeleteUserPolicy",
"iam:GetInstanceProfile",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:GetUser",
"iam:GetUserPolicy",
"iam:ListAccessKeys",
"iam:ListAttachedRolePolicies",
"iam:ListGroupsForUser",
"iam:ListInstanceProfilesForRole",
"iam:ListRolePolicies",
"iam:PassRole",
"iam:PutRolePolicy",
"iam:PutUserPolicy",
"iam:RemoveRoleFromInstanceProfile",
"iam:TagRole",
"iam:TagUser",
"iam:UntagRole",
"iam:UntagUser"
],
"Resource": "*"
}
]
}
pw-route53-mgmt
This policy allows PW to manage Route 53 resources.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "pwroute53mgmt",
"Effect": "Allow",
"Action": [
"route53:*",
"route53:ChangeResourceRecordSets",
"route53:ChangeTagsForResource",
"route53:CreateHostedZone",
"route53:DeleteHostedZone",
"route53:GetChange",
"route53:GetDNSSEC",
"route53:GetHostedZone",
"route53:ListResourceRecordSets",
"route53:ListTagsForResource"
],
"Resource": "*"
}
]
}
pw-sts-mgmt
This policy allows PW to manage STS resources.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "pwstsmgmt",
"Effect": "Allow",
"Action": [
"sts:GetCallerIdentity",
"sts:GetCallerIdentity",
"sts:GetFederationToken"
],
"Resource": "*"
}
]
}
pw-tgw-mgmt
If you're using a Transit Gateway account, these additional permissions are necessary to attach created VPCs to the Transit Gateway.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "pwfsxmgmt",
"Effect": "Allow",
"Action": [
"ec2:CreateTransitGatewayVpcAttachment",
"ec2:DescribeTransitGatewayVpcAttachments",
"ec2:DescribeTransitGateways",
"ec2:DeleteTransitGatewayVpcAttachment"
],
"Resource": "*"
}
]
}
pw-billing
This policy allows PW to access billing information.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetLifecycleConfiguration",
"s3:GetBucketTagging",
"s3:PutAccelerateConfiguration",
"s3:DeleteObjectVersion",
"s3:ListBucketVersions",
"s3:GetBucketLogging",
"s3:CreateBucket",
"s3:ListBucket",
"s3:GetAccelerateConfiguration",
"s3:GetBucketPolicy",
"s3:PutEncryptionConfiguration",
"s3:GetObjectAcl",
"s3:GetEncryptionConfiguration",
"s3:GetBucketObjectLockConfiguration",
"s3:PutBucketTagging",
"s3:GetBucketRequestPayment",
"s3:PutLifecycleConfiguration",
"s3:PutBucketAcl",
"cur:*",
"s3:DeleteObject",
"s3:DeleteBucket",
"s3:PutBucketVersioning",
"s3:PutObjectAcl",
"s3:GetBucketPolicyStatus",
"s3:GetBucketWebsite",
"s3:PutReplicationConfiguration",
"s3:GetBucketVersioning",
"s3:PutBucketCORS",
"s3:GetBucketAcl",
"s3:DeleteBucketPolicy",
"s3:GetReplicationConfiguration",
"s3:PutObject",
"s3:GetObject",
"s3:PutBucketWebsite",
"s3:ListAllMyBuckets",
"s3:PutBucketRequestPayment",
"s3:PutBucketLogging",
"s3:GetBucketCORS",
"s3:PutBucketPolicy",
"s3:PutBucketObjectLockConfiguration",
"s3:GetBucketLocation",
"s3:GetObjectVersion"
],
"Resource": "*"
}
]
}