Cloud Permissions

Connecting Your AWS Account: Cloud Permissions

When you run the provided CloudFormation template in your AWS account, Stackbooster is granted specific permissions necessary to manage and operate EKS clusters on your behalf. These permissions are essential for provisioning, maintaining, scaling, and deprovisioning the infrastructure, ensuring seamless and automated operations. This document outlines the permissions granted, grouped by their purpose, and explains their roles in the Stackbooster ecosystem.

Permissions Granted

1. EC2 Management

Stackbooster requires extensive permissions to manage EC2 resources, necessary for provisioning and maintaining the infrastructure required for EKS clusters. The following permissions are granted to enable these operations:

  • VPC Management:

    • ec2:CreateVpc, ec2:DeleteVpc
    • ec2:CreateInternetGateway, ec2:AttachInternetGateway, ec2:DeleteInternetGateway, ec2:DetachInternetGateway
    • ec2:CreateRouteTable, ec2:DeleteRouteTable, ec2:AssociateRouteTable, ec2:DisassociateRouteTable
    • ec2:CreateRoute, ec2:DeleteRoute
    • ec2:CreateSubnet, ec2:DeleteSubnet, ec2:DescribeSubnets, ec2:ModifySubnetAttribute
  • Security Group Management:

    • ec2:CreateSecurityGroup, ec2:DeleteSecurityGroup, ec2:DescribeSecurityGroups
    • ec2:AuthorizeSecurityGroupIngress, ec2:AuthorizeSecurityGroupEgress
    • ec2:RevokeSecurityGroupIngress, ec2:RevokeSecurityGroupEgress
  • Instance Management:

    • ec2:RunInstances, ec2:TerminateInstances
    • ec2:DescribeInstances, ec2:StartInstances, ec2:StopInstances, ec2:MonitorInstances
    • ec2:AttachVolume, ec2:DetachVolume, ec2:ModifyInstanceAttribute
    • ec2:CreateLaunchTemplate, ec2:DeleteLaunchTemplate, ec2:DescribeLaunchTemplates
    • ec2:RequestSpotInstances, ec2:CancelSpotInstanceRequests, ec2:DescribeSpotInstanceRequests
  • Resource Management:

    • ec2:CreateSnapshot, ec2:DeleteSnapshot
    • ec2:CreateTags, ec2:DeleteTags
    • ec2:CreateVolume, ec2:DeleteVolume, ec2:ModifyVolume

2. EKS Management

To provision, manage, and deprovision EKS clusters, Stackbooster requires the following permissions:

  • eks:ListClusters, eks:DescribeCluster, eks:CreateCluster, eks:DeleteCluster
  • eks:ListNodegroups, eks:DescribeNodegroup, eks:CreateNodegroup, eks:DeleteNodegroup
  • eks:TagResource, eks:CreateAddon, eks:DeleteAddon, eks:DescribeAddon, eks:ListAddons, eks:UpdateAddon
  • eks:CreateAccessEntry, eks:DeleteAccessEntry, eks:DescribeAccessEntry, eks:ListAccessEntries
  • eks:AssociateAccessPolicy, eks:DisassociateAccessPolicy, eks:ListAccessPolicies, eks:ListAssociatedAccessPolicies

3. IAM Management

Stackbooster needs IAM permissions to manage roles and policies, ensuring proper access control for the EKS clusters:

  • iam:CreateRole, iam:DeleteRole, iam:GetRole, iam:ListRoles
  • iam:AttachRolePolicy, iam:DetachRolePolicy, iam:PutRolePolicy, iam:DeleteRolePolicy
  • iam:PassRole, iam:ListAttachedRolePolicies
  • iam:CreateInstanceProfile, iam:DeleteInstanceProfile, iam:GetInstanceProfile, iam:ListInstanceProfiles, iam:ListInstanceProfilesForRole
  • iam:CreateOpenIDConnectProvider, iam:DeleteOpenIDConnectProvider

4. CloudFormation Management

These permissions allow Stackbooster to create, update, and manage CloudFormation stacks, facilitating the automation of resource provisioning:

  • cloudformation:CreateStack, cloudformation:DeleteStack, cloudformation:UpdateStack
  • cloudformation:CreateChangeSet, cloudformation:Describe*, cloudformation:List*

5. Auto Scaling Management

To ensure efficient scaling of resources, Stackbooster requires the following permissions to manage Auto Scaling groups:

  • autoscaling:CreateAutoScalingGroup, autoscaling:DeleteAutoScalingGroup, autoscaling:UpdateAutoScalingGroup
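Before deploying a template that grants the permission sets above, it is worth running a few static checks over the resulting policy document: which actions are wildcards (cloudformation:Describe*, cloudformation:List* expand to every matching action), and which privilege-granting actions (iam:PassRole, iam:CreateRole, iam:AttachRolePolicy, eks:CreateAccessEntry and similar) are allowed on Resource "*" with no Condition. The script below is an added example and not Stackbooster's own code or template; SAMPLE_POLICY is a constructed stand-in using a subset of the actions listed on this page, the account id in it is a placeholder, and the PRIVILEGE_GRANTING set is this example's own choice of actions to watch. The final PassRoleScoped statement shows the narrowed form beside the unscoped one.

```python
"""Static checks on an IAM permissions policy document.

Added example, not Stackbooster's own code. SAMPLE_POLICY is a constructed
stand-in for part of the policy the CloudFormation template creates, and the
PRIVILEGE_GRANTING set is this example's own choice of actions to watch.
"""
import fnmatch
import json

# Actions that let the holder create or hand out further permissions.
# Membership of this set is an assumption of this example.
PRIVILEGE_GRANTING = {
    "iam:PassRole",
    "iam:CreateRole",
    "iam:AttachRolePolicy",
    "iam:PutRolePolicy",
    "iam:CreateOpenIDConnectProvider",
    "eks:CreateAccessEntry",
    "eks:AssociateAccessPolicy",
}

# Constructed sample policy: a subset of the actions listed on the page. The
# account id in the last statement is a placeholder.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "EKS", "Effect": "Allow",
     "Action": ["eks:ListClusters", "eks:DescribeCluster", "eks:CreateCluster",
                "eks:DeleteCluster", "eks:CreateAccessEntry",
                "eks:AssociateAccessPolicy"],
     "Resource": "*"},
    {"Sid": "IAM", "Effect": "Allow",
     "Action": ["iam:CreateRole", "iam:DeleteRole", "iam:GetRole",
                "iam:AttachRolePolicy", "iam:PassRole"],
     "Resource": "*"},
    {"Sid": "CFN", "Effect": "Allow",
     "Action": ["cloudformation:CreateStack", "cloudformation:Describe*",
                "cloudformation:List*"],
     "Resource": "*"},
    {"Sid": "PassRoleScoped", "Effect": "Allow",
     "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::111122223333:role/stackbooster-*",
     "Condition": {"StringEquals": {"iam:PassedToService": "eks.amazonaws.com"}}}
  ]
}
""")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching: '*' wildcards, case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(policy, action):
    """True if some Allow statement covers the action (Deny is not modelled)."""
    return any(
        stmt.get("Effect") == "Allow"
        and any(_matches(p, action) for p in _as_list(stmt.get("Action", [])))
        for stmt in policy["Statement"]
    )


def wildcard_actions(policy):
    """(Sid, action) pairs whose action string contains a '*'."""
    return [
        (stmt.get("Sid", "<no sid>"), action)
        for stmt in policy["Statement"]
        if stmt.get("Effect") == "Allow"
        for action in _as_list(stmt.get("Action", []))
        if "*" in action
    ]


def unscoped_privilege_grants(policy):
    """(Sid, action) pairs where a privilege-granting action is allowed on
    Resource '*' with no Condition block, i.e. with nothing narrowing it."""
    found = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])) or stmt.get("Condition"):
            continue
        for action in _as_list(stmt.get("Action", [])):
            for sensitive in sorted(PRIVILEGE_GRANTING):
                if _matches(action, sensitive):
                    found.append((stmt.get("Sid", "<no sid>"), sensitive))
    return found


if __name__ == "__main__":
    for sid, action in wildcard_actions(SAMPLE_POLICY):
        print(f"{sid}: wildcard action {action}")
    for sid, action in unscoped_privilege_grants(SAMPLE_POLICY):
        print(f"{sid}: {action} allowed on Resource '*' without a Condition")
    print("cloudformation:DescribeStackEvents allowed:",
          is_allowed(SAMPLE_POLICY, "cloudformation:DescribeStackEvents"))
```

Run against the real policy extracted from the deployed template (for example the output of `aws iam get-role-policy` or the template's own JSON), the same functions list every wildcard and every unscoped privilege grant, which is the list to compare against what the tenant is willing to delegate. The PassRoleScoped statement is the pattern that narrows iam:PassRole to roles with a known name prefix that are passed only to the EKS service.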

Role Assumption

Stackbooster’s AWS account assumes a role in the tenant’s AWS account, which grants the above permissions. The role assumption is facilitated by the following configuration:

  • Assume Role Policy: Allows Stackbooster’s AWS account to assume the role using sts:AssumeRole with the provided ExternalId.

  • Security Audit: Provides read-only access to AWS services and resources for auditing and monitoring purposes.
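The trust policy on that role is what decides who can reach the permissions above, so it is the piece the tenant should verify after the stack is created: a single named principal, sts:AssumeRole as the only action, and a StringEquals condition on sts:ExternalId carrying the value provided with the template. The script below is an added example rather than Stackbooster's own code; the account id and ExternalId in it are constructed placeholders, and it shows the weak form (no ExternalId condition) beside the corrected one and a checker that tells them apart.

```python
"""Checks on the trust policy of the role that Stackbooster assumes.

Added example, not Stackbooster's own code. The account id and ExternalId are
constructed placeholders; the checks assume the arrangement the page describes,
a single external AWS account allowed to call sts:AssumeRole only when it
presents the agreed ExternalId.
"""
import json

# Placeholders: the vendor account that may assume the role, and the
# ExternalId the tenant was given. Replace with the values from the template.
EXPECTED_PRINCIPAL = "arn:aws:iam::111111111111:root"
EXPECTED_EXTERNAL_ID = "example-external-id"

# Weak setting: any caller in the vendor account, no ExternalId required.
WEAK_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole"
  }]
}
""")

# Corrected setting: the same principal, but the assumption succeeds only when
# the caller passes the agreed ExternalId.
HARDENED_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}
  }]
}
""")


def _as_list(value):
    """IAM allows a string or a list in Action/Principal; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trust_policy_findings(doc, expected_principal, expected_external_id):
    """Return a list of human-readable problems; an empty list means the trust
    policy matches the expected cross-account arrangement."""
    findings = []
    for stmt in doc["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() != "sts:assumerole":
                findings.append(f"unexpected action {action}")
        principal = stmt.get("Principal", {})
        principals = (_as_list(principal.get("AWS", []))
                      if isinstance(principal, dict) else [principal])
        for p in principals:
            if p == "*":
                findings.append("principal is a wildcard")
            elif p != expected_principal:
                findings.append(f"unexpected principal {p}")
        condition = stmt.get("Condition", {})
        external_id = condition.get("StringEquals", {}).get("sts:ExternalId")
        if external_id is None:
            findings.append("missing sts:ExternalId condition")
        elif external_id != expected_external_id:
            findings.append("sts:ExternalId does not match the agreed value")
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(name, trust_policy_findings(doc, EXPECTED_PRINCIPAL, EXPECTED_EXTERNAL_ID))
```

The ExternalId condition is what ties the role to this particular tenant arrangement: without it, any party able to make the vendor's account call sts:AssumeRole on the role ARN would obtain the permissions listed above. Feed the function the AssumeRolePolicyDocument returned by `aws iam get-role` for the created role, together with the principal and ExternalId from the template parameters, and expect an empty list.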