Creating an IAM Role
- Last Updated: April 14, 2026
- MarkLogic Server
- Version 11.0
- Documentation
AWS Identity and Access Management (IAM) is a web service that enables you to manage users and user permissions in AWS. The service is targeted at organizations with multiple users or systems that use Amazon EC2, Amazon DynamoDB, and the AWS Management Console. With IAM, you can centrally manage users, security credentials such as access keys, and permissions that control user access to AWS resources.
This section describes how to create an IAM role. It covers each step in the procedure, but not every option available at each step. For more details, see the Amazon AWS documentation.
1. Sign in to the AWS Management Console.
2. Open the IAM console.
3. Click Roles.
4. On the Roles page, click Create role.
5. Select the AWS service box.
6. From the Service or use case list, select EC2.
7. Choose a use case for the specified service.
8. Click Next.
9. Select the access policies for the role. For details on IAM policies, see IAM policies for Amazon EC2.
10. Click Next.
11. Enter the name of the new role, review your settings, and edit them if you want to make changes. When done, click Create role.
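The same role can be created from code instead of the console. The following is an added example, not MarkLogic's or AWS's own code: it builds the trust policy the console writes when you choose the EC2 service, lists who the trust policy lets assume the role, creates the role with boto3, and also creates the instance profile that the console adds silently for EC2 roles but the API does not. ROLE_NAME, POLICY_NAME and the sample inline policy are assumed placeholders; boto3 is imported only inside apply_role(), so the policy builder and the principal check run offline.

```python
"""Added example: create an EC2 service role from code instead of the console.
Not MarkLogic's or AWS's own code. ROLE_NAME, POLICY_NAME and the sample inline
policy below are assumed placeholders."""
import json
from typing import Dict, List

ROLE_NAME = "MarkLogicStackRole"      # assumed placeholder name
POLICY_NAME = "MarkLogicStackPolicy"  # assumed placeholder name


def ec2_trust_policy() -> Dict:
    """The trust (assume-role) policy the console writes when you pick
    'AWS service' and then 'EC2': only the EC2 service principal may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def trusted_principals(trust: Dict) -> List[str]:
    """Return every principal an Allow statement lets assume the role. Check this
    before applying a trust policy: a '*' means any AWS account could assume it."""
    found: List[str] = []
    for stmt in trust["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            found.append("*")
            continue
        for values in principal.values():  # e.g. {"Service": "..."} or {"AWS": [...]}
            found.extend([values] if isinstance(values, str) else list(values))
    return found


def apply_role(role_name: str, trust: Dict, policy_name: str, policy: Dict,
               instance_profile: bool = True) -> str:
    """Create the role, attach the inline permission policy, and wrap the role in
    an instance profile (the console does that step for EC2 roles; the API does
    not). Needs AWS credentials; boto3 is imported here so the rest of this file
    runs offline. Returns the role ARN."""
    if "*" in trusted_principals(trust):
        raise ValueError("refusing to create a role that anyone can assume")
    import boto3
    iam = boto3.client("iam")
    iam.create_role(RoleName=role_name, AssumeRolePolicyDocument=json.dumps(trust))
    iam.put_role_policy(RoleName=role_name, PolicyName=policy_name,
                        PolicyDocument=json.dumps(policy))
    if instance_profile:
        iam.create_instance_profile(InstanceProfileName=role_name)
        iam.add_role_to_instance_profile(InstanceProfileName=role_name,
                                         RoleName=role_name)
    return iam.get_role(RoleName=role_name)["Role"]["Arn"]


if __name__ == "__main__":
    # Constructed sample inline policy; replace it with the permission sets
    # listed later on this page.
    sample_policy = {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["ec2:DescribeInstances"],
                       "Resource": "*"}],
    }
    print(json.dumps(ec2_trust_policy(), indent=2))
    print("trusted by:", trusted_principals(ec2_trust_policy()))
    # Uncomment with credentials configured:
    # print(apply_role(ROLE_NAME, ec2_trust_policy(), POLICY_NAME, sample_policy))
```

The instance profile matters for the launch template and auto scaling group that the stack creates: EC2 attaches roles to instances only through an instance profile, so a role created via the API without one cannot be referenced from the template.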
Minimal Privileges
The minimal privileges needed to launch a MarkLogic CloudFormation template, as tested, are as follows:
Note:
The following set of permissions is the minimum required to create and delete a MarkLogic CloudFormation stack. You will need additional permissions for S3 backups and KMS. The permissions below are quoted because they are in JSON format.
MarkLogic recommends that you follow AWS best practices for controlling access to your AWS resources. For details, see Controlling access to AWS resources using tags.
Amazon has changed the pattern for the ARN (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html). The ARN now needs to specify the region and account fields. These can cover all regions and all accounts, indicated with the wildcard "*" as in this example:
arn:aws:autoscaling:*:*:launchConfiguration::launchConfigurationName/*
Otherwise, the ARN should be specific to region, account, and the specific service, as in this example:
arn:aws:autoscaling:ap-southeast-2:758929958593:autoScalingGroup:*:autoScalingGroupName/*
CloudFormation
* "cloudformation:CreateUploadBucket"
* "cloudformation:DeleteStackInstances"
* "cloudformation:ListExports"
* "cloudformation:ListStackSetOperations"
* "cloudformation:ListStackInstances"
* "cloudformation:DescribeStackResource"
* "cloudformation:CreateStackInstances"
* "cloudformation:ListStackSetOperationResults"
* "cloudformation:DescribeStackEvents"
* "cloudformation:DescribeStackSetOperation"
* "cloudformation:DescribeChangeSet"
* "cloudformation:ListStackResources"
* "cloudformation:ListStacks"
* "cloudformation:ListImports"
* "cloudformation:DescribeStackInstance"
* "cloudformation:DescribeStackResources"
* "cloudformation:GetTemplateSummary"
* "cloudformation:DescribeStacks"
* "cloudformation:GetStackPolicy"
* "cloudformation:DescribeStackSet"
* "cloudformation:ListStackSets"
* "cloudformation:CreateStack"
* "cloudformation:GetTemplate"
* "cloudformation:DeleteStack"
* "cloudformation:ValidateTemplate"
* "cloudformation:ListChangeSets"
-----
* "Resource": "*"
-----
Launch Template (required for v10.0 and up)
* "ec2:CreateLaunchTemplate"
* "ec2:DeleteLaunchTemplate"
* "ec2:DescribeLaunchTemplates"
* "ec2:ModifyLaunchTemplate"
-----
* "Resource": "arn:aws:ec2:*:*:launch-template/*"
DynamoDB
* "dynamodb:DeleteTable"
* "dynamodb:CreateTable"
* "dynamodb:DescribeTable"
-----
* "Resource": "arn:aws:dynamodb:*:*:table/*MarkLogicDDBTable*"
EC2
* "ec2:DisassociateAddress"
* "ec2:DeleteSubnet"
* "ec2:ModifyVolumeAttribute"
* "ec2:DescribeAddresses"
* "ec2:CreateNatGateway"
* "ec2:CreateVpc"
* "ec2:AttachInternetGateway"
* "ec2:AssociateRouteTable"
* "ec2:DescribeInternetGateways"
* "ec2:DescribeAvailabilityZones"
* "ec2:CreateInternetGateway"
* "ec2:CreateSecurityGroup"
* "ec2:DescribeVolumes"
* "ec2:ModifyVpcAttribute"
* "ec2:DescribeRouteTables"
* "ec2:ReleaseAddress"
* "ec2:CreateRouteTable"
* "ec2:DetachInternetGateway"
* "ec2:DescribeNatGateways"
* "ec2:DisassociateRouteTable"
* "ec2:AllocateAddress"
* "ec2:DescribeSecurityGroups"
* "ec2:DescribeVpcs"
* "ec2:DeleteNatGateway"
* "ec2:DescribeVpcEndpoints"
* "ec2:DeleteVpc"
* "ec2:CreateSubnet"
* "ec2:DescribeSubnets"
-----
* "Resource": "*"
-----
* "ec2:RevokeSecurityGroupIngress"
* "ec2:DeleteRoute"
* "ec2:AuthorizeSecurityGroupIngress"
* "ec2:DeleteVpcEndpoints"
* "ec2:DeleteRouteTable"
* "ec2:CreateTags"
* "ec2:CreateVolume"
* "ec2:DeleteVolume"
* "ec2:DeleteInternetGateway"
* "ec2:DeleteSecurityGroup"
* "ec2:CreateRoute"
* "ec2:CreateVpcEndpoint"
-----
* "Resource":
* "arn:aws:ec2:*:*:internet-gateway/*"
* "arn:aws:ec2:*:*:volume/*"
* "arn:aws:ec2:*:*:subnet/*"
* "arn:aws:ec2:*:*:route-table/*"
* "arn:aws:ec2:*:*:vpc-endpoint/*"
* "arn:aws:ec2:*:*:security-group/*"
* "arn:aws:ec2:*:*:vpc/*"
-----
* "ec2:CreateTags"
-----
* "Resource": "*"
ElasticLoadBalancing
* "elasticloadbalancing:DescribeLoadBalancers"
-----
* "Resource": "*"
-----
* "elasticloadbalancing:CreateLoadBalancer"
* "elasticloadbalancing:DeleteLoadBalancer"
* "elasticloadbalancing:ModifyLoadBalancerAttributes"
* "elasticloadbalancing:ConfigureHealthCheck"
* "elasticloadbalancing:CreateLoadBalancerPolicy"
* "elasticloadbalancing:DeleteLoadBalancerPolicy"
* "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
-----
* "Resource": "arn:aws:elasticloadbalancing:*:*:loadbalancer/*"
-----
* "elasticloadbalancing:AddTags"
* "elasticloadbalancing:RemoveTags"
-----
* "Resource": "*"
AutoScaling
* "autoscaling:DescribeLaunchConfigurations"
* "autoscaling:DescribeScalingActivities"
* "autoscaling:DescribeAutoScalingGroups"
-----
* "Resource": "*"
-----
* "autoscaling:CreateLaunchConfiguration"
* "autoscaling:DeleteLaunchConfiguration"
* "autoscaling:DeleteAutoScalingGroup"
* "autoscaling:CreateAutoScalingGroup"
* "autoscaling:UpdateAutoScalingGroup"
-----
* "Resource":
* "arn:aws:autoscaling:*:*:launchConfiguration::launchConfigurationName/*"
* "arn:aws:autoscaling:*:*:autoScalingGroup::autoScalingGroupName/*"
SNS
* "sns:ListSubscriptionsByTopic"
* "sns:Publish"
* "sns:GetTopicAttributes"
* "sns:DeleteTopic"
* "sns:CreateTopic"
* "sns:ConfirmSubscription"
* "sns:SetTopicAttributes"
* "sns:Subscribe"
* "sns:ListEndpointsByPlatformApplication"
* "sns:Unsubscribe"
* "sns:ListTopics"
* "sns:ListSubscriptions"
* "sns:ListPlatformApplications"
-----
* "Resource": "*"
IAM
* "iam:GetRole"
* "iam:PassRole"
* "iam:DeleteRolePolicy"
* "iam:CreateRole"
* "iam:DeleteRole"
* "iam:PutRolePolicy"
-----
* "Resource": "*"
Lambda
* "lambda:CreateFunction"
* "lambda:AddPermission"
* "lambda:InvokeFunction"
* "lambda:GetFunctionConfiguration"
* "lambda:DeleteFunction"
* "lambda:RemovePermission"
* "lambda:PutFunctionConcurrency"
-----
* "Resource": "arn:aws:lambda:*:*:function:*"
S3
* "s3:PutObject"
* "s3:GetObjectAcl"
* "s3:GetObject"
* "s3:CreateBucket"
* "s3:GetObjectTagging"
* "s3:GetBucketAcl"
* "s3:GetBucketPolicy"
-----
* "Resource": "*"
-----
* "s3:PutBucketTagging"
-----
* "Resource": "*"
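The groups above can be assembled into one policy document and checked against the ARN rule stated at the start of this section (every ARN carries region and account fields, pinned or "*"). The following is an added example, not part of this page or of MarkLogic's tooling. Its input is a constructed subset of the statements listed above plus one deliberately malformed ARN with empty region and account fields, to show what the check catches; the lint also lists every statement whose Resource is "*" so those can be reviewed before the policy is attached.

```python
"""Added example: assemble IAM permission groups into a policy document and
lint the result. Not MarkLogic's or AWS's code. SAMPLE_GROUPS is a constructed
subset of the permissions listed on this page plus one malformed ARN."""
import json
import re
from typing import Dict, List

# arn:partition:service:region:account:resource. The resource part may itself
# contain ':' (e.g. the autoscaling launchConfiguration ARN), so split at most
# five times and keep the remainder whole.
ARN_FIELDS = 6
_ACTION_RE = re.compile(r"^[a-z0-9-]+:[A-Za-z0-9*]+$")


def check_arn(arn: str) -> List[str]:
    """Return the problems found in one resource ARN; an empty list means it
    passed. A bare '*' is legal and is reported separately by lint_policy."""
    if arn == "*":
        return []
    parts = arn.split(":", ARN_FIELDS - 1)
    if len(parts) != ARN_FIELDS or parts[0] != "arn":
        return [f"{arn}: not a well-formed ARN"]
    _, _, service, region, account, resource = parts
    problems = []
    if not service:
        problems.append(f"{arn}: missing service")
    if not region:
        problems.append(f"{arn}: empty region (use '*' or a region)")
    if not account:
        problems.append(f"{arn}: empty account (use '*' or an account id)")
    elif account != "*" and not re.fullmatch(r"\d{12}", account):
        problems.append(f"{arn}: account must be 12 digits or '*'")
    if not resource:
        problems.append(f"{arn}: empty resource")
    return problems


def build_policy(groups: List[Dict]) -> Dict:
    """Turn [{'actions': [...], 'resources': [...]}] into a policy document,
    de-duplicating actions and resources within each statement."""
    statements = [{
        "Effect": "Allow",
        "Action": sorted(set(g["actions"])),
        "Resource": sorted(set(g["resources"])),
    } for g in groups]
    return {"Version": "2012-10-17", "Statement": statements}


def lint_policy(policy: Dict) -> Dict[str, List[str]]:
    """Report malformed ARNs, malformed action names, and statements whose
    Resource is '*' (those deserve a manual look before the policy is attached)."""
    report: Dict[str, List[str]] = {"bad_arn": [], "bad_action": [], "wildcard_resource": []}
    for i, stmt in enumerate(policy["Statement"]):
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        for arn in resources:
            report["bad_arn"].extend(check_arn(arn))
        if "*" in resources:
            report["wildcard_resource"].append(f"statement {i}: {', '.join(stmt['Action'])}")
        for action in stmt["Action"]:
            if not _ACTION_RE.match(action):
                report["bad_action"].append(f"statement {i}: {action}")
    return report


# Constructed sample: a few groups from this page, one duplicated action, and one
# deliberately malformed ARN (empty region and account) to show what is caught.
SAMPLE_GROUPS = [
    {"actions": ["cloudformation:CreateStack", "cloudformation:DeleteStack",
                 "cloudformation:DescribeStacks"],
     "resources": ["*"]},
    {"actions": ["ec2:CreateLaunchTemplate", "ec2:DeleteLaunchTemplate"],
     "resources": ["arn:aws:ec2:::launch-template/*"]},
    {"actions": ["dynamodb:CreateTable", "dynamodb:DeleteTable", "dynamodb:DescribeTable"],
     "resources": ["arn:aws:dynamodb:*:*:table/*MarkLogicDDBTable*"]},
    {"actions": ["autoscaling:CreateAutoScalingGroup", "autoscaling:CreateAutoScalingGroup"],
     "resources": ["arn:aws:autoscaling:*:*:autoScalingGroup::autoScalingGroupName/*",
                   "arn:aws:autoscaling:ap-southeast-2:758929958593:autoScalingGroup:*:autoScalingGroupName/*"]},
]

if __name__ == "__main__":
    policy = build_policy(SAMPLE_GROUPS)
    print(json.dumps(policy, indent=2))
    for kind, items in lint_policy(policy).items():
        for item in items:
            print(f"{kind}: {item}")
```

Run it before pasting a policy into the console: the "wildcard_resource" entries are the statements (CloudFormation, SNS, IAM, most S3 calls above) where tag- or ARN-based scoping is still possible, and the "bad_arn" entries are ARNs that IAM would accept syntactically but that never match a real resource because an empty region or account field only matches an empty field.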
Note:
The following set of permissions is needed in the role that the MarkLogic CloudFormation stack passes to its instances as an instance profile role. The permissions below are quoted because they are in JSON format. Because the launching permissions above grant iam:PassRole on Resource "*", the launching principal can pass any role in the account to an instance; once this instance-profile role exists, scope that iam:PassRole statement to its ARN.
DynamoDB
* "dynamodb:PutItem"
* "dynamodb:DescribeTable"
* "dynamodb:GetItem"
* "dynamodb:Scan"
* "dynamodb:UpdateItem"
-----
* "Resource": "arn:aws:dynamodb:*:*:table/*MarkLogicDDBTable*"
EC2
* "ec2:AttachVolume"
* "ec2:CreateVolume"
-----
* "Resource":
* "arn:aws:ec2:*:*:volume/*"
* "arn:aws:ec2:*:*:instance/*"
-----
* "ec2:DescribeInstances"
-----
* "Resource": "*"
SSM
* "ssm:UpdateInstanceInformation"
* "ssm:ListInstanceAssociations"
* "ssm:ListAssociations"
* "ssm:PutInventory"
* "ssm:UpdateInstanceAssociationStatus"
-----
* "Resource": "*"
EC2Messages
* "ec2messages:GetMessages"
-----
* "Resource": "*"
SSMMessages
* "ssmmessages:OpenControlChannel"
* "ssmmessages:CreateControlChannel"
-----
* "Resource": "*"