AWS account configuration

Required permissions

Generally speaking, we subscribe to the principle of least privilege. However, since it is common for many developers to have the AWS managed policy AdministratorAccess, we recommend this as the easiest way to get started on AWS.

If you can't get this access or do not want to use it, you will need to build a customer managed policy and add a user. These are the required permissions for the policy:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"autoscaling:CreateAutoScalingGroup",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:CreateLaunchConfiguration",
"autoscaling:DeleteLaunchConfiguration",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeScalingActivities",
"ec2:AllocateAddress",
"ec2:AssociateRouteTable",
"ec2:AttachInternetGateway",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateInternetGateway",
"ec2:CreateNatGateway",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:CreateSecurityGroup",
"ec2:CreateSubnet",
"ec2:CreateTags",
"ec2:CreateVpc",
"ec2:CreateVpcEndpoint",
"ec2:DescribeVpcs",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcEndpoints",
"ec2:DeleteInternetGateway",
"ec2:DeleteNatGateway",
"ec2:DeleteRouteTable",
"ec2:DeleteSecurityGroup",
"ec2:DeleteSubnet",
"ec2:DeleteVpc",
"ec2:DeleteVpcEndpoints",
"ec2:DescribeSubnets",
"ec2:DescribeInternetGateways",
"ec2:DescribeAddresses",
"ec2:DescribeNatGateways",
"ec2:DetachInternetGateway",
"ec2:DescribeRouteTables",
"ec2:DisassociateRouteTable",
"ec2:ModifyVpcAttribute",
"ec2:ReleaseAddress",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:DescribeSecurityGroups",
"eks:CreateCluster",
"eks:DeleteCluster",
"eks:DescribeCluster",
"eks:TagResource",
"eks:ListClusters",
"iam:AddRoleToInstanceProfile",
"iam:AttachRolePolicy",
"iam:CreateInstanceProfile",
"iam:CreatePolicy",
"iam:CreateRole",
"iam:DeleteInstanceProfile",
"iam:DeletePolicy",
"iam:DeleteRole",
"iam:DetachRolePolicy",
"iam:RemoveRoleFromInstanceProfile",
"iam:ListPolicies",
"iam:ListRoles",
"iam:PassRole",
"iam:GetInstanceProfile",
"rds:CreateDBCluster",
"rds:CreateDBInstance",
"rds:CreateDBSubnetGroup",
"rds:DeleteDBCluster",
"rds:DeleteDBInstance",
"rds:DeleteDBSubnetGroup",
"rds:AddTagsToResource",
"rds:DescribeDBSubnetGroups",
"rds:DescribeDBClusters",
"rds:DescribeDBInstances",
"route53:CreateHostedZone",
"route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets",
"route53:DeleteHostedZone",
"route53:GetChange",
"route53:ListHostedZones",
"route53:ListHostedZonesByName",
"s3:CreateBucket",
"s3:GetLifecycleConfiguration",
"s3:PutLifecycleConfiguration",
"s3:ListBucket",
"sts:GetCallerIdentity",
"sts:GetSessionToken",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DeleteLoadBalancer"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": [
"autoscaling.amazonaws.com",
"eks.amazonaws.com",
"elasticloadbalancing.amazonaws.com"
]
}
}
}
]
}