openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
7709fa2278d552faf114b8205e080489fb163a5b
openshift-docs/modules/installation-aws-access-analyzer.adoc
Brendan Daly 7709fa2278 OSDOCS-16989_2:updating CQAs
2025-12-16 16:59:59 +00:00

30 lines
2.5 KiB
Plaintext
Raw Blame History

:_mod-docs-content-type: PROCEDURE
[id="create-custom-permissions-for-iam-instance-profiles_{context}"]
= Using AWS IAM Analyzer to create policy templates
[role="_abstract"]
To reduce security risk, you can use AWS IAM Access Analyzer and CloudTrail to generate and apply minimal, fine-grained IAM policies for cluster control plane and compute instance profiles.
The minimal set of permissions that the control plane and compute instance profiles require depends on how the cluster is configured for its daily operation.
One way to determine which permissions the cluster instances require is to use the AWS Identity and Access Management Access Analyzer (IAM Access Analyzer) to create a policy template:
* A policy template contains the permissions the cluster has used over a specified period of time.
* You can then use the template to create policies with fine-grained permissions.
.Procedure
. Ensure that CloudTrail is enabled. CloudTrail records all of the actions and events in your AWS account, including the API calls that are required to create a policy template. For more information, see the AWS documentation for https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-getting-started.html[working with CloudTrail].
. Create an instance profile for control plane instances and an instance profile for compute instances. Be sure to assign each role a permissive policy, such as PowerUserAccess. For more information, see the AWS documentation for
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html[creating instance profile roles].
. Install the cluster in a development environment and configure it as required. Be sure to deploy all of applications the cluster will host in a production environment.
. Test the cluster thoroughly. Testing the cluster ensures that all of the required API calls are logged.
. Use the IAM Access Analyzer to create a policy template for each instance profile. For more information, see the AWS documentation for https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html[generating policies based on the CloudTrail logs].
. Create and add a fine-grained policy to each instance profile.
. Remove the permissive policy from each instance profile.
. Deploy a production cluster using the existing instance profiles with the new policies.
+
[NOTE]
====
You can add https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html[IAM Conditions] to your policy to make it more restrictive and compliant with your organization security requirements.
====
View Git Blame Copy Permalink