AWS Permissions Needed to Configure and Use DynaCenter Using DynaCenter Launch
Reference Number: AA-00386 Created: 06-30-2016 07:19 Last Updated: 08-03-2017 15:31

Applies To:

DynaCenter Launch

Background: 

DynaCenter Launch provides an easy mechanism for configuring DynaCenter after DynaCenter is installed into an Amazon environment. 

When you use DynaCenter Launch to configure DynaCenter, you must provide the AWS credentials for an IAM identity that has the appropriate permissions policy to use DynaCenter to migrate servers. The IAM identity can be any of the following:

  • an IAM user with the appropriate permissions
  • an IAM user who can assume an IAM role that has the appropriate permissions

    Note: This can include the role assigned to the DynaCenter instance.

  • an IAM user who belongs to an IAM group that has the appropriate permissions

This article identifies the AWS permissions that must be assigned to the IAM identity.

More Information:

The following article provides information about creating an IAM user:

http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_SettingUpUser.html

The following article provides information about the permissions needed to install DynaCenter from the AWS Marketplace:

https://racemi.host4kb.com/article/AA-00390

The following article provides information about the permissions needed to install DynaCenter from a DynaCenter Amazon Machine Image (AMI):

https://racemi.host4kb.com/article/AA-00419

Resolution: 

The following sample policy outlines the minimum permissions needed to configure DynaCenter using DynaCenter Launch.

Sample Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1432040614000",
            "Effect": "Allow",
            "Action": [
                "ec2:AllocateAddress",
                "ec2:AssociateAddress",
                "ec2:AssociateRouteTable",
                "ec2:AttachVolume",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CopyImage",
                "ec2:CreateImage",
                "ec2:CreateKeyPair",
                "ec2:CreateNetworkInterface",
                "ec2:CreateRoute",
                "ec2:CreateRouteTable",
                "ec2:CreateSecurityGroup",
                "ec2:CreateSubnet",
                "ec2:CreateTags",
                "ec2:CreateVolume",
                "ec2:DeleteKeyPair",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteRouteTable",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteSnapshot",
                "ec2:DeleteSubnet",
                "ec2:DeleteVolume",
                "ec2:DeregisterImage",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAddresses",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeHosts",
                "ec2:DescribeImages",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeRouteTables",
                "ec2:DescribeRegions",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeVolumes",
                "ec2:DescribeVolumeStatus",
                "ec2:DescribeVpcs",
                "ec2:DetachNetworkInterface",
                "ec2:DisassociateAddress",
                "ec2:DisassociateRouteTable",
                "ec2:GetConsoleOutput",
                "ec2:GetPasswordData",
                "ec2:ModifyInstanceAttribute",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:ReleaseAddress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RunInstances",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1458161720000",
            "Effect": "Allow",
            "Action": [
                "iam:CreateAccessKey",
                "iam:DeleteAccessKey",
                "iam:GetInstanceProfile",
                "iam:GetRole",
                "iam:ListAccessKeys",
                "iam:ListInstanceProfilesForRole",
                "iam:ListRoles",
                "iam:PassRole"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1458161810000",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:DescribeAlarms"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1458235190000",
            "Effect": "Allow",
            "Action": [
                "kms:DescribeKey",
                "kms:ListAliases",
                "kms:ListKeys"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
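
Added example (not part of the original article or of DynaCenter): a Python check that reports which actions required by a policy such as the sample above are not granted by the policy attached to the IAM identity. The REQUIRED and ATTACHED documents are constructed samples; the check compares Action names only and assumes no Resource scoping, Condition, NotAction, permissions boundary, or service control policy applies.

```python
import fnmatch

def _as_list(value):
    # IAM accepts a bare string or dict where a list is expected.
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def actions(policy, effect):
    """Action patterns from every statement that has the given Effect."""
    found = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == effect:
            found.update(_as_list(stmt.get("Action")))
    return found

def _covered(action, patterns):
    # Action names are case-insensitive; '*' and '?' are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def missing_actions(required_policy, attached_policy):
    """Required actions that attached_policy fails to allow or explicitly denies."""
    allowed = actions(attached_policy, "Allow")
    denied = actions(attached_policy, "Deny")
    return sorted(a for a in actions(required_policy, "Allow")
                  if _covered(a, denied) or not _covered(a, allowed))

# Constructed sample: a few actions taken from the sample policy above.
REQUIRED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:RunInstances", "ec2:DescribeInstances", "ec2:CreateTags",
        "iam:PassRole", "kms:DescribeKey", "cloudwatch:DescribeAlarms"]}]}

# Constructed sample: a hypothetical policy attached to the IAM identity.
ATTACHED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:Describe*", "ec2:RunInstances", "EC2:createtags", "kms:*", "iam:*"]},
    {"Effect": "Deny", "Resource": "*", "Action": "iam:PassRole"}]}

if __name__ == "__main__":
    for name in missing_actions(REQUIRED, ATTACHED):
        print("not granted:", name)
```

To check a real identity, load the full sample policy and the identity's attached policy with json.load and pass both to missing_actions.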