AWS BYOC
Please read through Bring Your Own Cloud (BYOC) to understand BYOC in more detail.
Deployment Options
- Turnkey / default - creates a VPN and cluster for a fully managed install
- BYO-VPN - requires the customer to provide a VPN
Overview
This document guides you through giving Streamkap access to provision software into your AWS account. That access is limited to the permissions defined in the IAM policies shared below; once the setup process is complete, the provision permissions can be removed, so that your cloud account retains only the access it still needs.
Here are the steps:
- Create an IAM policy granting permission to provision an install.
- Create an IAM policy granting permission to deprovision an install.
- Create an IAM role that uses those policies, and grants access to the vendor via a trust policy.
- Share the IAM role’s ARN with Streamkap.
- (Optional) Remove the provision IAM policy.
1. Create the Provision Policy
- In the AWS console, navigate to the IAM control panel.
- Navigate to “Policies”.
- Click the orange “Create Policy” button.
- Look for the “Policy editor”, where “visual” will be selected. Select “JSON”.
- Replace the entire policy JSON with the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Resource": "*",
      "Action": [
        "ec2:DescribeAddressesAttribute",
        "ec2:CreateNetworkAclEntry",
        "ecr:UntagResource",
        "eks:ListAccessEntries",
        "eks:CreateAccessEntry",
        "eks:DescribeAccessEntry",
        "eks:UpdateAccessEntry",
        "eks:AssociateAccessPolicy",
        "eks:DisassociateAccessPolicy",
        "eks:CreateAddon",
        "eks:DescribeAddon",
        "eks:UpdateAddon",
        "eks:DescribeAddonConfiguration",
        "eks:DescribeAddonVersions",
        "eks:ListAddons",
        "eks:ListAssociatedAccessPolicies",
        "eks:CreateCluster",
        "eks:DescribeCluster",
        "eks:CreateNodegroup",
        "eks:DescribeNodegroup",
        "eks:UpdateNodegroupVersion",
        "eks:TagResource",
        "eks:UntagResource",
        "eks:ListTagsForResource",
        "eks:DescribeUpdate",
        "iam:UntagPolicy",
        "iam:UntagRole",
        "kms:UntagResource",
        "logs:UntagResource",
        "logs:ListTagsForResource",
        "ec2:AllocateAddress",
        "ec2:AssociateRouteTable",
        "ec2:AttachInternetGateway",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateInternetGateway",
        "ec2:CreateLaunchTemplate",
        "ec2:CreateLaunchTemplateVersion",
        "ec2:CreateNatGateway",
        "ec2:CreateRoute",
        "ec2:CreateRouteTable",
        "ec2:CreateSecurityGroup",
        "ec2:CreateSubnet",
        "ec2:CreateTags",
        "ec2:CreateVpc",
        "ec2:DescribeAddresses",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeLaunchTemplateVersions",
        "ec2:DescribeLaunchTemplates",
        "ec2:DescribeNatGateways",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroupReferences",
        "ec2:DescribeSecurityGroupRules",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeVpcClassicLink",
        "ec2:DescribeVpcClassicLinkDnsSupport",
        "ec2:DescribeVpcs",
        "ec2:ModifyLaunchTemplate",
        "ec2:ModifySubnetAttribute",
        "ec2:ModifyVpcAttribute",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RunInstances",
        "ecr:CreateRepository",
        "ecr:DescribeRepositories",
        "ecr:ListTagsForResource",
        "ecr:TagResource",
        "iam:AttachRolePolicy",
        "iam:CreateOpenIDConnectProvider",
        "iam:CreatePolicy",
        "iam:CreatePolicyVersion",
        "iam:CreateRole",
        "iam:CreateServiceLinkedRole",
        "iam:GetOpenIDConnectProvider",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:PassRole",
        "iam:PutRolePolicy",
        "iam:TagOpenIDConnectProvider",
        "iam:TagPolicy",
        "iam:TagRole",
        "iam:UpdateAssumeRolePolicy",
        "kms:CreateAlias",
        "kms:CreateGrant",
        "kms:CreateKey",
        "kms:DescribeKey",
        "kms:GetKeyPolicy",
        "kms:GetKeyRotationStatus",
        "kms:ListAliases",
        "kms:ListResourceTags",
        "kms:PutKeyPolicy",
        "kms:TagResource",
        "logs:CreateLogGroup",
        "logs:DescribeLogGroups",
        "logs:ListTagsLogGroup",
        "logs:PutRetentionPolicy",
        "logs:TagLogGroup",
        "logs:TagResource",
        "route53:ChangeResourceRecordSets",
        "route53:ChangeTagsForResource",
        "route53:CreateHostedZone",
        "route53:GetChange",
        "route53:GetHostedZone",
        "route53:ListResourceRecordSets",
        "route53:ListTagsForResource",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject"
      ]
    }
  ]
}
- Below the editor, click the orange “Next” button.
- Name the policy StreamkapProvisionAccess, and click “Create policy” at the bottom.
2. Create the Deprovision Policy
- In the AWS console, navigate to the IAM control panel.
- Navigate to “Policies”.
- Click the orange “Create Policy” button.
- Look for the “Policy editor” component group, where “visual” will be selected. Select “JSON”.
- Replace the entire policy JSON with the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Resource": "*",
      "Action": [
        "ec2:DeleteNetworkAclEntry",
        "eks:DeleteAddon",
        "eks:DeleteCluster",
        "eks:DescribeCluster",
        "eks:DeleteNodegroup",
        "eks:DescribeNodegroup",
        "ec2:DeleteInternetGateway",
        "ec2:DeleteLaunchTemplate",
        "ec2:DeleteLaunchTemplateVersions",
        "ec2:DeleteNatGateway",
        "ec2:DeleteNetworkInterface",
        "ec2:DeleteRoute",
        "ec2:DeleteRouteTable",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteSubnet",
        "ec2:DeleteTags",
        "ec2:DeleteVpc",
        "ec2:DescribeAddresses",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeLaunchTemplateVersions",
        "ec2:DescribeLaunchTemplates",
        "ec2:DescribeNatGateways",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroupRules",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeVpcClassicLink",
        "ec2:DescribeVpcClassicLinkDnsSupport",
        "ec2:DescribeVpcs",
        "ec2:DetachInternetGateway",
        "ec2:DetachNetworkInterface",
        "ec2:DisassociateAddress",
        "ec2:DisassociateRouteTable",
        "ec2:ReleaseAddress",
        "ec2:RevokeSecurityGroupIngress",
        "ecr:DeleteRepository",
        "ecr:DescribeRepositories",
        "ecr:ListTagsForResource",
        "iam:DeleteOpenIDConnectProvider",
        "iam:DeletePolicy",
        "iam:DeletePolicyVersion",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:GetOpenIDConnectProvider",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:ListInstanceProfilesForRole",
        "iam:ListPolicyVersions",
        "iam:ListRolePolicies",
        "kms:DeleteAlias",
        "kms:DescribeKey",
        "kms:GetKeyPolicy",
        "kms:GetKeyRotationStatus",
        "kms:ListAliases",
        "kms:ListResourceTags",
        "kms:RetireGrant",
        "kms:ScheduleKeyDeletion",
        "logs:DeleteLogGroup",
        "logs:DescribeLogGroups",
        "logs:ListTagsLogGroup",
        "route53:ChangeTagsForResource",
        "route53:DeleteHostedZone",
        "route53:GetDNSSEC",
        "route53:GetHostedZone",
        "route53:ListResourceRecordSets",
        "route53:ListTagsForResource",
        "s3:GetObject",
        "s3:ListBucket"
      ]
    }
  ]
}
- Below the editor, click the orange “Next” button.
- Name the policy StreamkapDeprovisionAccess, and click “Create policy” at the bottom.
3. Create the Access Role
- Return to the IAM dashboard and navigate to “Roles”
- Click the orange “Create role” button.
- Under “trusted entity type”, select “Custom trust policy”.
- This will reveal a JSON editor field with the heading “Custom trust policy”.
- Replace the entire trust policy contents with the following.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws-us-gov:iam::158220502525:role/installer-delegation"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
- Click “Next” at the bottom of the page.
- Search for the StreamkapProvisionAccess and StreamkapDeprovisionAccess policies and check the boxes.
- Click “Next”.
- Name the role StreamkapInstallAccess (or another name of your choice).
- Click “Create role”.
- On the role page, locate the ARN field and make note of the value. It should take the form arn:aws:iam::{some number}:role/StreamkapInstallAccess.
- Copy the role ARN and share it with Streamkap, as listed in the overview.
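Before creating the two policies and the role, it is worth reviewing the documents the way an account owner reviewing third-party access would: which services the provision policy touches, which IAM actions in it can extend the holder's own access, whether any statement is resource-unscoped, and whether the trust policy names exactly the documented principal and nothing else. The script below is an added example, not Streamkap's code. It assumes the three JSON documents from this page have been saved locally as provision.json, deprovision.json and trust.json (file names are assumptions); without arguments it runs on a constructed five-action excerpt of the provision policy and on the page's trust policy. The list of escalation-capable IAM actions is the reviewer's own, not something the page states.

```python
"""Offline review of the Streamkap BYOC IAM documents before they are created.

Added example, not Streamkap's code. File names provision.json,
deprovision.json and trust.json are assumptions; pass them as arguments
or run without arguments to use the constructed excerpt below.
"""
import json
import sys

# Principal shown in the trust policy on the page.
EXPECTED_PRINCIPAL = "arn:aws-us-gov:iam::158220502525:role/installer-delegation"

# IAM actions that let the holder extend its own access (create or attach
# policies, pass roles, rewrite trust policies). Reviewer's own list.
ESCALATION_CAPABLE = {
    "iam:AttachRolePolicy", "iam:CreatePolicy", "iam:CreatePolicyVersion",
    "iam:CreateRole", "iam:PassRole", "iam:PutRolePolicy",
    "iam:UpdateAssumeRolePolicy",
}


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource/Principal."""
    return value if isinstance(value, list) else [value]


def audit_permissions(policy):
    """Summarise the Allow statements of an identity policy document."""
    report = {"wildcard_actions": [], "services": set(),
              "escalation_capable": [], "unscoped_statements": 0}
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if "*" in _as_list(st.get("Resource", [])):
            report["unscoped_statements"] += 1
        for action in _as_list(st.get("Action", [])):
            if "*" in action:
                report["wildcard_actions"].append(action)
            elif ":" in action:
                report["services"].add(action.split(":", 1)[0])
            if action in ESCALATION_CAPABLE:
                report["escalation_capable"].append(action)
    report["services"] = sorted(report["services"])
    return report


def audit_trust(trust_policy, expected_principal=EXPECTED_PRINCIPAL):
    """Check that only the expected principal may assume the role via sts:AssumeRole."""
    problems, has_external_id = [], False
    for st in _as_list(trust_policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        principals = (_as_list(principal.get("AWS", [])) if isinstance(principal, dict)
                      else _as_list(principal))
        if principals != [expected_principal]:
            problems.append(f"unexpected principal(s): {principals}")
        actions = set(_as_list(st.get("Action", [])))
        if actions != {"sts:AssumeRole"}:
            problems.append(f"unexpected actions: {sorted(actions)}")
        # Report (not require) an sts:ExternalId condition, if one is present.
        if any("sts:ExternalId" in v for v in st.get("Condition", {}).values()):
            has_external_id = True
    return {"ok": not problems, "problems": problems, "has_external_id": has_external_id}


# Constructed: the trust policy exactly as shown on the page.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "", "Effect": "Allow", "Principal": {"AWS": EXPECTED_PRINCIPAL},
     "Action": "sts:AssumeRole"}]}

# Constructed: a five-action excerpt of the page's provision policy.
PROVISION_EXCERPT = {"Version": "2012-10-17", "Statement": [
    {"Sid": "", "Effect": "Allow", "Resource": "*",
     "Action": ["eks:CreateCluster", "ec2:CreateVpc", "iam:PassRole",
                "iam:CreatePolicyVersion", "s3:PutObject"]}]}


def main(argv):
    if len(argv) == 4:  # provision.json deprovision.json trust.json
        docs = [json.load(open(p)) for p in argv[1:]]
        results = {"provision": audit_permissions(docs[0]),
                   "deprovision": audit_permissions(docs[1]),
                   "trust": audit_trust(docs[2])}
    else:
        results = {"provision_excerpt": audit_permissions(PROVISION_EXCERPT),
                   "trust": audit_trust(TRUST_POLICY)}
    print(json.dumps(results, indent=2))


if __name__ == "__main__":
    main(sys.argv)
```

Run against the full documents, the report shows that both policies are scoped by action only (every statement carries "Resource": "*", so `unscoped_statements` is 1 for each) and that the provision policy includes several escalation-capable IAM actions, which is the reason the page offers to remove that policy once the install is complete. Re-running the audit on deprovision.json alone shows the standing access that remains after that removal.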