# AWS Role Permissions
This page provides a comprehensive overview of the AWS role permissions required to integrate your account with Epsio.
Epsio's unique deployment model involves creating instances that reside in your cloud account, which Epsio manages.
This provides the benefits of a managed service while ensuring that sensitive data never leaves your environment and Epsio does not have access to your data.
## Permissions
When integrating with AWS, Epsio is granted permissions to create and manage its deployment in your account.
Epsio's role can create resources, such as EC2 instances and security groups, in the selected VPC and subnet, and can manage or edit only resources that were created by Epsio and carry the Epsio tag (`Owner=Epsio`).
| Role | Permissions |
|---|---|
| Launch | **Limited to the selected VPC and subnet:** `ec2:RunInstances`, `ec2:CreateTags`, `ec2:CreateSecurityGroup` |
| Instance Management | **Limited to Epsio resources (where `Owner=Epsio`):** `ec2:RebootInstances`, `ec2:StopInstances`, `ec2:TerminateInstances`, `ec2:StartInstances`, `ec2:AttachVolume`, `ec2:DetachVolume`, `ec2:AssociateIamInstanceProfile`, `ec2:DisassociateIamInstanceProfile`, `ec2:GetConsoleScreenshot`, `ec2:ReplaceIamInstanceProfileAssociation` |
| Security Group Management | **Limited to Epsio resources (where `Owner=Epsio`):** `ec2:AuthorizeSecurityGroupIngress`, `ec2:RevokeSecurityGroupIngress`, `ec2:AuthorizeSecurityGroupEgress`, `ec2:RevokeSecurityGroupEgress`, `ec2:ModifySecurityGroupRules`, `ec2:UpdateSecurityGroupRuleDescriptionsIngress`, `ec2:UpdateSecurityGroupRuleDescriptionsEgress` |
| Monitoring | `ec2:DescribeSubnets`, `ec2:DescribeVolumes`, `ec2:DescribeSecurityGroups`, `ec2:DescribeInstances`, `ec2:DescribeInstanceStatus`, `ec2:DescribeVpcs` |
| Termination | **Limited to Epsio resources (based on Epsio's resource names):** `cloudformation:DeleteStack`, `iam:DeleteRole`, `iam:DeleteRolePolicy`, `iam:DeleteFunction`, `lambda:InvokeFunction` |
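The scoping the table describes, written out as an IAM policy so the two boundaries are visible: launch is pinned to one subnet and VPC by resource ARN, and management actions require the `Owner=Epsio` resource tag. This is an added illustration, not Epsio's actual role policy; `REGION`, `ACCOUNT_ID`, `VPC_ID` and `SUBNET_ID` are placeholders, the `ec2:CreateAction` and `ec2:ResourceTag/Owner` condition keys are the standard IAM mechanisms assumed here, and the termination statement is left out.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LaunchOnlyInSelectedVpcAndSubnet",
      "Effect": "Allow",
      "Action": ["ec2:RunInstances", "ec2:CreateSecurityGroup"],
      "Resource": [
        "arn:aws:ec2:REGION:ACCOUNT_ID:subnet/SUBNET_ID",
        "arn:aws:ec2:REGION:ACCOUNT_ID:vpc/VPC_ID",
        "arn:aws:ec2:REGION:ACCOUNT_ID:instance/*",
        "arn:aws:ec2:REGION:ACCOUNT_ID:volume/*",
        "arn:aws:ec2:REGION:ACCOUNT_ID:network-interface/*",
        "arn:aws:ec2:REGION:ACCOUNT_ID:security-group/*",
        "arn:aws:ec2:REGION::image/ami-*"
      ]
    },
    {
      "Sid": "TagOnlyAtCreation",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:REGION:ACCOUNT_ID:*/*",
      "Condition": {
        "StringEquals": {"ec2:CreateAction": ["RunInstances", "CreateSecurityGroup"]}
      }
    },
    {
      "Sid": "ManageOnlyEpsioTaggedResources",
      "Effect": "Allow",
      "Action": [
        "ec2:RebootInstances", "ec2:StopInstances", "ec2:StartInstances",
        "ec2:TerminateInstances", "ec2:AttachVolume", "ec2:DetachVolume",
        "ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress", "ec2:RevokeSecurityGroupEgress"
      ],
      "Resource": "arn:aws:ec2:REGION:ACCOUNT_ID:*/*",
      "Condition": {
        "StringEquals": {"ec2:ResourceTag/Owner": "Epsio"}
      }
    },
    {
      "Sid": "ReadOnlyMonitoring",
      "Effect": "Allow",
      "Action": ["ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeVolumes",
                 "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs"],
      "Resource": "*"
    }
  ]
}
```

Because `ec2:CreateTags` is allowed only alongside the listed create actions, the role cannot later tag an arbitrary instance `Owner=Epsio` to bring it under its own management; the `Describe*` actions do not support resource-level permissions, which is why that statement alone needs `"Resource": "*"`.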