AWS Configuration

This page outlines how to enable AWS features on CAS Manager through the AWS management console. The first step is to create a policy that can be attached to a service account. This service account will allow CAS Manager to manage resources within the provided AWS account.

Roles and Permissions for AWS

Prior to creating and assigning a permissions policy, you need to ensure that it contains the following permissions:

  • Service: EC2
  • Actions:
    • List: DescribeInstances
    • Write: RebootInstances, StartInstances, StopInstances, TerminateInstances

There are additional permissions needed to verify that the policy has all the required permissions before being added to a deployment:

  • Service: IAM
  • Actions:
    • List: ListAttachedUserPolicies, ListUserPolicies
    • Read: GetUser, GetUserPolicy, GetPolicy, GetPolicyVersion, SimulatePrincipalPolicy

If the user tries to add an AWS policy that doesn't have these permissions, CAS Manager will still add the policy but will not validate that it has the required permissions.

Note that the permissions required for AWS configuration with CAS Manager as a Service are different from the permissions required for CAS Manager. See AWS Permissions Policies for CAS Manager as a Service for information on these permissions. Currently, the permissions required for Azure and GCP configuration are the same for CAS Manager and CAS Manager as a Service.

Create a CAS Manager Policy in AWS

The following steps outline how to create the required AWS policy that you can attach to an AWS user to manage AWS resources:

  1. Go to the IAM Management page in the AWS management console.
  2. From the sidebar, click Policies.
  3. Click Create policy.
  4. For Service click EC2 from the list of services.
  5. Under Access level expand the List section and select DescribeInstances.
  6. Under Access level expand the Write section and select the following permissions:
    • RebootInstances
    • StartInstances
    • StopInstances
    • TerminateInstances
  7. For Service click IAM from the list of services.
  8. Under Access level expand the Read section and select the following permissions:
    • GetUser
    • SimulatePrincipalPolicy
  9. For Resources click All resources.
  10. Leave Request conditions blank and click Review policy.
  11. Give the newly created policy a name and click Create policy.
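Before attaching the policy, its JSON document can be checked offline against the action lists in the Roles and Permissions section. The following is an added example, not part of CAS Manager or of the original page; the sample policy is constructed to mirror the selections in the steps above, and the function names are hypothetical.

```python
import json
from fnmatch import fnmatchcase

# Action lists copied from the "Roles and Permissions for AWS" section.
EC2_REQUIRED = ["ec2:DescribeInstances", "ec2:RebootInstances",
                "ec2:StartInstances", "ec2:StopInstances",
                "ec2:TerminateInstances"]
IAM_VALIDATION = ["iam:ListAttachedUserPolicies", "iam:ListUserPolicies",
                  "iam:GetUser", "iam:GetUserPolicy", "iam:GetPolicy",
                  "iam:GetPolicyVersion", "iam:SimulatePrincipalPolicy"]

# Constructed sample: a policy document equivalent to the selections in
# steps 4-9 (EC2 List/Write actions, two IAM Read actions, all resources).
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": EC2_REQUIRED},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["iam:GetUser", "iam:SimulatePrincipalPolicy"]},
]})

def _patterns(policy, effect):
    """Collect lower-cased Action patterns from statements with this Effect."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):   # Statement may be a single object
        statements = [statements]
    found = []
    for stmt in statements:
        actions = stmt.get("Action", [])
        if isinstance(actions, str):   # Action may be a string or a list
            actions = [actions]
        if stmt.get("Effect") == effect:
            found.extend(a.lower() for a in actions)
    return found

def missing_actions(policy_json, required):
    """Return the required actions that the policy document does not allow."""
    # Simplification (assumption): only Effect and Action are inspected, so a
    # Deny on an action always counts as a miss; Resource, Condition and
    # NotAction are ignored. Action names are case-insensitive; * and ? match.
    policy = json.loads(policy_json)
    allow, deny = _patterns(policy, "Allow"), _patterns(policy, "Deny")
    def permitted(action):
        name = action.lower()
        return (any(fnmatchcase(name, p) for p in allow)
                and not any(fnmatchcase(name, p) for p in deny))
    return [a for a in required if not permitted(a)]

if __name__ == "__main__":
    print("EC2 missing:", missing_actions(SAMPLE_POLICY, EC2_REQUIRED))
    print("IAM missing:", missing_actions(SAMPLE_POLICY, IAM_VALIDATION))
```

An empty list means every action in that group is allowed by the document; a non-empty list for the IAM group corresponds to the case described earlier, where the policy is still added but is not validated.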

Create CAS Manager Service Account for AWS

This service account will have the ability to perform required actions in AWS. This will let the service account manage resources that the user has access to.

The following steps outline how to create the CAM service account:

  1. Go to the IAM Management page in the AWS management console.
  2. From the sidebar, click Users.
  3. Click Add user.
  4. Give the user a name and select Programmatic access as the Access type.
  5. Click Next: Permissions.
  6. Click Attach existing policies directly, search for the policy you created above that has EC2 permissions, and select it. Optionally, you can add a tag to this role.
  7. Click Next: Review.
  8. Click Create user.
  9. Copy the User name, Access key ID and Secret access key credentials and save them to a secure location.

Add the AWS Service Account to a CAS Manager Deployment

The next step is to add the AWS service account that you created in the AWS management console in the previous steps to CAS Manager. This service account will have the CAM policy created in the previous step.

The following steps outline how to add the information to CAS Manager:

  1. Log in to CAS Manager.
  2. Select the CAS Manager deployment you want to add the AWS service account to.
  3. Click Edit Deployment.
  4. Click the Cloud service accounts tab and open the AWS container.
  5. Enter the User name, Access key ID and Secret access key values that you saved previously in the AWS form.
  6. Click Submit.

CAS Manager will now be able to manage AWS machines that get added to this deployment.