/
02. Add IAM Policy for DynamoDB Scan Permission

02. Add IAM Policy for DynamoDB Scan Permission

Conclusion (Example of required IAM Policy)

Policy 1 (Recommendation)

{
    "Version": "2012-10-17",
 “Statement”: [
 {
            "Sid": "AllowDecryptWithAlias",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
 ],
            "Resource": [
                "*"
 ],
            "Condition": {
                "ForAnyValue:StringLike": {
                    "kms:ResourceAliases": "*instance-scheduler-encryption-key*"
                }
 }
 }
 ]
}

Policy 2

{
    "Version": "2012-10-17",
 “Statement”: [
 {
            "Sid": "InstanceSchedulerKMSDecrytionPolicy",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
 ],
            "Resource": [
 “{KMS ARN used when configuring AWS Instance Scheduler}”
 ]
 }
 ]
}

 

Why additional permissions are required for the existing registered CloudXper IAM user permissions to use the Power Scheduler management function?

The CXP PowerScheduler management feature provides management capabilities for schedulers implemented with AWS's CloudFormation-based Instance Scheduler Template.

Additionally, the CXP Power Scheduler management feature The values stored in the Instance Scheduler related tables in DynamoDB Use it to manage power schedule related settings (power schedule tag/power scheduled period).

Therefore, to retrieve the power scheduling related settings, KMS for DynamoDB used in Instance Scheduler (automatically created when creating Instance Scheduler) KMS Decrypt (Decryption permission) is additionally required.

 

For users who will use Policy 1 among the policies presented above, please proceed from '2. Create IAM Policy required for DynamoDB Scan' in the setup sequence below. Thank you for your attention.

1. Check KMS and DynamoDB information in CloudFormation that created Instance-Scheduler

→ Access the AWS Console, go to CloudFormation > “Stack” menu, and select the CloudFormation stack that created AWS InstanceScheduler.

image-20240726-134735.png

→ Select the “Resources” tab and then select the “Flat View” button.

image-20240726-134819.png

 

→ Enter Table in the search field and select ConfigTable / Check the physical ID value of StateTable / MaintenanceWindowTable and click the shortcut button to move to the corresponding resource.

image-20240726-134846.png

→ After moving to the resource, select the “Additional Settings” tab, check the Key ID section in the Encryption section, and save it separately.

 

Normally, the KMS key IDs used in all three tables are the same, but if they are different, make a note of all three key IDs.

 

Required deliverables from the staff

  • KMS ARN used when configuring AWS Instance Scheduler

  • example : arn:aws:kms:ap-northeast-1:789493429548:key/15910e03-4e38-4f6e-a5b8-0f963c1e88c5

 

 

2. Create IAM Policy required for DynamoDB Scan

image-20240726-134925.png

→ Go to IAM > Policy tab and select “Create Policy”

image-20240726-134955.png

→ After changing the editing method to “JSON” JSON format belowclass Refer to the image aboveAfter editing the policy, select the "Next" button.

 

Policy content can be set in two ways.

Policy 1 is a method of granting permission to KMS used by all schedulers in the account (regardless of region).

Policy 2 is a way to grant permission to KMS used by a specific scheduler.

Therefore, we recommend that you proceed with method 1, which grants KMS permission to the Power Scheduler in all regions.

 

Policy 1 (Recommendation)

{
    "Version": "2012-10-17",
 “Statement”: [
 {
            "Sid": "AllowDecryptWithAlias",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
 ],
            "Resource": [
                "*"
 ],
            "Condition": {
                "ForAnyValue:StringLike": {
                    "kms:ResourceAliases": "*instance-scheduler-encryption-key*"
                }
 }
 }
 ]
}

Policy 2 (Recommended to fill in the details as 1)

{
    "Version": "2012-10-17",
 “Statement”: [
 {
            "Sid": "InstanceSchedulerKMSDecrytionPolicy",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
 ],
            "Resource": [
 “{KMS ARN used when configuring AWS Instance Scheduler}”
 ]
 }
 ]
}

 

image-20240726-135116.png

→ Enter a policy name that can identify the purpose (e.g. InstanceSchedulerKMSDecrytionPolicy) and select "Create Policy"

 

 

 

3. Add a policy to the IAM account that holds the access and secret keys registered in CloudXper.

image-20240726-135147.png

→ In the IAM > User tab, search for and select an account registered to CloudXper.

 

image-20240726-135216.png

→ Select “Add Permissions”

image-20240726-135248.png

→ After selecting "Direct Policy Connection", search for the policy created in step 2., select the checkbox on the left, and then select the "Next" button.

→ Select “Add Permissions” on the screen that appears afterwards.

image-20240726-135323.png

→ Check the added policy details