The former Porticor support site is now frozen. Please refer to our Intuit page.

Amazon IAM Policy with Porticor

Porticor's solution fully supports Amazon's Identity and Access Management (AWS IAM) facility. A user may enter his or her personal credentials, instead of the AWS account's global credentials. Of course, we also support using the account credentials. And all this is fully integrated with our Key Management solution.

Porticor requires IAM privileges for a wide range of activities, such as:

  • Launching the appliance from the New Project wizard.
  • Launching additional appliances in the same project.
  • Manipulating security groups.
  • Working with EBS disks.
  • Accessing S3 objects.

We request your Amazon credentials in several locations. Below are the exact privileges that must be associated with these credentials.

The simple way

Create a new IAM user, assign the user a Power User policy, generate access keys for the user and provide them to Porticor.

If you prefer the credentials to have lower privileges (the least privilege principle), read on.

Launching a Virtual Appliance using the Quick Launch Wizard

These credentials are used only once, when setting up the appliance and launching it. After the appliance is ready, they are forgotten.

The required policy is:

  • Allow any EC2 operations.
    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ec2:*",
          "Resource": "*"
        }
      ]
    }

Per-project AWS Credentials

These credentials are requested when you create an appliance in a new project. The credentials are stored in encrypted form, protected by your master secret. If needed, you may re-enter these credentials from the Protected File Systems, Distributed Storage and Virtual Appliances pages.

The required policy for these credentials is:

  • Allow any EC2, SQS, CloudTrail and S3 operations.
  {
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "ec2:*",
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": "sqs:*",
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": "cloudtrail:*",
        "Resource": "*"
      }
    ]
  }

S3-Only Credentials

When you define credentials in the Access Keys table of the Distributed Storage page, these credentials will be used for S3 operations only. The appropriate policy is therefore:

  • Allow any S3 operations.
  {
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": "*"
      }
    ]
  }

More Restricted EC2 Policy

If you do not want to grant ec2:* , this policy replaces the wildcard with an explicit list of EC2 actions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1436712073000",
            "Effect": "Allow",
            "Action": [
                "ec2:AllocateAddress",
                "ec2:AssignPrivateIpAddresses",
                "ec2:AssociateAddress",
                "ec2:AttachVolume",
                "ec2:CreateSecurityGroup",
                "ec2:CreateTags",
                "ec2:CreateVolume",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteTags",
                "ec2:DeleteVolume",
                "ec2:Describe*",
                "ec2:DetachVolume",
                "ec2:DisassociateAddress",
                "ec2:EnableVolumeIO",
                "ec2:ImportVolume",
                "ec2:ModifyInstanceAttribute",
                "ec2:ModifyVolumeAttribute",
                "ec2:RebootInstances",
                "ec2:ResetInstanceAttribute",
                "ec2:RunInstances",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
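To check that a narrowed policy such as the one above still covers the actions you need, and to flag service-wide wildcards like ec2:* or s3:*, here is an added Python example; it is not Porticor's code and makes no AWS calls. The two sample policies and the required-action lists are constructed for illustration, and the matching imitates IAM's case-insensitive Action wildcards.

```python
import fnmatch
import json

# Constructed samples (not from the page): a narrowed EC2 policy in the style
# of the "More Restricted EC2 Policy" above, and the broad ec2:* grant.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:Describe*", "ec2:AttachVolume", "ec2:RunInstances"],
        "Resource": ["*"],
    }],
})
BROAD_POLICY = json.dumps(
    {"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]})

def is_well_formed(policy_json):
    """True when the document parses as JSON; a missing comma between
    statements (a common copy-paste error) makes this False."""
    try:
        json.loads(policy_json)
        return True
    except ValueError:
        return False

def allowed_actions(policy_json):
    """Collect the Action patterns of every Allow statement."""
    patterns = set()
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns.update([actions] if isinstance(actions, str) else actions)
    return patterns

def _matches(pattern, action):
    # IAM matches Action values case-insensitively; '*' and '?' are globs.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def check_coverage(policy_json, required_actions):
    """Return (missing, broad): required actions that no Allow pattern
    covers, and patterns that grant a whole service ('svc:*') or '*'."""
    patterns = allowed_actions(policy_json)
    missing = sorted(a for a in required_actions
                     if not any(_matches(p, a) for p in patterns))
    broad = sorted(p for p in patterns if p == "*" or p.endswith(":*"))
    return missing, broad
```

Run check_coverage against the full action list you intend to grant; an empty "missing" list with an empty "broad" list is the least-privilege outcome.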