Create an IAM role for AWS FIS - AWS Fault Injection Simulator

Create an IAM role for AWS FIS

AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. To use AWS FIS, you must create an IAM role that grants AWS FIS the permissions required so that AWS FIS can run experiments on your behalf. You specify this IAM role when you create an experiment template. The IAM policy for the IAM role must grant permission to modify the resources that you specify as targets in your experiment template.

As a best practice, we recommend that you follow the standard security practice of granting least privilege. You can do so by specifying specific resource ARNs or tags in your policies.

Required trust relationship

The IAM role must have a trust relationship that allows the AWS FIS service to assume the role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "fis.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

We recommend that you use the aws:SourceAccount and aws:SourceArn condition keys to protect yourself against the confused deputy problem. The source account is the owner of the experiment and the source ARN is the ARN of the experiment. For example, you could add the following condition block to the trust policy.

"Condition": {
    "StringEquals": {
        "aws:SourceAccount": "account_id"
    },
    "ArnLike": {
        "aws:SourceArn": "arn:aws:fis:region:account_id:experiment/*"
    }
}
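The following Python is an added example, not code from the AWS documentation: it builds the trust policy with the two confused-deputy conditions described above for a given account and region, and lints an existing trust policy to flag any statement that lets fis.amazonaws.com assume the role without both conditions. The account ID and region passed in are placeholders.

```python
import json

# Added example (not from the AWS docs). The service principal is the one the
# page gives; account_id/region are caller-supplied placeholders.
FIS_SERVICE = "fis.amazonaws.com"


def build_fis_trust_policy(account_id: str, region: str) -> dict:
    """Trust policy that only lets FIS experiments owned by this account, in this
    region, assume the role (aws:SourceAccount + aws:SourceArn conditions)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": [FIS_SERVICE]},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {
                    "aws:SourceArn": f"arn:aws:fis:{region}:{account_id}:experiment/*"
                },
            },
        }],
    }


def lint_trust_policy(policy: dict) -> list:
    """Return one finding per missing confused-deputy condition on any Allow
    statement that grants sts:AssumeRole to the FIS service principal."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        services = stmt.get("Principal", {}).get("Service", [])
        if isinstance(services, str):
            services = [services]
        if FIS_SERVICE not in services:
            continue
        # Serialise the condition block so nested keys are found regardless of operator.
        cond = json.dumps(stmt.get("Condition", {}))
        for key in ("aws:SourceAccount", "aws:SourceArn"):
            if key not in cond:
                findings.append(f"statement {i}: missing {key} condition")
    return findings


if __name__ == "__main__":
    policy = build_fis_trust_policy("111122223333", "us-east-1")  # placeholder values
    print(json.dumps(policy, indent=4))
    print("findings:", lint_trust_policy(policy))
```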

Example: Permissions for CloudWatch actions

The following policy grants AWS FIS permission to use the AWS FIS actions for Amazon CloudWatch.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowFISExperimentRoleCloudWatchActions",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:DescribeAlarms"
            ],
            "Resource": "*"
        }
    ]
}

Example: Permissions for Amazon EC2 actions

The following policy grants AWS FIS permission to use the AWS FIS actions for Amazon EC2.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowFISExperimentRoleEC2ReadOnly",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowFISExperimentRoleEC2Actions",
            "Effect": "Allow",
            "Action": [
                "ec2:RebootInstances",
                "ec2:StopInstances",
                "ec2:StartInstances",
                "ec2:TerminateInstances"
            ],
            "Resource": "arn:aws:ec2:*:*:instance/*"
        },
        {
            "Sid": "AllowFISExperimentRoleSpotInstanceActions",
            "Effect": "Allow",
            "Action": [
                "ec2:SendSpotInstanceInterruptions"
            ],
            "Resource": "arn:aws:ec2:*:*:instance/*"
        }
    ]
}
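The following Python is an added example, not code from the AWS documentation. It applies the least-privilege advice from the top of the page to the EC2 policy above: every statement that contains a mutating (non-Describe/List/Get) action gets an aws:ResourceTag condition so FIS can only act on instances carrying a chosen tag, and a second function flags mutating statements that are scoped to neither a specific resource ARN nor a condition. The tag key and value are placeholders, and the example assumes the aws:ResourceTag condition key applies to each of the listed instance actions.

```python
import copy

# Added example (not from the AWS docs). Policy below is the page's EC2 example,
# trimmed to the statements the functions operate on.
READ_ONLY_PREFIXES = ("Describe", "List", "Get")

EC2_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowFISExperimentRoleEC2ReadOnly", "Effect": "Allow",
         "Action": ["ec2:DescribeInstances"], "Resource": "*"},
        {"Sid": "AllowFISExperimentRoleEC2Actions", "Effect": "Allow",
         "Action": ["ec2:RebootInstances", "ec2:StopInstances",
                    "ec2:StartInstances", "ec2:TerminateInstances"],
         "Resource": "arn:aws:ec2:*:*:instance/*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_read_only(action: str) -> bool:
    """Treat Describe*/List*/Get* API actions as non-mutating."""
    return action.split(":", 1)[1].startswith(READ_ONLY_PREFIXES)


def scope_to_tag(policy: dict, tag_key: str, tag_value: str) -> dict:
    """Copy of the policy where each statement holding a mutating action is
    restricted to resources tagged tag_key=tag_value; read-only statements are untouched."""
    scoped = copy.deepcopy(policy)
    for stmt in scoped["Statement"]:
        if all(is_read_only(a) for a in _as_list(stmt["Action"])):
            continue
        cond = stmt.setdefault("Condition", {})
        cond.setdefault("StringEquals", {})[f"aws:ResourceTag/{tag_key}"] = tag_value
    return scoped


def unscoped_mutating_statements(policy: dict) -> list:
    """Sids of statements that allow a mutating action on Resource "*" with no Condition."""
    out = []
    for stmt in policy["Statement"]:
        mutating = any(not is_read_only(a) for a in _as_list(stmt["Action"]))
        if mutating and "*" in _as_list(stmt["Resource"]) and "Condition" not in stmt:
            out.append(stmt.get("Sid", "<no sid>"))
    return out


if __name__ == "__main__":
    print(scope_to_tag(EC2_POLICY, "FisTarget", "true"))  # placeholder tag
```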

Example: Permissions for Amazon ECS actions

The following policy grants AWS FIS permission to use the AWS FIS actions for Amazon ECS.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowFISExperimentRoleECSReadOnly",
            "Effect": "Allow",
            "Action": [
                "ecs:DescribeClusters",
                "ecs:ListContainerInstances"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowFISExperimentRoleECSUpdateState",
            "Effect": "Allow",
            "Action": [
                "ecs:UpdateContainerInstancesState"
            ],
            "Resource": "arn:aws:ecs:*:*:container-instance/*"
        }
    ]
}

Example: Permissions for Amazon EKS actions

The following policy grants AWS FIS permission to use the AWS FIS actions for Amazon EKS.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowFISExperimentRoleEKSReadOnly",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "eks:DescribeNodegroup"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowFISExperimentRoleEKSActions",
            "Effect": "Allow",
            "Action": [
                "ec2:TerminateInstances"
            ],
            "Resource": "arn:aws:ec2:*:*:instance/*"
        }
    ]
}

Example: Permissions for Amazon RDS actions

The following policy grants AWS FIS permission to use the AWS FIS actions for Amazon RDS.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowFISExperimentRoleRDSReadOnly",
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBInstances",
                "rds:DescribeDbClusters"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowFISExperimentRoleRDSReboot",
            "Effect": "Allow",
            "Action": [
                "rds:RebootDBInstance"
            ],
            "Resource": "arn:aws:rds:*:*:db:*"
        },
        {
            "Sid": "AllowFISExperimentRoleRDSFailOver",
            "Effect": "Allow",
            "Action": [
                "rds:FailoverDBCluster"
            ],
            "Resource": "arn:aws:rds:*:*:cluster:*"
        }
    ]
}

Example: Permissions for Systems Manager actions

The following policy grants AWS FIS permission to use the AWS FIS actions for Systems Manager.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowFISExperimentRoleSSMReadOnly",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ssm:GetAutomationExecution",
                "ssm:ListCommands"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowFISExperimentRoleSSMSendCommand",
            "Effect": "Allow",
            "Action": [
                "ssm:SendCommand"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ssm:*:*:document/*"
            ]
        },
        {
            "Sid": "AllowFISExperimentRoleSSMCancelCommand",
            "Effect": "Allow",
            "Action": [
                "ssm:CancelCommand"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowFISExperimentRoleSSMAutomation",
            "Effect": "Allow",
            "Action": [
                "ssm:StartAutomationExecution",
                "ssm:StopAutomationExecution"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowFISExperimentRoleSSMAutomationPassRole",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "arn:aws:iam::123456789012:role/my-automation-role"
        }
    ]
}

Example: Permissions for fault injection actions

The following policy grants AWS FIS permission to use the AWS FIS actions for fault injection.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowFISExperimentRoleFaultInjectionReadOnly",
            "Effect": "Allow",
            "Action": [
                "iam:ListRoles"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowFISExperimentRoleFaultInjectionActions",
            "Effect": "Allow",
            "Action": [
                "fis:InjectApiInternalError",
                "fis:InjectApiThrottleError",
                "fis:InjectApiUnavailableError"
            ],
            "Resource": "arn:*:fis:*:*:experiment/*"
        }
    ]
}