IAM roles for AWS FIS experiments
AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. To use AWS FIS, you must create an IAM role that grants AWS FIS the permissions required so that AWS FIS can run experiments on your behalf. You specify this experiment role when you create an experiment template. The IAM policy for the experiment role must grant permission to modify the resources that you specify as targets in your experiment template.
We recommend that you follow the standard security practice of granting least privilege. You can do so by specifying specific resource ARNs or tags in your policies.
To help you get started with AWS FIS quickly, we provide AWS managed policies that you can specify when you create an experiment role. Alternatively, you can also use these policies as a model as you create your own inline policy documents.
Contents
Prerequisites
Before you begin, install the AWS CLI and create the required trust policy.
- Install the AWS CLI
-
Before you begin, install and configure the AWS CLI. When you configure the AWS CLI, you are prompted for AWS credentials. The examples in this procedure assume that you also configured a default Region. Otherwise, add the
--regionoption to each command. For more information, see Installing or updating the AWS CLI and Configuring the AWS CLI. - Create a trust relationship policy
-
An experiment role must have a trust relationship that allows the AWS FIS service to assume the role. Create a text file named
fis-role-trust-policy.jsonand add the following trust relationship policy.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "fis.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] }We recommend that you use the
aws:SourceAccountandaws:SourceArncondition keys to protect yourself against the confused deputy problem. The source account is the owner of the experiment and the source ARN is the ARN of the experiment. For example, you could add the following condition block to your trust policy."Condition": { "StringEquals": { "aws:SourceAccount": "account_id" }, "ArnLike": { "aws:SourceArn": "arn:aws:fis:region:account_id:experiment/*" } }
Option 1: Create an experiment role and attach an AWS managed policy
Use one of the AWS managed policies from AWS FIS to get started quickly.
To create an experiment role and attach an AWS managed policy
-
Verify that there is a managed policy for the AWS FIS actions in your experiment. Otherwise, you'll need to create your own inline policy document instead. For more information, see AWS managed policies for AWS Fault Injection Simulator.
-
Use the following create-role command to create a role and add the trust policy that you created in the prerequisites.
aws iam create-role --role-namemy-fis-role--assume-role-policy-document file://fis-role-trust-policy.json -
Use the following attach-role-policy command to attach the AWS managed policy.
aws iam attach-role-policy --role-namemy-fis-role--policy-arnfis-policy-arnWhere
fis-policy-arnis one of the following:-
arn:aws:iam::aws:policy/service-role/AWSFaultInjectionSimulatorEC2Access
-
arn:aws:iam::aws:policy/service-role/AWSFaultInjectionSimulatorECSAccess
-
arn:aws:iam::aws:policy/service-role/AWSFaultInjectionSimulatorEKSAccess
-
arn:aws:iam::aws:policy/service-role/AWSFaultInjectionSimulatorNetworkAccess
-
arn:aws:iam::aws:policy/service-role/AWSFaultInjectionSimulatorRDSAccess
-
arn:aws:iam::aws:policy/service-role/AWSFaultInjectionSimulatorSSMAccess
-
Option 2: Create an experiment role and add an inline policy document
Use this option for actions that don't have a managed policy, or to include only the permissions that are required for your specific experiment.
To create an experiment and add an inline policy document
-
Use the following create-role command to create a role and add the trust policy that you created in the prerequisites.
aws iam create-role --role-namemy-fis-role--assume-role-policy-document file://fis-role-trust-policy.json -
Create a text file named
fis-role-permissions-policy.jsonand add a permissions policy. For an example that you can use as a starting point, see the following.-
Fault injection actions – Start from the following policy.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowFISExperimentRoleFaultInjectionActions", "Effect": "Allow", "Action": [ "fis:InjectApiInternalError", "fis:InjectApiThrottleError", "fis:InjectApiUnavailableError" ], "Resource": "arn:*:fis:*:*:experiment/*" } ] } -
Amazon EBS actions – Start from the following policy.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeVolumes" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:PauseVolumeIO" ], "Resource": "arn:aws:ec2:*:*:volume/*" } ] } -
Amazon EC2 actions – Start from the AWSFaultInjectionSimulatorEC2Access policy.
-
Amazon ECS actions – Start from the AWSFaultInjectionSimulatorECSAccess policy.
-
Amazon EKS actions – Start from the AWSFaultInjectionSimulatorEKSAccess policy.
-
Network actions – Start from the AWSFaultInjectionSimulatorNetworkAccess policy.
-
Amazon RDS actions – Start from the AWSFaultInjectionSimulatorRDSAccess policy.
-
Systems Manager actions – Start from the AWSFaultInjectionSimulatorSSMAccess policy.
-
-
Use the following put-role-policy command to add the permissions policy that you created in the previous step.
aws iam put-role-policy --role-namemy-fis-role--policy-namemy-fis-policy--policy-document file://fis-role-permissions-policy.json
