Set up IAM permissions - AWS Fault Injection Simulator

Set up IAM permissions

AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be authenticated (signed in) and authorized (have permissions) to use AWS FIS resources. IAM is an AWS service that you can use with no additional charge.

To use AWS FIS, set up the following permissions.

  • Permissions for the IAM users and roles that will work with AWS FIS

  • Permissions for AWS FIS that allow it to run experiments on your behalf

Step 1: Set up permissions for IAM users and roles

By default, IAM users do not have permission to work with AWS FIS. You can use IAM identity-based policies to specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied.

The following example policy grants the user full access to the AWS FIS console and API actions.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "FISPermissions",
          "Effect": "Allow",
          "Action": ["fis:*"],
          "Resource": "*"
        },
        {
          "Sid": "ReadOnlyActions",
          "Effect": "Allow",
          "Action": [
            "ssm:Describe*",
            "ssm:Get*",
            "ssm:List*",
            "ec2:DescribeInstances",
            "rds:DescribeDBClusters",
            "ecs:DescribeClusters",
            "ecs:ListContainerInstances",
            "eks:DescribeNodegroup",
            "cloudwatch:DescribeAlarms",
            "iam:ListRoles"
          ],
          "Resource": "*"
        },
        {
          "Sid": "IAMPassRolePermissions",
          "Effect": "Allow",
          "Action": ["iam:PassRole"],
          "Resource": "arn:aws:iam::111122223333:role/roleName"
        },
        {
          "Sid": "PermissionsToCreateServiceLinkedRole",
          "Effect": "Allow",
          "Action": "iam:CreateServiceLinkedRole",
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "iam:AWSServiceName": "fis.amazonaws.com"
            }
          }
        }
      ]
    }

You can modify the preceding policy to restrict permissions to specific API operations. For more policy examples, see AWS Fault Injection Simulator policy examples. For more information about identity-based policies, see Identity and access management for AWS Fault Injection Simulator.

Step 2: Set up the IAM role for the AWS FIS service

When you create an experiment template, you must specify an IAM role that grants the AWS FIS service permission to perform actions on your behalf. The IAM policy for the IAM role must grant permission to modify the resources that you specify as targets in your experiment template.

The following policy contains the API actions that are needed by AWS FIS to conduct experiments on supported AWS FIS resources. As a best practice, we recommend following the standard security advice of granting least privilege. You can do so by specifying specific resource ARNs or tags in your policy.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowFISExperimentRoleReadOnly",
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeInstances",
            "ecs:DescribeClusters",
            "ecs:ListContainerInstances",
            "eks:DescribeNodegroup",
            "iam:ListRoles",
            "rds:DescribeDBInstances",
            "rds:DescribeDBClusters",
            "ssm:ListCommands"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowFISExperimentRoleEC2Actions",
          "Effect": "Allow",
          "Action": [
            "ec2:RebootInstances",
            "ec2:StopInstances",
            "ec2:StartInstances",
            "ec2:TerminateInstances"
          ],
          "Resource": "arn:aws:ec2:*:*:instance/*"
        },
        {
          "Sid": "AllowFISExperimentRoleECSActions",
          "Effect": "Allow",
          "Action": [
            "ecs:UpdateContainerInstancesState",
            "ecs:ListContainerInstances"
          ],
          "Resource": "arn:aws:ecs:*:*:container-instance/*"
        },
        {
          "Sid": "AllowFISExperimentRoleEKSActions",
          "Effect": "Allow",
          "Action": ["ec2:TerminateInstances"],
          "Resource": "arn:aws:ec2:*:*:instance/*"
        },
        {
          "Sid": "AllowFISExperimentRoleFISActions",
          "Effect": "Allow",
          "Action": [
            "fis:InjectApiInternalError",
            "fis:InjectApiThrottleError",
            "fis:InjectApiUnavailableError"
          ],
          "Resource": "arn:*:fis:*:*:experiment/*"
        },
        {
          "Sid": "AllowFISExperimentRoleRDSReboot",
          "Effect": "Allow",
          "Action": ["rds:RebootDBInstance"],
          "Resource": "arn:aws:rds:*:*:db:*"
        },
        {
          "Sid": "AllowFISExperimentRoleRDSFailOver",
          "Effect": "Allow",
          "Action": ["rds:FailoverDBCluster"],
          "Resource": "arn:aws:rds:*:*:cluster:*"
        },
        {
          "Sid": "AllowFISExperimentRoleSSMSendCommand",
          "Effect": "Allow",
          "Action": ["ssm:SendCommand"],
          "Resource": [
            "arn:aws:ec2:*:*:instance/*",
            "arn:aws:ssm:*:*:document/*"
          ]
        },
        {
          "Sid": "AllowFISExperimentRoleSSMCancelCommand",
          "Effect": "Allow",
          "Action": ["ssm:CancelCommand"],
          "Resource": "*"
        }
      ]
    }

In addition, the IAM role must have a trust relationship that allows the AWS FIS service to assume the role.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": ["fis.amazonaws.com"]
          },
          "Action": "sts:AssumeRole",
          "Condition": {}
        }
      ]
    }
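The least-privilege advice above (scope the experiment role's mutating actions to specific ARNs or tags, and let only fis.amazonaws.com assume the role) can be checked mechanically before a role is attached to an experiment template. The following is an added example and not AWS or FIS code; the policies it inspects are constructed samples shaped like this page's examples, and the tag key FIS-Ready is an assumed convention.

```python
import copy
import json
# Constructed sample policies (not AWS FIS's own): a trimmed experiment-role policy
# with one deliberately over-broad statement, and the page's trust relationship.
EXPERIMENT_ROLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadOnly", "Effect": "Allow",
     "Action": ["ec2:DescribeInstances", "rds:DescribeDBClusters"], "Resource": "*"},
    {"Sid": "EC2Actions", "Effect": "Allow",
     "Action": ["ec2:StopInstances", "ec2:TerminateInstances"], "Resource": "*"},
    {"Sid": "RDSFailOver", "Effect": "Allow",
     "Action": ["rds:FailoverDBCluster"], "Resource": "arn:aws:rds:*:*:cluster:*"}
  ]}""")
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal":
    {"Service": ["fis.amazonaws.com"]}, "Action": "sts:AssumeRole", "Condition": {}}]}

READ_ONLY_PREFIXES = ("Describe", "Get", "List")

def _as_list(value):  # Action, Resource and Principal.Service may be a string or a list
    return value if isinstance(value, list) else [value]

def is_read_only(action):
    return action.split(":", 1)[1].startswith(READ_ONLY_PREFIXES)

def find_broad_mutating_statements(policy):
    """Sids of Allow statements that grant a mutating action on Resource "*" without
    a Condition: the candidates to scope down to specific ARNs or tags."""
    flagged = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        if "*" in _as_list(st.get("Resource", [])) and any(
                not is_read_only(a) for a in _as_list(st["Action"])):
            flagged.append(st["Sid"])
    return flagged

def scope_by_tag(statement, tag_key, tag_value):
    """Copy of a statement restricted to resources tagged tag_key=tag_value."""
    scoped = copy.deepcopy(statement)
    scoped["Condition"] = {"StringEquals": {f"aws:ResourceTag/{tag_key}": tag_value}}
    return scoped

def trusted_services(trust_policy):
    """Service principals allowed to assume the role; only fis.amazonaws.com should be here."""
    services = set()
    for st in trust_policy["Statement"]:
        if st.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(st["Action"]):
            services.update(_as_list(st.get("Principal", {}).get("Service", [])))
    return services
```

Some actions accept no resource ARN at all (the page's ssm:CancelCommand statement keeps "Resource": "*" for that reason), so treat a flagged Sid as a prompt to check the action's supported resource types, not as an automatic failure.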

Service-linked roles in AWS FIS

When you start an experiment from an experiment template, AWS FIS creates a service-linked role for you that grants permission to list or describe the resources that you specify as targets in your experiment template. Therefore, the IAM role that grants AWS FIS permission to perform actions on your behalf must have a policy that grants the following:

  • Permission to start the experiment

  • Permission to create a service-linked role on your behalf

For information about service-linked roles in AWS FIS, see Use service-linked roles for AWS Fault Injection Simulator. For information about creating an IAM role for an AWS service, see Creating a role to delegate permissions to an AWS service in the IAM User Guide.