Baseline permissions - AWS Service Management Connector

Baseline permissions

This section provides instructions on how to set up the baseline AWS users and permissions for the AWS Service Management Connector for Jira Service Management.

Available template for baseline permissions

To use an AWS CloudFormation template to set up the AWS configurations of the Connector for Jira Service Management, see the AWS configurations for Connector for Jira Service Management - AWS Commercial Regions and Connector for Jira Service Management - AWS GovCloud West Region.

Note

If you use the Connector for Jira Service Management AWS Configuration template, go to Configuring AWS Service Catalog.

For each AWS account, the Connector for Jira Service Management requires two access key pairs (an access key ID plus a secret access key) for API access. Each pair belongs to a user in AWS Identity and Access Management (IAM). Specifically, you should set up:

  • An IAM user to sync AWS resources and to sync and manage AWS Support cases through Jira Service Management.

  • An IAM user able to perform end user functionality to provision and execute requests exposed through Jira Service Management, including any roles required to perform the provisioning and execution. We recommend launch roles for Service Catalog to comply with IAM best practices.

These can be the same user, and an existing user can be used, but we recommend creating two new users dedicated to the Connector.

Note

To align with best practices, AWS recommends periodically rotating IAM user access keys. For more information, refer to Manage IAM user access keys properly.

Creating AWS Service Management Connector Sync User

The following section describes how to create the AWS Connector sync user and associate the appropriate IAM permissions. To perform this task, you need IAM permissions to create new users.

To create AWS Service Management Connector sync user
  1. Follow the instructions in Creating IAM Policies to create the policy, SSMOpsItemActionPolicy. This policy enables Jira administrators to create and manage AWS Systems Manager OpsItems.

    Copy this policy and paste it into Policy Document:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ssm:CreateOpsItem",
            "ssm:GetOpsItem",
            "ssm:UpdateOpsItem",
            "ssm:DescribeOpsItems"
          ],
          "Resource": "*"
        }
      ]
    }
  2. Follow the instructions in Creating IAM policies and create the policy, ConfigBidirectionalSecurityHubSQSBaseline.

    Copy this policy and paste it in the JSON editor.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "cloudformation:RegisterType",
            "cloudformation:DescribeTypeRegistration",
            "cloudformation:DeregisterType",
            "sqs:ReceiveMessage",
            "sqs:DeleteMessage",
            "securityhub:BatchUpdateFindings"
          ],
          "Resource": "*"
        }
      ]
    }
  3. Follow the instructions in Creating IAM policies to create the policy, AWSIncidentBaselinePolicy.

    Copy this policy and paste it in the JSON editor.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ssm-incidents:ListIncidentRecords",
            "ssm-incidents:GetIncidentRecord",
            "ssm-incidents:UpdateRelatedItems",
            "ssm-incidents:ListTimelineEvents",
            "ssm-incidents:GetTimelineEvent",
            "ssm-incidents:UpdateIncidentRecord",
            "ssm-incidents:ListRelatedItems",
            "ssm:ListOpsItemRelatedItems"
          ],
          "Resource": "*"
        }
      ]
    }
  4. Follow the instructions in Creating an IAM User in your AWS Account to create a sync user (SCSyncUser). The user needs programmatic access and AWS Management Console access to follow the Connector for Jira Service Management installation instructions.

    Set permissions for your sync user (SCSyncUser). Choose Attach the following policies directly and select AWSServiceCatalogAdminReadOnlyAccess, AmazonSSMReadOnlyAccess, SSMOpsItemActionPolicy, AWSSupportAccess, AWSIncidentBaselinePolicy, and ConfigBidirectionalSecurityHubSQSBaseline.

  5. Add a policy that allows budgets:ViewBudget on all resources (*).

  6. Review and choose Create User.

  7. Note the access and secret access information. Download the .csv file that contains the user credential information.

Creating AWS Service Management Connector End User

The following section describes how to create the AWS Service Management Connector end user and associate the appropriate IAM permissions. To perform this task, you need IAM permissions to create new users.

To create AWS Service Management Connector end user
  1. Follow the instructions in Creating an IAM user in your AWS Account to create a user (such as SCEndUser). The user needs programmatic and AWS Management Console access to follow the Connector for Jira Service Management installation instructions.

  2. For products with AWS CloudFormation StackSets, you need to create a stack set inline policy. With AWS CloudFormation StackSets, you can create products to deploy across multiple accounts and Regions.

    Using an administrator account, you define and manage a Service Catalog product and use it as the basis for provisioning stacks into selected target accounts across specified Regions. You need to have the necessary permissions defined in your AWS accounts.

    To set up the necessary permissions, follow the instructions in Granting Permissions for Stack Set Operations to create an AWSCloudFormationStackSetAdministrationRole and an AWSCloudFormationStackSetExecutionRole.

  3. Create the StackSet inline policy to enable provisioning of a product across multiple Regions in one account, replacing the sample account ID 123456789123 in both role ARNs with your own AWS account ID.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "sts:AssumeRole"
          ],
          "Resource": [
            "arn:aws:iam::123456789123:role/AWSCloudFormationStackSetExecutionRole"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "iam:GetRole",
            "iam:PassRole"
          ],
          "Resource": "arn:aws:iam::123456789123:role/AWSCloudFormationStackSetAdministrationRole"
        }
      ]
    }
  4. Add the following permissions (policies) to the user SCEndUser:

    • AWSServiceCatalogEndUserFullAccess - (AWS managed policy)

    • StackSet - (inline policy)

    • AmazonS3ReadOnlyAccess - (AWS managed policy)

    • AmazonEC2ReadOnlyAccess - (AWS managed policy)

    • AWSConfigUserAccess - (AWS managed policy)

    • SSMOpsItemActionPolicy - (inline policy)

    • ConfigBidirectionalSecurityHubSQSBaseline - (inline policy)

    Note

    For Service Catalog products with AWS CloudFormation StackSets, you must also include the read-only permissions for the services you want to provision. For example, to provision an Amazon S3 bucket, attach the AmazonS3ReadOnlyAccess policy to the SCEndUser user.

  5. Also add a policy that allows the following on all resources (*): ssm:DescribeAutomationExecutions, ssm:DescribeDocument, and ssm:StartAutomationExecution.

  6. Review and choose Create User.

  7. Note the access and secret access information. Download the .csv file that contains the user credential information.
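As an added example that is not part of the AWS documentation, the following Python renders the StackSet inline policy from step 3 for a given account ID and lints any of the baseline policies on this page (here a copy of SSMOpsItemActionPolicy from the sync-user procedure) for duplicated actions, wildcard actions and Allow grants on all resources before they are pasted into IAM. The policy dicts are constructed copies and the helper names are my own.

```python
import json
import re
PLACEHOLDER_ACCOUNT_ID = "123456789123"  # sample account ID used in the page's ARNs

# Copy of the page's StackSet inline policy; both role ARNs must point at your account.
STACKSET_INLINE_POLICY_TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["sts:AssumeRole"],
         "Resource": [f"arn:aws:iam::{PLACEHOLDER_ACCOUNT_ID}:role/AWSCloudFormationStackSetExecutionRole"]},
        {"Effect": "Allow", "Action": ["iam:GetRole", "iam:PassRole"],
         "Resource": f"arn:aws:iam::{PLACEHOLDER_ACCOUNT_ID}:role/AWSCloudFormationStackSetAdministrationRole"},
    ],
}

# Constructed copy of SSMOpsItemActionPolicy with ssm:CreateOpsItem listed twice on purpose.
SSM_OPSITEM_ACTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
        "ssm:CreateOpsItem", "ssm:GetOpsItem", "ssm:UpdateOpsItem",
        "ssm:DescribeOpsItems", "ssm:CreateOpsItem"]}],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)  # IAM allows str or list


def render_stackset_policy(account_id: str) -> dict:
    """Return the StackSet inline policy with its role ARNs scoped to account_id."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError(f"expected a 12-digit AWS account ID, got {account_id!r}")
    text = json.dumps(STACKSET_INLINE_POLICY_TEMPLATE).replace(PLACEHOLDER_ACCOUNT_ID, account_id)
    return json.loads(text)


def lint_policy(policy: dict) -> dict:
    """Flag duplicate actions, wildcard actions, and Allow grants scoped to every resource."""
    seen, duplicates, wildcard_actions, on_all_resources = set(), [], [], []
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        for action in actions:
            key = action.lower()  # IAM matches action names case-insensitively
            if key in seen and action not in duplicates:
                duplicates.append(action)
            seen.add(key)
            if "*" in action:
                wildcard_actions.append(action)
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", [])):
            on_all_resources.extend(actions)  # review these against least privilege
    return {"duplicate_actions": duplicates, "wildcard_actions": wildcard_actions,
            "actions_on_all_resources": on_all_resources}
```

Run `lint_policy` over each policy document on this page before creating it; the wildcard and all-resources lists are what a least-privilege review should question.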

Creating SCConnectLaunch Role

The following section describes how to create the SCConnectLaunch role. This role supplies the baseline AWS service permissions that Service Catalog applies through launch constraints.

To create SCConnectLaunch role
  1. Create the AWSCloudFormationFullAccess policy. Choose Create policy and then paste the following into the JSON editor.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "cloudformation:DescribeStackResource",
            "cloudformation:DescribeStackResources",
            "cloudformation:GetTemplate",
            "cloudformation:List*",
            "cloudformation:DescribeStackEvents",
            "cloudformation:DescribeStacks",
            "cloudformation:CreateStack",
            "cloudformation:DeleteStack",
            "cloudformation:GetTemplateSummary",
            "cloudformation:SetStackPolicy",
            "cloudformation:ValidateTemplate",
            "cloudformation:UpdateStack",
            "cloudformation:CreateChangeSet",
            "cloudformation:DescribeChangeSet",
            "cloudformation:ExecuteChangeSet",
            "cloudformation:DeleteChangeSet",
            "s3:GetObject"
          ],
          "Resource": "*"
        }
      ]
    }
  2. Create a policy called ServiceCatalogSSMActionsBaseline. Follow the instructions in Creating IAM Policies, and paste the following into the JSON editor.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Stmt1536341175150",
          "Effect": "Allow",
          "Action": [
            "servicecatalog:ListServiceActionsForProvisioningArtifact",
            "servicecatalog:ExecuteProvisionedProductServiceAction",
            "ssm:DescribeDocument",
            "ssm:GetAutomationExecution",
            "ssm:StartAutomationExecution",
            "ssm:StopAutomationExecution",
            "cloudformation:ListStackResources",
            "ec2:DescribeInstanceStatus",
            "ec2:StartInstances",
            "ec2:StopInstances"
          ],
          "Resource": "*"
        }
      ]
    }
  3. Create the SCConnectLaunch role. Assign the trust relationship to Service Catalog.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Service": "servicecatalog.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  4. Attach the following baseline IAM policies to the SCConnectLaunch role:

    • AmazonEC2FullAccess (AWS managed policy)

    • AmazonS3FullAccess (AWS managed policy)

    • AWSCloudFormationFullAccess (custom managed policy)

    • ServiceCatalogSSMActionsBaseline (custom managed policy)

Note

You can use the available AWS CloudFormation templates for the JSM connector to configure your AWS account to enable AWS Service Catalog integration. This stack includes the Sync user and End user roles, which attach the required permissions for all available integrations. For more information, see Baseline Permissions.