Lucidity AutoScaler Permissions Overview
Lucidity AutoScaler uses an agent-based architecture. A lightweight agent installed on each host instance monitors storage metrics, relays them to the Lucidity storage service, and executes the scaling commands it receives.
Based on the utilization metrics, the storage service decides when to perform scaling operations and relays the corresponding commands back to the agent. All interactions with the cloud provider, such as attaching and detaching volumes, are performed by the storage service.
Lucidity AutoScaler requires the following permissions.
| # | Service | Permission | Description |
|---|---|---|---|
| 1 | EC2 | ec2:DetachVolume | To detach existing EBS volumes from EC2 instances when onboarding an instance onto the AutoScaler. |
| 2 | EC2 | ec2:AttachVolume | To attach Lucidity-managed auto-scalable volumes to onboarded EC2 instances. |
| 3 | EC2 | ec2:DeleteVolume | To delete unused or orphaned EBS volumes after onboarding. |
| 4 | EC2 | ec2:ModifyInstanceAttribute | To associate an instance profile with an EC2 instance, its attributes must be modified. |
| 5 | KMS | kms:CreateGrant | Required for creating grants that allow Lucidity to use the KMS key on behalf of AWS resources. |
| 6 | KMS | kms:Decrypt | Required to decrypt encrypted EBS volumes. |
| 7 | EC2 | ec2:DescribeInstances | To retrieve EC2 instance details such as state, tags, storage configuration, placement, etc. |
| 8 | EC2 | ec2:CreateTags | To allow Lucidity to add tags to AWS volumes created by AutoScaler. |
| 9 | KMS | kms:GenerateDataKeyWithoutPlaintext | Used to generate encrypted data keys for securing volumes. |
| 10 | KMS | kms:GenerateDataKeyPairWithoutPlaintext | Used to create encrypted key pairs without revealing the plaintext. |
| 11 | EC2 | ec2:StopInstances | To trigger a one-time reboot when onboarding Linux or Win 19 instances onto AutoScaler. |
| 12 | KMS | kms:GenerateDataKeyPair | Used to generate a data key pair (with plaintext). |
| 13 | KMS | kms:ReEncryptFrom | Required to re-encrypt data from one KMS key to another. |
| 14 | EC2 | ec2:CreateVolume | Needed to provision new EBS volumes. |
| 15 | EC2 | ec2:StartInstances | To trigger a one-time reboot when onboarding Linux or Win 19 instances onto AutoScaler. |
| 16 | KMS | kms:Encrypt | Used to encrypt new EBS volumes or data in transit. |
| 17 | EC2 | ec2:DescribeVolumes | To retrieve detailed information about one or more EBS volumes, such as size, volume type, AZ, etc. |
| 18 | KMS | kms:GenerateDataKey | Required to generate data encryption keys for storage. |
| 19 | KMS | kms:ReEncryptTo | Required to re-encrypt data to a new KMS key. |
| 20 | KMS | kms:DescribeKey | Provides metadata about a KMS key, useful during validation. |
| 21 | EC2 | ec2:DescribeInstanceStatus | To retrieve status and health information for an EC2 instance. |
| 22 | IAM | iam:CreateInstanceProfile | To create an instance profile, which is used to activate each VM's SSM agent, fetch its disk details, and share them with the SSM server. |
| 23 | SSM | ssm:SendCommand | To run commands that collect disk utilization metrics on Lucidity-managed EC2 instances. |
| 24 | EC2 | ec2:DescribeRegions | To retrieve a list of all available AWS regions for an account. |
| 25 | IAM | iam:RemoveRoleFromInstanceProfile | To detach the Role from the Instance Profile before deleting it permanently. |
| 26 | IAM | iam:DeletePolicy | To delete the temporarily created Policy. |
| 27 | IAM | iam:CreateRole | To create a temporary IAM role with the above-mentioned AWS policy. |
| 28 | IAM | iam:AttachRolePolicy | To attach the temporary AWS policy to the AWS IAM Role. |
| 29 | IAM | iam:AddRoleToInstanceProfile | To add the temporarily created Lucidity IAM Role with SSM permissions to the instance profile. |
| 30 | EC2 | ec2:DescribeVolumeStatus | To run commands that collect disk utilization metrics on Lucidity-managed EC2 instances. |
| 31 | IAM | iam:DetachRolePolicy | To detach the AWS Policy from the role before deleting it permanently. |
| 32 | IAM | iam:ListAttachedRolePolicies | To list the policies attached to a particular role. |
| 33 | IAM | iam:ListPolicies | To list the policies attached to an EC2 instance. |
| 34 | IAM | iam:DeleteInstanceProfile | To delete the temporarily created instance profile. |
| 35 | IAM | iam:GetRole | To fetch the existing roles of an EC2 instance. If a role already exists, an Instance Profile will be attached to that role without creating a new role. |
| 36 | EC2 | ec2:DescribeIamInstanceProfileAssociations | To query and list the IAM instance profile associations for an EC2 instance. |
| 37 | IAM | iam:GetInstanceProfile | To retrieve information about an instance profile, such as profile name, ARN, associated IAM role, associated tags, etc. |
| 38 | IAM | iam:GetPolicy | To fetch existing policies attached to an EC2 instance. |
| 39 | IAM | iam:UpdateRoleDescription | To update the description of the temporarily created Role. |
| 40 | IAM | iam:ListRoles | To list the IAM roles attached to an EC2 instance. |
| 41 | IAM | iam:DeleteRole | To delete the temporarily created Role. |
| 42 | SSM | ssm:GetCommandInvocation | To view details about commands executed using SSM, such as command execution status, command output, error messages, etc. |
| 43 | EC2 | ec2:DescribeImages | To retrieve details about AMIs in an AWS account. |
| 44 | IAM | iam:CreatePolicy | To create a temporary AWS Policy which can activate the SSM agent and collect disk metrics. |
| 45 | EC2 | ec2:DisassociateIamInstanceProfile | To detach an instance profile from the EC2 instance. |
| 46 | IAM | iam:UpdateRole | If the EC2 instance has an existing Role, it can be updated to have the necessary SSM-related policies instead of creating a new role. |
| 47 | IAM | iam:GetRolePolicy | To fetch existing role policy bindings. |
| 48 | EC2 | ec2:AssociateIamInstanceProfile | To associate an instance profile with an EC2 instance so it can interact with the SSM agent. |
| 49 | IAM | iam:GetPolicyVersion | To retrieve information about a specific version of a managed policy. |
| 50 | SSM | ssm:DescribeInstanceInformation | To list all EC2 instances managed by SSM. |
| 51 | IAM | iam:TagRole | To add tags to IAM roles. |
| 52 | IAM | iam:TagInstanceProfile | To add tags to instance profiles. |
| 53 | CloudWatch | cloudwatch:ListMetrics | To retrieve a list of valid metrics stored for an AWS account. |
| 54 | CloudWatch | cloudwatch:GetMetricData | To retrieve metric data for specified metrics. |
| 55 | IAM | iam:PassRole | To allow an IAM principal to delegate or pass permissions to an AWS service by configuring a resource such as an EC2 instance with an IAM role. |
| 56 | EC2 | ec2:DescribeSnapshots | To retrieve details of existing EBS snapshots. |
| 57 | EC2 | ec2:CreateSnapshot | To create a new EBS snapshot. |
| 58 | EC2 | ec2:DeleteSnapshot | To delete an existing EBS snapshot. |
| 59 | EC2 | ec2:DescribeTags | To retrieve metadata tags assigned to EC2 resources. |
| 60 | EC2 | ec2:DescribeLaunchTemplateVersions | To fetch launch template configurations used by Auto Scaling groups. |
| 61 | Account | account:ListRegions | To list enabled AWS regions in the account. |
| 62 | IAM | iam:SimulatePrincipalPolicy | To check whether required permissions are allowed for a role. |
| 63 | IAM | iam:GetContextKeysForPrincipalPolicy | To retrieve context keys needed for accurate permission simulation. |
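The last two rows use IAM's own policy simulator for live checks; an offline check against a draft policy is also useful before anything is attached. The script below is an added example, not Lucidity's tooling: it loads a constructed candidate policy, applies IAM's glob matching and explicit-deny-wins rules to a representative subset of the actions in the table, and reports which actions are missing and which Allow patterns are service-wide wildcards.

```python
import fnmatch
import json

# Representative subset of the actions in the table above; the full list can
# be pasted in the same form.
REQUIRED_ACTIONS = [
    "ec2:AttachVolume", "ec2:DetachVolume", "ec2:CreateVolume", "ec2:DeleteVolume",
    "ec2:DescribeInstances", "ec2:DescribeVolumes", "ec2:CreateTags",
    "kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey",
    "iam:PassRole", "iam:CreateRole", "iam:DeleteRole",
    "ssm:SendCommand", "ssm:GetCommandInvocation",
    "cloudwatch:GetMetricData", "cloudwatch:ListMetrics",
]

# Constructed draft policy, as an operator might write it on a first pass.
CANDIDATE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:AttachVolume",
      "ec2:DetachVolume", "ec2:CreateVolume", "ec2:CreateTags"], "Resource": "*"},
    {"Effect": "Allow", "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "iam:CreateRole"], "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:DeleteVolume", "Resource": "*"}
  ]
}""")

def _as_list(x):
    return x if isinstance(x, list) else [x]

def action_patterns(policy):
    """Collect Allow and Deny action patterns from every statement."""
    allow, deny = set(), set()
    for st in policy["Statement"]:
        (allow if st["Effect"] == "Allow" else deny).update(_as_list(st.get("Action", [])))
    return allow, deny

def is_allowed(action, allow, deny):
    # IAM semantics: a matching explicit Deny wins over any Allow; action
    # matching is case-insensitive with * and ? wildcards.
    a = action.lower()
    if any(fnmatch.fnmatchcase(a, p.lower()) for p in deny):
        return False
    return any(fnmatch.fnmatchcase(a, p.lower()) for p in allow)

def audit(policy, required=REQUIRED_ACTIONS):
    allow, deny = action_patterns(policy)
    missing = sorted(a for a in required if not is_allowed(a, allow, deny))
    over_broad = sorted(p for p in allow if p == "*" or p.endswith(":*"))
    return {"missing": missing, "over_broad": over_broad}

if __name__ == "__main__":
    print(json.dumps(audit(CANDIDATE_POLICY), indent=2))
```

The report flags ec2:DeleteVolume as missing because the explicit Deny overrides the Allow, and kms:* as broader than the eleven KMS actions the table actually lists.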