AWS IAM Policy

On this page

Overview

Example Policy
Policy Settings

Cloud Manager will no longer support Automation, Backup, and Monitoring for MongoDB 3.6 and 4.0 after August 30th, 2024. Please upgrade your MongoDB deployment or migrate to Atlas.

OAuth 2.0 authentication for programmatic access to Cloud Manager is available as a Preview feature.: The feature and the corresponding documentation might change at any time during the Preview period. To use OAuth 2.0 authentication, create a service account to use in your requests to the Cloud Manager Public API.

Overview

When Cloud Manager deploys and manages MongoDB instances on AWS infrastructure, Cloud Manager accesses AWS by way of a user's access keys. The user associated with the keys must have an attached IAM policy with the following permissions. For information on attaching the policy, see Provision Servers.

For an overview of AWS IAM policies, see Amazon's IAM policy documentation.

Example Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iam:*AccessKey*", "iam:GetUser"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AttachVolume",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateKeyPair",
        "ec2:CreateSecurityGroup",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:DeleteKeyPair",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteTags",
        "ec2:DeleteVolume",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstances",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeRegions",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:DescribeVpcs",
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeVolumeStatus",
        "ec2:DescribeVolumes",
        "ec2:DescribeVolumeAttribute",
        "ec2:ImportKeyPair",
        "ec2:RunInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

Policy Settings

The following table explains why each setting is required. Cloud Manager uses permissions provided by the customer only for CRUD actions on the resources Cloud Manager creates for the customer. Additionally, Cloud Manager performs only Read actions for resources the customer selects (VPC, subnet, etc) and for connected resources (network ACL, route table, etc).

Setting	Allows Cloud Manager to:
ec2:AttachVolume	Add an EBS volume to a provisioned server.
ec2:AuthorizeSecurityGroupIngress	Manage the security group rules Cloud Manager needs to ensure a valid networking state.
ec2:CreateKeyPair	SSH into a machine in order to provision it.
ec2:CreateSecurityGroup	Auto-generate security groups in the provisioning wizard.
ec2:CreateTags	Tag the EC2 instances.
ec2:CreateVolume	Create the EBS volumes.
ec2:DeleteKeyPair	Remove the key pair Cloud Manager created.
ec2:DeleteSecurityGroup	Remove the security group Cloud Manager created.
ec2:DeleteTags	Remove tags Cloud Manager created.
ec2:DeleteVolume	Removes resources Cloud Manager created.
ec2:DescribeAccountAttributes	Determine if the AWS account has access to EC2-Classic.
ec2:DescribeAvailabilityZones	Display the availability zones users can select when they provision new servers.
ec2:DescribeInstanceAttribute	Access attributes of an EC2 instance.
ec2:DescribeInstanceStatus	Access the status of an EC2 instance.
ec2:DescribeInstances	Access available EC2 instances.
ec2:DescribeKeyPairs	Validate the key pair Cloud Manager created.
ec2:DescribeRegions	Display the regions users can select when they provision new servers.
ec2:DescribeSecurityGroups	Display the security groups users can select when they provision new servers.
ec2:DescribeSubnets	Display the subnets users can select when they provision new servers.
ec2:DescribeTags	List tags for instances associated with Cloud Manager.
ec2:DescribeVpcs	Display the VPCs users can select when they provision new servers.
ec2:DescribeVpcAttribute	Access VPC attributes.
ec2:DescribeVolumeStatus	Validate the readiness of an attached or detached volume.
ec2:DescribeVolumes	Ensure your MongoDB server has the correct volumes attached.
ec2:DescribeVolumeAttribute	Access information on EBS volumes.
ec2:ImportKeyPair	Associate a key pair with an EC2 instance.
ec2:RunInstances	Run the EC2 instance.
ec2:StartInstances	Start the EC2 instance.
ec2:StopInstances	Stop the EC2 instance.
ec2:RebootInstances	Reboot the EC2 instance.
ec2:TerminateInstances	Terminate the EC2 instance.

Back

MongoDB Settings and Automation Support

Database Commands Used by Monitoring