Configuration (AWS Cloud)

Last updated on
8 November 2021

1. AWS IAM Permissions

  1. Access AWS Management Console, go to Identity and Access Management (IAM).
  2. Create a custom IAM policy following the JSON example shown below.  NOTE: replace YOUR_ACCOUNT_ID
    in the JSON with your AWS account ID (a 12-digit number).
     

    Standard (Recommended):

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "describePolicies",
                "Effect": "Allow",
                "Action": [
                    "cloudwatch:GetMetricData",
                    "ec2:DescribeAddresses",
                    "ec2:DescribeAvailabilityZones",
                    "ec2:DescribeFlowLogs",
                    "ec2:DescribeIamInstanceProfileAssociations",
                    "ec2:DescribeImageAttribute",
                    "ec2:DescribeImages",
                    "ec2:DescribeInstanceAttribute",
                    "ec2:DescribeInstances",
                    "ec2:DescribeInternetGateways",
                    "ec2:DescribeKeyPairs",
                    "ec2:DescribeLaunchTemplates",
                    "ec2:DescribeLaunchTemplateVersions",
                    "ec2:DescribeNetworkInterfaces",
                    "ec2:DescribeSecurityGroups",
                    "ec2:DescribeSnapshots",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeVolumes",
                    "ec2:DescribeVpcPeeringConnections",
                    "ec2:DescribeVpcs",
                    "ec2:GetConsoleOutput"
                ],
                "Resource": "*"
            },
            {
                "Sid": "ProfilePolicies",
                "Effect": "Allow",
                "Action": "iam:ListInstanceProfiles",
                "Resource": "arn:aws:iam::YOUR_ACCOUNT_ID:instance-profile/*"
            },
            {
                "Sid": "CreatePolicies",
                "Effect": "Allow",
                "Action": [
                    "ec2:RevokeSecurityGroupIngress",
                    "ec2:AuthorizeSecurityGroupEgress",
                    "ec2:AuthorizeSecurityGroupIngress",
                    "ec2:CreateKeyPair",
                    "ec2:CreateSecurityGroup",
                    "ec2:CreateTags",
                    "ec2:RevokeSecurityGroupEgress",
                    "ec2:CreateSubnet",
                    "ec2:CreateVpc",
                    "ec2:CreateNetworkInterface"
                ],
                "Resource": [
                    "arn:aws:ec2:*:YOUR_ACCOUNT_ID:key-pair/*",
                    "arn:aws:ec2:*:YOUR_ACCOUNT_ID:security-group/*",
                    "arn:aws:ec2:*:YOUR_ACCOUNT_ID:vpc/*",
                    "arn:aws:ec2:*:YOUR_ACCOUNT_ID:subnet/*",
                    "arn:aws:ec2:*:YOUR_ACCOUNT_ID:network-interface/*"
                ]
            }
        ]
    }

    Minimum:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "describePolicies",
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeAddresses",
                    "ec2:DescribeAvailabilityZones",
                    "ec2:DescribeFlowLogs",
                    "ec2:DescribeIamInstanceProfileAssociations",
                    "ec2:DescribeImageAttribute",
                    "ec2:DescribeImages",
                    "ec2:DescribeInstanceAttribute",
                    "ec2:DescribeInstances",
                    "ec2:DescribeInternetGateways",
                    "ec2:DescribeKeyPairs",
                    "ec2:DescribeLaunchTemplates",
                    "ec2:DescribeLaunchTemplateVersions",
                    "ec2:DescribeNetworkInterfaces",
                    "ec2:DescribeSecurityGroups",
                    "ec2:DescribeSnapshots",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeVolumes",
                    "ec2:DescribeVpcPeeringConnections",
                    "ec2:DescribeVpcs"
                ],
                "Resource": "*"
            },
            {
                "Sid": "ProfilePolicies",
                "Effect": "Allow",
                "Action": "iam:ListInstanceProfiles",
                "Resource": "arn:aws:iam::YOUR_ACCOUNT_ID:instance-profile/*"
            },
            {
                "Sid": "CreatePolicies",
                "Effect": "Allow",
                "Action": [
                    "ec2:RevokeSecurityGroupIngress",
                    "ec2:AuthorizeSecurityGroupEgress",
                    "ec2:AuthorizeSecurityGroupIngress",
                    "ec2:CreateKeyPair",
                    "ec2:CreateSecurityGroup",
                    "ec2:CreateTags",
                    "ec2:RevokeSecurityGroupEgress",
                    "ec2:CreateSubnet",
                    "ec2:CreateVpc",
                    "ec2:CreateNetworkInterface"
                ],
                "Resource": [
                    "arn:aws:ec2:*:YOUR_ACCOUNT_ID:key-pair/*",
                    "arn:aws:ec2:*:YOUR_ACCOUNT_ID:security-group/*",
                    "arn:aws:ec2:*:YOUR_ACCOUNT_ID:vpc/*",
                    "arn:aws:ec2:*:YOUR_ACCOUNT_ID:subnet/*",
                    "arn:aws:ec2:*:YOUR_ACCOUNT_ID:network-interface/*"
                ]
            }
        ]
    }
  3. Create an IAM user or IAM role.
  4. Attach the policy you created above: for an IAM user, use "Attach existing policies directly"; for an IAM role, use "Attach policies".
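As an added check (example code written for this page, not part of the Cloud module), a small Python linter for the policy JSON above: it verifies that the document parses (a trailing comma in a hand-edited policy is the usual breakage), that YOUR_ACCOUNT_ID has been replaced with a 12-digit account ID, and that statements with mutating actions such as CreatePolicies stay scoped to account-bound ARNs rather than "*". The embedded policy is a constructed, shortened excerpt of the Minimum policy.

```python
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
PLACEHOLDER = "YOUR_ACCOUNT_ID"

# Constructed excerpt of the "Minimum" policy above, cut down to a few actions.
POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "describePolicies", "Effect": "Allow",
     "Action": ["ec2:DescribeInstances", "ec2:DescribeSecurityGroups"],
     "Resource": "*"},
    {"Sid": "ProfilePolicies", "Effect": "Allow",
     "Action": "iam:ListInstanceProfiles",
     "Resource": "arn:aws:iam::YOUR_ACCOUNT_ID:instance-profile/*"},
    {"Sid": "CreatePolicies", "Effect": "Allow",
     "Action": ["ec2:CreateSecurityGroup", "ec2:AuthorizeSecurityGroupIngress"],
     "Resource": ["arn:aws:ec2:*:YOUR_ACCOUNT_ID:security-group/*"]}
  ]
}"""

def render_policy(template: str, account_id: str) -> str:
    """Substitute the account ID placeholder, refusing anything but 12 digits."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError("AWS account ID must be exactly 12 digits")
    return template.replace(PLACEHOLDER, account_id)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(policy_json: str) -> list:
    """Return findings (empty list = pass): invalid JSON such as a trailing comma,
    unreplaced placeholder, wildcard actions, and any statement with mutating
    (non Describe/List/Get) actions that is not scoped to account-bound ARNs."""
    try:
        doc = json.loads(policy_json)
    except json.JSONDecodeError as e:
        return [f"invalid JSON: {e.msg} at line {e.lineno}"]
    findings = [f"{PLACEHOLDER} was not replaced"] if PLACEHOLDER in policy_json else []
    for st in doc.get("Statement", []):
        sid = st.get("Sid", "<no Sid>")
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard action")
        read_only = all(re.match(r"\w+:(Describe|List|Get)", a) for a in actions)
        if not read_only and "*" in resources:
            findings.append(f"{sid}: mutating actions on Resource \"*\"")
    return findings
```

Run lint_policy on the rendered policy before pasting it into the IAM console; an empty list means the template was filled in correctly and still matches the least-privilege shape shown above.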

2. Drupal Permissions

  1. How to configure
    Go to People > Permissions in your Drupal site.  Configure permissions per your requirements.
     
  2. Concept
    Each AWS EC2 entity has Add, Edit, Delete, View and List permissions.
    The Edit, Delete and View permissions come in two types, Any and Own.

    Permission                    Description
    Add AWS EC2 entity            Allow users to add an AWS EC2 entity
    Edit any AWS EC2 entity       Allow users to edit any AWS EC2 entity
    Edit own AWS EC2 entity       Allow users to edit their own AWS EC2 entities
    Delete any AWS EC2 entity     Allow users to delete any AWS EC2 entity
    Delete own AWS EC2 entity     Allow users to delete their own AWS EC2 entities
    View any AWS EC2 entity       Allow users to view any AWS EC2 entity
    View own AWS EC2 entity       Allow users to view their own AWS EC2 entities
    List AWS EC2 entity           Allow users to list AWS EC2 entities

    • Any permissions allow users to manage any AWS EC2 entity.
    • Own permissions allow users to manage only the AWS EC2 entities they own.
  3. How to associate the entity's owner with the AWS Management Console
    The owner's Drupal user ID (uid) is written to the corresponding AWS resource as a tag with the key uid, so the owner can be seen in the AWS Management Console.

    AWS Cloud Key Pairs cannot carry tags in the AWS Management Console, so the owner information for key pairs is saved and managed only in Drupal.

3. Basic Setup

  1. Create a new Cloud Config based on your needs.  Go to Structure > Cloud config list and click + Add Cloud config.
  2. Enter all required configuration parameters.  The system will automatically set up all regions from your AWS account.  There are three options for specifying AWS credentials:
     
    1. Instance Credentials

      If the Cloud module is running on an EC2 instance that has an IAM role attached, you can check "Use Instance Credentials".  This option is secure and does not require an Access Key ID or Secret Access Key to be entered into Drupal.

    2. Simple Access

      Specify an Access Key ID and Secret Access Key to access a particular account's EC2 instances.

    3. Assume Role

      Specify an Access Key ID, Secret Access Key and the Assume Role section.  With this combination, the Cloud module can assume a role in another AWS account and access that account's EC2 instances.

      To learn more about setting up an assumable role, read this AWS tutorial:

      https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html

  3. Run cron to update your specific Cloud region.
  4. Use the links under Cloud Service Providers > [CLOUD CONFIG] to manage your AWS EC2 entities.
  5. Import Images using the tab: Cloud Service Providers > [CLOUD CONFIG] | Images
     
    1. Click on + Import AWS Cloud Image
    2. Search for images by AMI name.  For example, to import "Anaconda" images based on Ubuntu, type in "anaconda*ubuntu*".  Use the AWS Management Console (aws.amazon.com) to find the names of images to import.
  6. Import or Add a Key Pair.  The key pair is used to log into any system you launch.  Use the links under the tab: Cloud Service Providers > [CLOUD CONFIG] | Key Pair
     
    1. Use the + Import AWS Cloud Key Pair button to import an existing key pair.  You will be uploading your public key.
    2. Use + Add AWS Cloud Key Pair to have AWS generate a new private key. You will be prompted to download the key after it is created.
  7. Set up Security Groups, VPCs, Subnets and Network Interfaces.

4. Launching Instance

  1. Create a Server Template under Design > Cloud Server Template > [CLOUD CONFIG]
  2. Once the template is created, click the Launch tab to launch it.
