RONIN Default IAM Policies

Our RONIN EC2 instance uses a custom IAM role called ronin-core to control which services in the AWS account RONIN can reach. The ronin-core role has two permission policies attached:

  1. ronin-restricted - This policy grants full access to only the AWS services that RONIN relies upon, namely:
  • SNS - Used by Autoscaling clusters
  • Cognito - For user access and permissions
  • S3 - For object storage
  • SES - For sending RONIN notification emails
  • Logs - For logging information
  • DynamoDB - Used by Autoscaling clusters
  • CloudFormation - Used by Autoscaling clusters
  • Budgets - For RONIN Project budgets
  • SQS - Used by Autoscaling clusters
  • Autoscaling - Used by Autoscaling clusters
  • IAM - For object storage permissions
  • CloudWatch - For monitoring and logging
  • KMS - For encryption
  • SSM - For machine management with Systems Manager
  • Route53 - For machine networking
  • EC2 - For machines and clusters
  • Tag - For tagging project resources
  • Cognito-idp - For connecting Cognito to an IDP
  • CostExplorer - For gathering project cost data
  • SSM Messages - For machine management with Systems Manager
  • EC2 Messages - For machine management with Systems Manager
  2. ronin-ssm-ec2-policy - This policy is applied to the RONIN webserver and ALL RONIN-created machines in the AWS account. It enables instances to be managed by the AWS Systems Manager Agent, to publish custom metrics to Amazon CloudWatch, and to send logs to CloudWatch Logs for management and oversight purposes.
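A practical check for a scoped policy like ronin-restricted is to confirm that no Allow statement reaches a service outside the intended list. The script below is an added example for this page, not RONIN's own code: it audits an IAM policy document against an allow-list of service prefixes, flagging out-of-scope actions, bare `*` wildcards, and Allow+NotAction statements (which grant every service not named). The mapping of the services listed above to IAM prefixes (for example Cognito to cognito-identity, CostExplorer to ce, Tag to tag) is my assumption, and the sample policy is constructed for illustration; the real ronin-restricted document is not reproduced on this page.

```python
"""Audit an IAM policy document against an allow-list of service prefixes.

Added example, not RONIN's code. ALLOWED_SERVICES is an assumed mapping of the
services named in the ronin-restricted description to IAM action prefixes;
SAMPLE_POLICY is constructed for illustration only.
"""
import json

# Assumed IAM action prefixes for the services the page lists.
ALLOWED_SERVICES = {
    "sns", "cognito-identity", "s3", "ses", "logs", "dynamodb",
    "cloudformation", "budgets", "sqs", "autoscaling", "iam", "cloudwatch",
    "kms", "ssm", "route53", "ec2", "tag", "cognito-idp", "ce",
    "ssmmessages", "ec2messages",
}


def _as_list(value):
    """IAM allows Statement/Action to be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy_doc, allowed=ALLOWED_SERVICES):
    """Return findings (strings) for Allow statements that exceed the allow-list.

    Deny statements are skipped: they only narrow access. Service prefixes are
    compared case-insensitively because IAM action names are not case-sensitive.
    """
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{idx}]")
        if "NotAction" in stmt:
            # Allow + NotAction permits every action NOT listed, i.e. every
            # service outside the allow-list as well; always flag it.
            findings.append(f"{sid}: Allow with NotAction grants all other services")
            continue
        for action in _as_list(stmt.get("Action")):
            if action.strip() == "*":
                findings.append(f"{sid}: wildcard action '*'")
                continue
            service = action.split(":", 1)[0].lower()
            if service not in allowed:
                findings.append(f"{sid}: action {action} is outside the allowed services")
    return findings


# Constructed sample: one in-scope statement, one that drifted out of scope,
# and a Deny that should be ignored by the audit.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "RoninCore", "Effect": "Allow",
         "Action": ["ec2:*", "s3:*", "ssm:*", "cognito-idp:*", "ce:*"],
         "Resource": "*"},
        {"Sid": "Drift", "Effect": "Allow",
         "Action": ["lambda:InvokeFunction", "rds:DescribeDBInstances"],
         "Resource": "*"},
        {"Sid": "DenyKeyDeletion", "Effect": "Deny",
         "Action": "kms:ScheduleKeyDeletion", "Resource": "*"},
    ],
}


if __name__ == "__main__":
    for finding in audit_policy(json.dumps(SAMPLE_POLICY)):
        print(finding)
```

Run it against the policy document fetched with `aws iam get-policy-version` (or the inline policy JSON) to confirm that a role meant to be restricted has not quietly accumulated permissions for services the page does not list; an empty result means every Allow statement stays within the expected services.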

All RONIN-launched machines also receive the ronin-cloudwatch-agent policy, which enables the CloudWatch metrics and logs integration. The custom metrics the agent collects are defined in a Systems Manager Parameter whose name is prefixed with ronin-cw-; edit that parameter to change which custom metrics are monitored by CloudWatch.

If you have any questions about these policies, please don't hesitate to contact us at contact@ronin.cloud.