IAM roles for AWS FIS experiments
AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. To use AWS FIS, you must create an IAM role that grants AWS FIS the permissions required so that AWS FIS can run experiments on your behalf. You specify this experiment role when you create an experiment template. For a single-account experiment, the IAM policy for the experiment role must grant permission to modify the resources that you specify as targets in your experiment template. For a multi-account experiment, the experiment role must grant the orchestrator role permission to assume the IAM role for each target account. For more information, see Permissions for multi-account experiments.
We recommend that you follow the standard security practice of granting least privilege. You can do so by specifying specific resource ARNs or tags in your policies.
To help you get started with AWS FIS quickly, we provide AWS managed policies that you can specify when you create an experiment role. Alternatively, you can also use these policies as a model as you create your own inline policy documents.
Contents
Prerequisites
Before you begin, install the AWS CLI and create the required trust policy.
- Install the AWS CLI
-
Before you begin, install and configure the AWS CLI. When you configure the AWS CLI, you are prompted for AWS credentials. The examples in this procedure assume that you also configured a default Region. Otherwise, add the
--region
option to each command. For more information, see Installing or updating the AWS CLI and Configuring the AWS CLI. - Create a trust relationship policy
-
An experiment role must have a trust relationship that allows the AWS FIS service to assume the role. Create a text file named
fis-role-trust-policy.json
and add the following trust relationship policy.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "fis.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] }
We recommend that you use the
aws:SourceAccount
andaws:SourceArn
condition keys to protect yourself against the confused deputy problem. The source account is the owner of the experiment and the source ARN is the ARN of the experiment. For example, you should add the following condition block to your trust policy."Condition": { "StringEquals": { "aws:SourceAccount": "
account_id
" }, "ArnLike": { "aws:SourceArn": "arn:aws:fis:region
:account_id
:experiment/*" } } - Add permissions to assume target account roles (multi-account experiments only)
-
For multi-account experiments, you need permissions that allows orchestrator account to assume target account roles. You can modify the following example and add as an inline policy document to assume target account roles:
{ "Effect": "Allow", "Action": "sts:AssumeRole", "Resource":[ "arn:aws:iam::
target_account_id
:role/role_name
" ] }
Option 1: Create an experiment role and attach an AWS managed policy
Use one of the AWS managed policies from AWS FIS to get started quickly.
To create an experiment role and attach an AWS managed policy
-
Verify that there is a managed policy for the AWS FIS actions in your experiment. Otherwise, you'll need to create your own inline policy document instead. For more information, see AWS managed policies for AWS Fault Injection Service.
-
Use the following create-role command to create a role and add the trust policy that you created in the prerequisites.
aws iam create-role --role-name
my-fis-role
--assume-role-policy-document file://fis-role-trust-policy.json
-
Use the following attach-role-policy command to attach the AWS managed policy.
aws iam attach-role-policy --role-name
my-fis-role
--policy-arnfis-policy-arn
Where
fis-policy-arn
is one of the following:-
arn:aws:iam::aws:policy/service-role/AWSFaultInjectionSimulatorEC2Access
-
arn:aws:iam::aws:policy/service-role/AWSFaultInjectionSimulatorECSAccess
-
arn:aws:iam::aws:policy/service-role/AWSFaultInjectionSimulatorEKSAccess
-
arn:aws:iam::aws:policy/service-role/AWSFaultInjectionSimulatorNetworkAccess
-
arn:aws:iam::aws:policy/service-role/AWSFaultInjectionSimulatorRDSAccess
-
arn:aws:iam::aws:policy/service-role/AWSFaultInjectionSimulatorSSMAccess
-
Option 2: Create an experiment role and add an inline policy document
Use this option for actions that don't have a managed policy, or to include only the permissions that are required for your specific experiment.
To create an experiment and add an inline policy document
-
Use the following create-role command to create a role and add the trust policy that you created in the prerequisites.
aws iam create-role --role-name
my-fis-role
--assume-role-policy-document file://fis-role-trust-policy.json
-
Create a text file named
fis-role-permissions-policy.json
and add a permissions policy. For an example that you can use as a starting point, see the following.-
Fault injection actions – Start from the following policy.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowFISExperimentRoleFaultInjectionActions", "Effect": "Allow", "Action": [ "fis:InjectApiInternalError", "fis:InjectApiThrottleError", "fis:InjectApiUnavailableError" ], "Resource": "arn:*:fis:*:*:experiment/*" } ] }
-
Amazon EBS actions – Start from the following policy.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeVolumes" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:PauseVolumeIO" ], "Resource": "arn:aws:ec2:*:*:volume/*" } ] }
-
Amazon EC2 actions – Start from the AWSFaultInjectionSimulatorEC2Access policy.
-
Amazon ECS actions – Start from the AWSFaultInjectionSimulatorECSAccess policy.
-
Amazon EKS actions – Start from the AWSFaultInjectionSimulatorEKSAccess policy.
-
Network actions – Start from the AWSFaultInjectionSimulatorNetworkAccess policy.
-
Amazon RDS actions – Start from the AWSFaultInjectionSimulatorRDSAccess policy.
-
Systems Manager actions – Start from the AWSFaultInjectionSimulatorSSMAccess policy.
-
-
Use the following put-role-policy command to add the permissions policy that you created in the previous step.
aws iam put-role-policy --role-name
my-fis-role
--policy-namemy-fis-policy
--policy-document file://fis-role-permissions-policy.json