diff --git a/content/operate/rc/subscriptions/bring-your-own-cloud/cloud-account-settings.md b/content/operate/rc/subscriptions/bring-your-own-cloud/cloud-account-settings.md
index 550bfcd6c0..35842c48d6 100644
--- a/content/operate/rc/subscriptions/bring-your-own-cloud/cloud-account-settings.md
+++ b/content/operate/rc/subscriptions/bring-your-own-cloud/cloud-account-settings.md
@@ -8,6 +8,10 @@ categories:
 description: null
 hideListLinks: true
 weight: 2
+aliases:
+ - /operate/rc/how-to/view-edit-cloud-account/cloud-account-settings
+ - /operate/rc/cloud-accounts/cloud-account-settings
+ - /operate/rc/cloud-integrations/aws-cloud-accounts/cloud-account-settings
 ---
 
 Redis Cloud Bring your own Cloud (BYOC) lets you use your own cloud infrastructure to deploy Redis Cloud.
diff --git a/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/_index.md b/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/_index.md
index cdcbe14f09..8210d6624b 100644
--- a/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/_index.md
+++ b/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/_index.md
@@ -8,6 +8,10 @@ description: null
 hideListLinks: true
 linkTitle: Create IAM resources
 weight: 1
+aliases:
+ - /operate/rc/how-to/view-edit-cloud-account/iam-resources
+ - /operate/rc/cloud-accounts/iam-resources
+ - /operate/rc/cloud-integrations/aws-cloud-accounts/iam-resources
 ---
 
 For Redis Cloud Bring your Own Cloud (BYOC) on Amazon Web Services (AWS), we manage the supporting infrastructure for you in dedicated AWS accounts.
diff --git a/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/aws-console.md b/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/aws-console.md
index 539c122c33..94e94a1e65 100644
--- a/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/aws-console.md
+++ b/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/aws-console.md
@@ -7,6 +7,10 @@ categories:
 - operate
 - rc
 weight: $weight
+aliases:
+ - /operate/rc/how-to/view-edit-cloud-account/iam-resources/aws-console
+ - /operate/rc/cloud-accounts/iam-resources/aws-console
+ - /operate/rc/cloud-integrations/aws-cloud-accounts/iam-resources/aws-console
 ---
 
 Follow these steps to manually create IAM resources using the [AWS console](https://console.aws.amazon.com/).
@@ -26,7 +30,7 @@ Follow the steps to [create an IAM policy using the JSON editor](https://docs.aw
 
 {{< expand "View RedisLabsInstanceRolePolicy.json" >}}
 ```js
-{
+ {
 "Version": "2012-10-17",
 "Statement": [
 {
@@ -84,19 +88,19 @@ Follow the steps to [create an IAM policy using the JSON editor](https://docs.aw
 ]
 },
 {
- "Sid": "TagResourcesDelete",
- "Effect": "Allow",
- "Action": [
+ "Sid": "TagResourcesDelete",
+ "Effect": "Allow",
+ "Action": [
 "ec2:DeleteTags"
- ],
- "Resource": [
+ ],
+ "Resource": [
 "*"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC"
- }
- }
+ ],
+ "Condition": {
+ "StringEquals": {
+ "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC"
+ }
+ }
 }
 ]
 }
@@ -152,7 +156,11 @@ Follow the steps to [create an IAM policy using the JSON editor](https://docs.aw
 "ec2:DescribeInternetGateways",
 "ec2:DescribeImages",
 "ec2:DescribeTransitGatewayVpcAttachments",
- "ec2:DescribeVpcPeeringConnections"
+ "ec2:DescribeVpcPeeringConnections",
+ "ec2:DescribeKeyPairs",
+ "ec2:DescribeTransitGateways",
+ "ec2:DescribeInstanceStatus",
+ "ec2:DescribeNetworkAcls"
 ],
 "Resource": "*"
 },
@@ -164,12 +172,7 @@ Follow the steps to [create an IAM policy using the JSON editor](https://docs.aw
 "cloudwatch:Get*",
 "cloudwatch:List*"
 ],
- "Resource": "*",
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC"
- }
- }
+ "Resource": "*"
 },
 {
 "Sid": "IamUserOperations",
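Review bot: Dropping the `ec2:ResourceTag/RedisLabsIdentifier` condition from the `cloudwatch:Get*`/`cloudwatch:List*` statement (hunk @@ -164,12 +172,7) turns it into an account-wide metrics read grant; the old condition most likely never matched, since `ec2:ResourceTag` is not a condition key evaluated for `cloudwatch:` actions, so this is probably the first time the statement takes effect at all. That is a reasonable fix, but the page shows the policy without comment, so a sentence next to the expand block noting that CloudWatch read access cannot be narrowed by EC2 tags and therefore covers all metrics in the account would help whoever approves the role. The statement's `Sid` line is outside the hunk.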
@@ -182,27 +185,26 @@ Follow the steps to [create an IAM policy using the JSON editor](https://docs.aw
 "Resource": "arn:aws:iam::*:user/${aws:username}"
 },
 {
- "Sid": "PassRlClusterNodeRole",
- "Effect": "Allow",
- "Action": "iam:PassRole",
- "Resource": "arn:aws:iam::*:role/redislabs-cluster-node-role"
- },
- {
- "Sid": "IAMRoleReadAccess",
- "Effect": "Allow",
+ "Sid": "RolePolicyUserReadActions",
 "Action": [
 "iam:GetRole",
 "iam:GetPolicy",
+ "iam:ListUsers",
+ "iam:ListPolicies",
 "iam:ListRolePolicies",
 "iam:ListAttachedRolePolicies",
 "iam:ListInstanceProfiles",
 "iam:ListInstanceProfilesForRole",
 "iam:SimulatePrincipalPolicy"
 ],
- "Resource": [
- "arn:aws:iam::*:role/Redislabs-*",
- "arn:aws:iam::*:policy/Redislabs-*"
- ]
+ "Effect": "Allow",
+ "Resource": "*"
+ },
+ {
+ "Sid": "PassRlClusterNodeRole",
+ "Effect": "Allow",
+ "Action": "iam:PassRole",
+ "Resource": "arn:aws:iam::*:role/redislabs-cluster-node-role"
 },
 {
 "Sid": "CreateEc2ResourcesWithoutTag",
@@ -216,7 +218,13 @@ Follow the steps to [create an IAM policy using the JSON editor](https://docs.aw
 "ec2:CreateSecurityGroup",
 "ec2:CreateInternetGateway",
 "ec2:CreateRouteTable",
- "ec2:CreateSubnet"
+ "ec2:CreateSubnet",
+ "ec2:CreateSnapshot",
+ "ec2:CreateTransitGateway",
+ "ec2:AssociateVpcCidrBlock",
+ "ec2:CreateTransitGatewayVpcAttachment",
+ "ec2:AttachInternetGateway",
+ "ec2:ReplaceRoute"
 ],
 "Resource": "*"
 },
@@ -238,19 +246,6 @@ Follow the steps to [create an IAM policy using the JSON editor](https://docs.aw
 }
 }
 },
- {
- "Sid": "DenyCreateVpcWithoutRequiredTag",
- "Effect": "Deny",
- "Action": [
- "ec2:CreateVpc"
- ],
- "Resource": "*",
- "Condition": {
- "Null": {
- "aws:RequestTag/RedisLabsIdentifier": "true"
- }
- }
- },
 {
 "Sid": "AllowVpcPeeringManagement",
 "Effect": "Allow",
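Review bot: The renamed `RolePolicyUserReadActions` statement (hunk @@ -182,27 +185,26) changes `"Resource"` from the `arn:aws:iam::*:role/Redislabs-*` / `arn:aws:iam::*:policy/Redislabs-*` ARNs to `"*"`, so `iam:GetRole`, `iam:GetPolicy`, `iam:ListRolePolicies`, `iam:ListAttachedRolePolicies`, `iam:ListInstanceProfilesForRole` and `iam:SimulatePrincipalPolicy` now apply to every role, policy and principal in the account instead of the Redis-prefixed ones. The wider scope may have been needed because `iam:ListUsers`, `iam:ListPolicies` and `iam:ListInstanceProfiles` only evaluate against `*`, but that does not require unscoping the rest; splitting the statement keeps least privilege for the actions that do accept resource ARNs. The page text should also say what the new user and policy listing is used for, since readers are asked to grant it in their own account.
```json
{
  "Sid": "RolePolicyUserReadActions",
  "Effect": "Allow",
  "Action": [
    "iam:ListUsers",
    "iam:ListPolicies",
    "iam:ListInstanceProfiles"
  ],
  "Resource": "*"
},
{
  "Sid": "IAMRoleReadAccess",
  "Effect": "Allow",
  "Action": [
    "iam:GetRole",
    "iam:GetPolicy",
    "iam:ListRolePolicies",
    "iam:ListAttachedRolePolicies",
    "iam:ListInstanceProfilesForRole",
    "iam:SimulatePrincipalPolicy"
  ],
  "Resource": [
    "arn:aws:iam::*:role/Redislabs-*",
    "arn:aws:iam::*:policy/Redislabs-*"
  ]
},
// … unchanged: PassRlClusterNodeRole statement …
```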
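Review bot: `ec2:CreateSnapshot` and `ec2:AttachInternetGateway` are added to the unconditioned `CreateEc2ResourcesWithoutTag` statement (hunk @@ -216,7 +218,13, `"Resource": "*"` and no `Condition`) while being dropped from the statement in hunk @@ -278,9 +273,6; hunks @@ -325,7 +317,6 and @@ -336,6 +327,18 do the same for `ec2:DetachInternetGateway` through the new `DeleteEc2ResourcesWithoutTag` statement, and hunk @@ -238,19 +246,6 removes the explicit `DenyCreateVpcWithoutRequiredTag` guardrail. The source statements are not fully visible here, but the `WithoutTag` naming of the destination and the `}` `}` `},` closing context suggest they were gated on `ec2:ResourceTag/RedisLabsIdentifier`, so after this change the role can snapshot any volume and attach or detach internet gateways on any VPC in the account, and can create VPCs that never carry the tag the remaining conditions rely on. If the tag condition is unusable for these calls because the tag is applied after creation, the page should say so next to the policy; otherwise keep `ec2:CreateSnapshot`, `ec2:AttachInternetGateway` and `ec2:DetachInternetGateway` in the tag-conditioned statements, or add `"Condition": {"StringEquals": {"ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC"}}` to `DeleteEc2ResourcesWithoutTag`, whose actions all act on existing resources. Dropping the Deny also deserves one sentence of rationale, since it is the only statement that enforced tagging at creation time.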
@@ -278,9 +273,6 @@ Follow the steps to [create an IAM policy using the JSON editor](https://docs.aw
 "Effect": "Allow",
 "Action": [
 "ec2:CreateVolume",
- "ec2:CreateSnapshot",
- "ec2:ImportKeyPair",
- "ec2:AttachInternetGateway",
 "ec2:CreateRoute",
 "ec2:AuthorizeSecurityGroupIngress",
 "ec2:AuthorizeSecurityGroupEgress"
@@ -325,7 +317,6 @@ Follow the steps to [create an IAM policy using the JSON editor](https://docs.aw
 "ec2:DeleteSecurityGroup",
 "ec2:DeleteRouteTable",
 "ec2:DeleteRoute",
- "ec2:DetachInternetGateway",
 "ec2:DeleteInternetGateway",
 "ec2:DeleteVpc"
 ],
@@ -336,6 +327,18 @@ Follow the steps to [create an IAM policy using the JSON editor](https://docs.aw
 }
 }
 },
+ {
+ "Sid": "DeleteEc2ResourcesWithoutTag",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:RevokeSecurityGroupIngress",
+ "ec2:RejectVpcPeeringConnection",
+ "ec2:DeleteTransitGatewayVpcAttachment",
+ "ec2:DeleteTransitGateway",
+ "ec2:DetachInternetGateway"
+ ],
+ "Resource": "*"
+ },
 {
 "Sid": "CreateAndChangeServiceLinkedRoleForTransitGateway",
 "Effect": "Allow",
@@ -348,12 +351,37 @@ Follow the steps to [create an IAM policy using the JSON editor](https://docs.aw
 }
 },
 {
+ "Sid": "RolePolicyForTransitGateway",
 "Effect": "Allow",
 "Action": [
 "iam:AttachRolePolicy",
 "iam:PutRolePolicy"
 ],
 "Resource": "arn:aws:iam::*:role/aws-service-role/transitgateway.amazonaws.com/AWSServiceRoleForVPCTransitGateway*"
+ },
+ {
+ "Sid": "AllowEncryptedVolumeCreation",
+ "Effect": "Allow",
+ "Action": [
+ "kms:GenerateDataKeyWithoutPlaintext",
+ "kms:DescribeKey"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "AllowAttachDetachOfEncryptedVolumes",
+ "Effect": "Allow",
+ "Action": [
+ "kms:CreateGrant",
+ "kms:ListGrants",
+ "kms:RevokeGrant"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "Bool": {
+ "kms:GrantIsForAWSResource": "true"
+ }
+ }
 }
 ]
 }
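Review bot: `AllowEncryptedVolumeCreation` (hunk @@ -348,12 +351,37) grants `kms:GenerateDataKeyWithoutPlaintext` and `kms:DescribeKey` on `"Resource": "*"` with no condition, so the role can generate data keys under any KMS key in the account, whereas the sibling `AllowAttachDetachOfEncryptedVolumes` added in the same hunk is properly bounded by `kms:GrantIsForAWSResource`. Since the Sid says this is for encrypted EBS volumes, the first statement can be bounded the same way by restricting the call path to EC2, e.g. `"Condition": {"StringEquals": {"kms:ViaService": "ec2.REGION.amazonaws.com"}}` (REGION is a placeholder for the deployment region), or by listing the customer-managed key ARNs instead of `*`. The page should also say which keys the role is expected to use, because a reader pasting this policy has no way to tell from the JSON alone.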
diff --git a/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/cloudformation.md b/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/cloudformation.md
index 6017d137da..291433ba39 100644
--- a/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/cloudformation.md
+++ b/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/cloudformation.md
@@ -7,6 +7,10 @@ categories:
 - operate
 - rc
 linkTitle: CloudFormation
+aliases:
+ - /operate/rc/how-to/view-edit-cloud-account/iam-resources/cloudformation
+ - /operate/rc/cloud-accounts/iam-resources/cloudformation
+ - /operate/rc/cloud-integrations/aws-cloud-accounts/iam-resources/cloudformation
 ---
 
 You can use [AWS CloudFormation](https://aws.amazon.com/cloudformation/) to create the IAM resources for Redis Cloud Bring your Own Cloud (BYOC).
diff --git a/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/terraform.md b/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/terraform.md
index e0e8a70893..fe699b4cac 100644
--- a/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/terraform.md
+++ b/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/terraform.md
@@ -7,6 +7,10 @@ categories:
 - operate
 - rc
 linkTitle: Terraform
+aliases:
+ - /operate/rc/how-to/view-edit-cloud-account/iam-resources/terraform
+ - /operate/rc/cloud-accounts/iam-resources/terraform
+ - /operate/rc/cloud-integrations/aws-cloud-accounts/iam-resources/terraform
 ---
 
 You can use [HashiCorp Terraform](https://www.terraform.io/intro/index.html) to create identity and access management (IAM) resources to support AWS cloud account access to Redis Cloud subscriptions.
diff --git a/content/operate/rc/subscriptions/bring-your-own-cloud/subscription-whitelist.md b/content/operate/rc/subscriptions/bring-your-own-cloud/subscription-whitelist.md
index b3755a2b28..10fe27304e 100644
--- a/content/operate/rc/subscriptions/bring-your-own-cloud/subscription-whitelist.md
+++ b/content/operate/rc/subscriptions/bring-your-own-cloud/subscription-whitelist.md
@@ -9,6 +9,10 @@ description: The CIDR allow list permits traffic between a range of IP addresses
 the Redis Cloud VPC.
 linkTitle: Subscription CIDR allow list
 weight: $weight
+aliases:
+ - /operate/rc/how-to/view-edit-cloud-account/subscription-whitelist
+ - /operate/rc/cloud-accounts/subscription-whitelist
+ - /operate/rc/cloud-integrations/aws-cloud-accounts/subscription-whitelist
 ---
 
 The [CIDR](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) [allow list](https://en.wikipedia.org/wiki/Whitelist) lets you restrict traffic to your Redis Cloud database. When you configure an allow list, only the [IP addresses](https://en.wikipedia.org/wiki/IP_address) defined in the list can connect to the database. Traffic from all other IP addresses is blocked.