AWS IAM Policy
The IAM policy required for NightOps to manage your AWS resources.
IAM Role Setup
NightOps uses cross-account IAM role assumption to access your AWS resources. This is the most secure method as it doesn't require sharing access keys.
Step 1: Create the IAM Policy
Create a new IAM policy with the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "NightOpsReadAccess",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeTags",
        "rds:DescribeDBInstances",
        "rds:ListTagsForResource",
        "ecs:DescribeServices",
        "ecs:DescribeClusters",
        "ecs:ListServices",
        "eks:DescribeNodegroup",
        "eks:ListNodegroups",
        "eks:DescribeCluster",
        "redshift:DescribeClusters",
        "autoscaling:DescribeAutoScalingGroups"
      ],
      "Resource": "*"
    },
    {
      "Sid": "NightOpsEC2Management",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/nightops-managed": "true"
        }
      }
    },
    {
      "Sid": "NightOpsRDSManagement",
      "Effect": "Allow",
      "Action": [
        "rds:StartDBInstance",
        "rds:StopDBInstance"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "rds:db-tag/nightops-managed": "true"
        }
      }
    },
    {
      "Sid": "NightOpsECSManagement",
      "Effect": "Allow",
      "Action": [
        "ecs:UpdateService"
      ],
      "Resource": "*"
    },
    {
      "Sid": "NightOpsEKSManagement",
      "Effect": "Allow",
      "Action": [
        "eks:UpdateNodegroupConfig"
      ],
      "Resource": "*"
    },
    {
      "Sid": "NightOpsRedshiftManagement",
      "Effect": "Allow",
      "Action": [
        "redshift:PauseCluster",
        "redshift:ResumeCluster"
      ],
      "Resource": "*"
    },
    {
      "Sid": "NightOpsASGManagement",
      "Effect": "Allow",
      "Action": [
        "autoscaling:UpdateAutoScalingGroup"
      ],
      "Resource": "*"
    }
  ]
}
Step 2: Create the IAM Role
Create a new IAM role with a trust relationship allowing NightOps to assume it:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::831493647492:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID"
        }
      }
    }
  ]
}
Replace YOUR_EXTERNAL_ID with the external ID generated for your account in the NightOps dashboard.
Step 3: Attach the Policy
Attach the IAM policy created in Step 1 to the IAM role created in Step 2.
Step 4: Add to NightOps
Copy the Role ARN (e.g., arn:aws:iam::YOUR_ACCOUNT:role/NightOpsRole) and add it in the NightOps dashboard under Settings → Cloud Providers → Add AWS Account.
Minimal Permissions
If you only want to manage specific services, you can remove the corresponding permissions from the policy. For example, if you only need EC2 management:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "NightOpsEC2Read",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeTags"
      ],
      "Resource": "*"
    },
    {
      "Sid": "NightOpsEC2Management",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/nightops-managed": "true"
        }
      }
    }
  ]
}
Security Considerations
- The EC2 and RDS statements use tag condition keys (ec2:ResourceTag and rds:db-tag) so that NightOps can only start and stop resources tagged nightops-managed=true
- The trust policy requires an external ID, which prevents confused deputy attacks
- NightOps never requests permissions for data access or resource deletion
- You can further restrict the policy using resource ARNs if desired; the ECS, EKS, Redshift and Auto Scaling statements above carry no tag condition, so scoping their Resource element is the way to limit them to specific clusters, node groups or groups
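An offline check of the two documents from Steps 1 and 2 against the properties listed above: every Allow statement that grants a non-Describe/List action on Resource "*" must carry a nightops-managed tag condition, and the trust policy must name the expected principal and a real external ID rather than the placeholder. This is an added example, not NightOps code; the sample policies are trimmed, constructed copies of the ones on this page, and the function names are my own.

```python
import json

# Constructed sample: the page's policy trimmed to three statements
# (one read-only, one tag-scoped EC2 statement, one unscoped ECS statement).
POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
 {"Sid": "NightOpsReadAccess", "Effect": "Allow",
  "Action": ["ec2:DescribeInstances", "ecs:ListServices"], "Resource": "*"},
 {"Sid": "NightOpsEC2Management", "Effect": "Allow",
  "Action": ["ec2:StartInstances", "ec2:StopInstances"], "Resource": "*",
  "Condition": {"StringEquals": {"ec2:ResourceTag/nightops-managed": "true"}}},
 {"Sid": "NightOpsECSManagement", "Effect": "Allow",
  "Action": ["ecs:UpdateService"], "Resource": "*"}]}""")

# Constructed sample trust policy with the placeholder external ID still in place.
TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
 "Principal": {"AWS": "arn:aws:iam::831493647492:root"}, "Action": "sts:AssumeRole",
 "Condition": {"StringEquals": {"sts:ExternalId": "YOUR_EXTERNAL_ID"}}}]}""")

NIGHTOPS_PRINCIPAL = "arn:aws:iam::831493647492:root"  # principal shown on the page
TAG_CONDITION_KEYS = ("ec2:ResourceTag/nightops-managed", "rds:db-tag/nightops-managed")

def _as_list(value):
    # IAM allows a string or a list for Action, Resource and Principal values.
    return value if isinstance(value, list) else [value]

def unscoped_mutating_statements(policy):
    """Sids of Allow statements granting a non-Describe/List action on
    Resource "*" with no nightops-managed tag condition."""
    findings = []
    for st in policy["Statement"]:
        mutating = [a for a in _as_list(st.get("Action", []))
                    if not a.split(":", 1)[1].startswith(("Describe", "List"))]
        if st.get("Effect") != "Allow" or not mutating:
            continue
        cond = st.get("Condition", {}).get("StringEquals", {})
        tag_scoped = any(cond.get(k) == "true" for k in TAG_CONDITION_KEYS)
        if "*" in _as_list(st.get("Resource", [])) and not tag_scoped:
            findings.append(st.get("Sid", "<no Sid>"))
    return findings

def trust_policy_issues(trust, expected_principal=NIGHTOPS_PRINCIPAL):
    """Findings that would let the wrong party assume the role."""
    issues = []
    for st in trust["Statement"]:
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        if st.get("Principal", {}).get("AWS") != expected_principal:
            issues.append("unexpected principal")
        ext_id = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext_id or ext_id == "YOUR_EXTERNAL_ID":
            issues.append("external ID missing or placeholder")
    return issues
```

Run against the full policy from Step 1, the same check flags the ECS, EKS, Redshift and Auto Scaling statements, which is where resource ARNs should be added if you want those services constrained as tightly as EC2 and RDS.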