IAM Deployment Policies
Vokal web deployments rely on access keys and secrets created when adding IAM users through AWS. For security purposes, these credentials should have limited access within AWS which can be managed through user permissions, or policies.
To view active users, you can go to 'Services' > 'IAM' and then select 'Users' in the left column. Users created for deployment should not have login capabilities, only access keys.
User Policies
There are three permissions a user will need to complete a web deployment: uploading to S3, creating an invalidation in Cloudfront, and SES access to send the deployment email. To change these permissions, select the desired user from the list and open the 'Permissions' tab on the detail view.
S3 and Cloudfront
Due to the different S3 buckets for dev, staging, and prod, it's suggested to create a separate user for each environment and only grant access to their particular bucket. Select 'Create User Policy' under 'Inline Policies' to get started with this. Select 'Custom Policy' from the next menu and it should open a text editor for you. Add a policy name that is lowercase without spaces, e.g. 'deployment-staging', and copy/paste the following code into the document field.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1436468325000",
      "Effect": "Allow",
      "Action": [
        "cloudfront:GetDistribution",
        "cloudfront:UpdateDistribution",
        "cloudfront:CreateInvalidation"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "Stmt1436469047000",
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::<bucket-name-staging>/*"
      ]
    }
  ]
}
Ensure you replace <bucket-name-staging> with the appropriate S3 bucket. Do not adjust the Version or the Sid values. This grants the user permission to create invalidations and to update only one S3 bucket. If you want to share deployment keys for dev and staging, you can add a second entry, arn:aws:s3:::<bucket-name-dev>/*, to the S3 statement's Resource array. Production permissions should never be shared with other environments.
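The following is an added example, not part of the original guide or Vokal's tooling: it builds the inline policy above for a given set of environments (refusing to combine prod with anything else) and audits an existing policy document for the mistakes this section warns about. The bucket names are constructed placeholders.

```python
import json

# Constructed bucket names for this example; substitute the real ones.
BUCKETS = {"dev": "example-site-dev", "staging": "example-site-staging",
           "prod": "example-site-prod"}

CLOUDFRONT_ACTIONS = ["cloudfront:GetDistribution", "cloudfront:UpdateDistribution",
                      "cloudfront:CreateInvalidation"]
S3_ACTIONS = ["s3:DeleteObject", "s3:GetObject", "s3:GetObjectAcl",
              "s3:PutObject", "s3:PutObjectAcl"]


def build_deployment_policy(envs, buckets=BUCKETS):
    """Return the page's inline policy scoped to the buckets of `envs`.

    Dev and staging may share one key; prod must always stand alone.
    """
    envs = list(envs)
    if "prod" in envs and len(envs) > 1:
        raise ValueError("production permissions must not be shared with other environments")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Stmt1436468325000", "Effect": "Allow",
             "Action": list(CLOUDFRONT_ACTIONS), "Resource": ["*"]},
            {"Sid": "Stmt1436469047000", "Effect": "Allow",
             "Action": list(S3_ACTIONS),
             "Resource": [f"arn:aws:s3:::{buckets[e]}/*" for e in envs]},
        ],
    }


def audit_policy(policy, prod_bucket):
    """Return a list of findings for a deployment policy; empty means it is OK."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version changed")
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if any("*" in a for a in actions):
            findings.append(f"wildcard action in {actions}")
        s3_actions = [a for a in actions if a.startswith("s3:")]
        bucket_arns = [r for r in resources if r.startswith("arn:aws:s3:::")]
        # S3 rights must name a bucket, never "*" or an s3 wildcard ARN.
        if s3_actions and any(r == "*" or r.startswith("arn:aws:s3:::*") for r in resources):
            findings.append("S3 actions granted on every bucket")
        if len(bucket_arns) > 1 and any(prod_bucket in r for r in bucket_arns):
            findings.append("production bucket shared with another environment")
    return findings


if __name__ == "__main__":
    print(json.dumps(build_deployment_policy(["staging"]), indent=2))
```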
SES
Adding permissions for SES is a bit simpler. Select 'Attach Policy' under 'Managed Policies' and it will bring up a search page. You can search by 'SES' to narrow down the list. Select the 'AmazonSESFullAccess' entry, then the 'Attach Policy' button at the bottom. There we go, permission granted. Note that AmazonSESFullAccess grants every SES action; if you would rather keep the deployment key limited to sending mail, an inline policy allowing only ses:SendEmail and ses:SendRawEmail does the same job.
Repeat these steps for each deployment user. Afterwards, consult with your project's systems engineer on getting SES set up and verifying emails for deployment notifications.