docs: synchronize AWS permissions with commercial docs (#784)

The docs in this repo and the commercial docs have slightly different permissions, but there's no reason for this, so they should be synchronized. [#184613881](https://www.pivotaltracker.com/story/show/184613881)
cloudfoundry · Mar 10, 2023 · 49d4a99 · 49d4a99
1 parent dc04a77
commit 49d4a99
Showing 1 changed file with 122 additions and 86 deletions.
diff --git a/docs/aws-installation.md b/docs/aws-installation.md
@@ -18,95 +18,131 @@ The services need to be provisioned in the same AWS account that the foundation
 The AWS account represented by the access key needs the following permission policies:
 ```json
 {
-        "Version": "2012-10-17",
-        "Statement": [
-            {
-                "Action": [
-                    "s3:BypassGovernanceRetention",                  
-                    "s3:CreateAccessPoint",                  
-                    "s3:CreateBucket",
-                    "s3:DeleteBucket",
-                    "s3:PutAccountPublicAccessBlock",
-                    "s3:PutBucketAcl",
-                    "s3:PutBucketLogging",
-                    "s3:PutBucketObjectLockConfiguration",
-                    "s3:PutBucketOwnershipControls",  
-                    "s3:PutBucketPolicy",
-                    "s3:PutBucketPublicAccessBlock",
-                    "s3:PutBucketTagging",
-                    "s3:PutObjectLegalHold",
-                    "s3:PutObjectRetention",
-                    "s3:GetObject",
-                    "s3:ListBucket",
-                    "s3:GetAccountPublicAccessBlock",
-                    "s3:GetBucketObjectLockConfiguration",
-                    "s3:GetBucketOwnershipControls",
-                    "s3:GetBucketPolicyStatus",
-                    "s3:GetBucketPublicAccessBlock",
-                    "s3:GetObjectLegalHold",
-                    "s3:GetObjectRetention",
-                    "iam:CreateAccessKey",
-                    "iam:CreateUser",
-                    "iam:GetUser",
-                    "iam:DeleteAccessKey",
-                    "iam:DeleteUser",
-                    "iam:DeleteUserPolicy",
-                    "iam:ListAccessKeys",
-                    "iam:ListAttachedUserPolicies",
-                    "iam:ListUserPolicies",
-                    "iam:ListPolicies",
-                    "iam:PutUserPolicy",
-                    "iam:GetPolicy",
-                    "iam:GetAccountAuthorizationDetails",
-                    "rds:CreateDBCluster",
-                    "rds:CreateDBInstance",
-                    "rds:DeleteDBCluster",
-                    "rds:DeleteDBInstance",
-                    "rds:DescribeDBClusters",
-                    "rds:DescribeDBInstances",
-                    "rds:DescribeDBSnapshots",
-                    "rds:DeleteDBSnapshot",
-                    "rds:CreateDBParameterGroup",
-                    "rds:ModifyDBParameterGroup",
-                    "rds:DeleteDBParameterGroup",
-                    "dynamodb:ListTables",
-                    "dynamodb:DeleteTable",
-                    "dynamodb:DescribeTable",
-                    "sqs:CreateQueue",
-                    "sqs:DeleteQueue",
-                    "ec2:DescribeVpcs",
-                    "ec2:DescribeVpcAttribute",
-                    "ec2:DescribeSubnets",
-                    "ec2:CreateSecurityGroup",
-                    "ec2:DescribeSecurityGroups",
-                    "ec2:DescribeNetworkInterfaces",
-                    "ec2:DeleteSecurityGroup",
-                    "ec2:RevokeSecurityGroupEgress",
-                    "ec2:AuthorizeSecurityGroupIngress",
-                    "rds:CreateDBSubnetGroup",
-                    "rds:DescribeDBSubnetGroups",
-                    "rds:ListTagsForResource",
-                    "rds:DeleteDBSubnetGroup",
-                    "rds:AddTagsToResource",
-                    "ec2:RevokeSecurityGroupIngress",
-                    "elasticache:ModifyReplicationGroup",
-                    "elasticache:DeleteCacheSubnetGroup",
-                    "elasticache:DescribeReplicationGroups",
-                    "elasticache:DescribeCacheClusters",
-                    "elasticache:ListTagsForResource",
-                    "elasticache:CreateReplicationGroup",
-                    "elasticache:DescribeCacheSubnetGroups",
-                    "elasticache:CreateCacheSubnetGroup",
-                    "elasticache:DeleteReplicationGroup",
-                    "elasticache:ModifyReplicationGroupShardConfiguration"
-                ],
-                "Effect": "Allow",
-                "Resource": "*"
-            }
-        ]
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "dynamodb:CreateTable",
+        "dynamodb:CreateTableReplica",
+        "dynamodb:DeleteTable",
+        "dynamodb:DescribeBackup",
+        "dynamodb:DescribeContinuousBackups",
+        "dynamodb:DescribeTable",
+        "dynamodb:DescribeTimeToLive",
+        "dynamodb:ListTables",
+        "dynamodb:ListTagsOfResource",
+        "dynamodb:TagResource",
+        "ec2:AuthorizeSecurityGroupIngress",
+        "ec2:CreateSecurityGroup",
+        "ec2:DeleteSecurityGroup",
+        "ec2:DescribeNetworkInterfaces",
+        "ec2:DescribeSecurityGroups",
+        "ec2:DescribeSubnets",
+        "ec2:DescribeVpcAttribute",
+        "ec2:DescribeVpcs",
+        "ec2:RevokeSecurityGroupEgress",
+        "ec2:RevokeSecurityGroupIngress",
+        "elasticache:CreateCacheSubnetGroup",
+        "elasticache:CreateReplicationGroup",
+        "elasticache:DeleteCacheSubnetGroup",
+        "elasticache:DeleteReplicationGroup",
+        "elasticache:DescribeCacheClusters",
+        "elasticache:DescribeCacheSubnetGroups",
+        "elasticache:DescribeReplicationGroups",
+        "elasticache:ListTagsForResource",
+        "elasticache:ModifyReplicationGroup",
+        "elasticache:ModifyReplicationGroupShardConfiguration",
+        "iam:CreateAccessKey",
+        "iam:CreateUser",
+        "iam:DeleteAccessKey",
+        "iam:DeleteUser",
+        "iam:DeleteUserPolicy",
+        "iam:GetAccountAuthorizationDetails",
+        "iam:GetPolicy",
+        "iam:GetUser",
+        "iam:GetUserPolicy",
+        "iam:ListAccessKeys",
+        "iam:ListAttachedUserPolicies",
+        "iam:ListGroupsForUser",
+        "iam:ListPolicies",
+        "iam:ListUserPolicies",
+        "iam:PutUserPolicy",
+        "rds:AddTagsToResource",
+        "rds:CreateDBCluster",
+        "rds:CreateDBInstance",
+        "rds:CreateDBParameterGroup",
+        "rds:CreateDBSubnetGroup",
+        "rds:DeleteDBCluster",
+        "rds:DeleteDBInstance",
+        "rds:DeleteDBParameterGroup",
+        "rds:DeleteDBSnapshot",
+        "rds:DeleteDBSubnetGroup",
+        "rds:DescribeDBClusters",
+        "rds:DescribeDBInstances",
+        "rds:DescribeDBSnapshots",
+        "rds:DescribeDBSubnetGroups",
+        "rds:ListTagsForResource",
+        "rds:ModifyDBInstance",
+        "rds:ModifyDBParameterGroup",
+        "s3:BypassGovernanceRetention",
+        "s3:BypassGovernanceRetention",
+        "s3:CreateAccessPoint",
+        "s3:CreateAccessPoint",
+        "s3:CreateBucket",
+        "s3:DeleteAccessPointPolicy",
+        "s3:DeleteBucket",
+        "s3:DeleteBucketPolicy",
+        "s3:DeleteObject",
+        "s3:GetAccelerateConfiguration",
+        "s3:GetAccountPublicAccessBlock",
+        "s3:GetBucketAcl",
+        "s3:GetBucketCORS",
+        "s3:GetBucketLogging",
+        "s3:GetBucketObjectLockConfiguration",
+        "s3:GetBucketOwnershipControls",
+        "s3:GetBucketPolicy",
+        "s3:GetBucketPolicyStatus",
+        "s3:GetBucketPublicAccessBlock",
+        "s3:GetBucketRequestPayment",
+        "s3:GetBucketTagging",
+        "s3:GetBucketVersioning",
+        "s3:GetBucketWebsite",
+        "s3:GetEncryptionConfiguration",
+        "s3:GetLifecycleConfiguration",
+        "s3:GetObject",
+        "s3:GetObjectLegalHold",
+        "s3:GetObjectRetention",
+        "s3:GetReplicationConfiguration",
+        "s3:ListBucket",
+        "s3:PutAccessPointPolicy",
+        "s3:PutAccountPublicAccessBlock",
+        "s3:PutBucketAcl",
+        "s3:PutBucketLogging",
+        "s3:PutBucketObjectLockConfiguration",
+        "s3:PutBucketOwnershipControls",
+        "s3:PutBucketOwnershipControls",
+        "s3:PutBucketPolicy",
+        "s3:PutBucketPublicAccessBlock",
+        "s3:PutBucketRequestPayment",
+        "s3:PutBucketTagging",
+        "s3:PutBucketVersioning",
+        "s3:PutEncryptionConfiguration",
+        "s3:PutObject",
+        "s3:PutObjectAcl",
+        "s3:PutObjectLegalHold",
+        "s3:PutObjectRetention",
+        "sqs:CreateQueue",
+        "sqs:DeleteQueue"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
     }
+  ]
+}
 ```
 
+To enable the Enhanced Monitoring feature for Amazon RDS, it's necessary to grant additional permissions.
+To read about setting up and enabling Enhanced Monitoring see https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Monitoring.OS.Enabling.html
 
 ### MySQL Database for Broker State
 The broker keeps service instance and binding information in a MySQL database.