Updated by Chris Meyer on May 07, 2018
Article Code: kb/1038
Content
- Overview
- AWS Configuration Requirements
- AWS Managed Services Anywhere IAM Policy
- Supporting AWS Accounts in an Organization
Overview
This KB details the requirements of Lumen's Managed Services Anywhere (MSA) offering with customer-provided AWS accounts.
AWS Configuration Requirements
- AWS IAM ARN with policy permissions applied
- Apply ARN to CAM provider that has been enabled for Managed Services Anywhere
- AWS Cost Explorer functionality enabled
- Enable AWS IAM profiles to access billing data
AWS Managed Services Anywhere IAM Policy
The AWS IAM policy below is required for Managed Services Providers to have access to review and take action on a customer's behalf.
Customers are encouraged to create a separate IAM policy and add it to the existing Cloud Application Manager's Application Life Cycle management role as described here
Managed Services Anywhere AWS IAM Policy (as of May 7th, 2018)
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "organizations:*",
                "rds:*",
                "cloudtrail:*",
                "logs:*",
                "autoscaling:*",
                "ds:*",
                "servicediscovery:*",
                "cloudfront:*",
                "route53domains:*",
                "kms:*",
                "events:*",
                "directconnect:*",
                "s3:*",
                "cloudformation:*",
                "elasticloadbalancing:*",
                "autoscaling-plans:*",
                "iam:*",
                "trustedadvisor:*",
                "cloudwatch:*",
                "waf:*",
                "ec2:*",
                "waf-regional:*",
                "ce:*",
                "elasticache:*",
                "acm:*",
                "support:*",
                "sts:AssumeRole"
            ],
            "Resource": "*"
        }
    ]
}
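To review what this policy grants before attaching it to the role, the following added example (not Lumen's code) lists every Allow entry that applies to all resources and marks the ones on services that control identities, keys or audit logging. The `SENSITIVE` set and the function names are assumptions of the example, and `NotAction`/`NotResource` statements are not evaluated.

```python
import json

# Action list copied from the policy on this page, compacted to save space.
MSA_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [s + ":*" for s in (
            "organizations rds cloudtrail logs autoscaling ds servicediscovery "
            "cloudfront route53domains kms events directconnect s3 cloudformation "
            "elasticloadbalancing autoscaling-plans iam trustedadvisor cloudwatch "
            "waf ec2 waf-regional ce elasticache acm support").split()
        ] + ["sts:AssumeRole"],
        "Resource": "*",
    }],
})

# Assumption: services this example treats as identity, key or audit-trail control.
SENSITIVE = {"iam", "sts", "kms", "organizations", "cloudtrail"}


def as_list(value):
    """IAM accepts either a bare string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def audit(policy_json):
    """Return (action, is_wildcard, is_sensitive) for Allow entries on Resource "*"."""
    findings = []
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "*" not in as_list(stmt.get("Resource", [])):
            continue  # Deny statements and resource-scoped grants are out of scope here
        for action in as_list(stmt.get("Action", [])):
            service, _, name = action.partition(":")
            wildcard = action == "*" or name == "*"
            sensitive = service.lower() in SENSITIVE
            if wildcard or sensitive:
                findings.append((action, wildcard, sensitive))
    return findings


if __name__ == "__main__":
    for action, wildcard, sensitive in audit(MSA_POLICY):
        flags = ("full-service " if wildcard else "") + ("SENSITIVE" if sensitive else "")
        print(f"{action:26} {flags}")
```

Entries marked SENSITIVE are the ones to track most closely in CloudTrail once the role is in use.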
Supporting AWS Accounts in an Organization
- We support managed AWS accounts that are under an AWS Organization, assuming the same requirements as for independent accounts are met at the Organizational account level.