Recommended AWS Configuration
This page presents the recommended setup, in ascending order of complexity. Steps 1 & 2 are the most important.
Make sure you don't reuse your own AWS credentials for PullPreview. You should create a dedicated IAM user (e.g. pullpreview) with programmatic access only.
If you cannot create a new user, then at least make sure to create a secondary key and use that. This way you can disable it easily should anything happen.
The next step is to assign a more restricted IAM Policy to the IAM User. PullPreview only requires access to Lightsail resources, so the recommended IAM Policy to assign to the User is the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lightsail:*"
      ],
      "Resource": "*"
    }
  ]
}
When this is done, make sure to remove any other IAM Policy associated with the IAM User.
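To check that the user ends up with nothing beyond the policy above, the following sketch scans the policy documents still associated with it and reports every Allow statement that reaches outside Lightsail. It is an added example, not part of PullPreview; the function names and both sample policies are constructed for illustration, and it assumes the user's attached and inline policy documents have already been exported as JSON.

```python
import json

ALLOWED_PREFIX = "lightsail:"  # the only service PullPreview needs, per this page

def _as_list(value):
    """IAM accepts either a single string or a list for Action/NotAction."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def excess_grants(policy_document):
    """Return (statement index, action) pairs for Allow grants beyond Lightsail."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:  # Allow + NotAction grants everything not listed
            findings.append((index, "NotAction"))
        for action in _as_list(stmt.get("Action")):
            # Action names are case-insensitive; "*" and partial wildcards are flagged
            if not action.lower().startswith(ALLOWED_PREFIX):
                findings.append((index, action))
    return findings

def audit_user(policies):
    """Map policy name -> findings, keeping only policies that over-grant."""
    results = {name: excess_grants(doc) for name, doc in policies.items()}
    return {name: found for name, found in results.items() if found}

# Constructed sample input: the recommended policy and a hypothetical leftover one.
RECOMMENDED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["lightsail:*"], "Resource": "*"}]}
LEFTOVER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["Lightsail:GetInstances", "*"], "Resource": "*"}]}

if __name__ == "__main__":
    sample = {"pullpreview-lightsail": RECOMMENDED, "old-admin": LEFTOVER}
    for name, found in audit_user(sample).items():
        print(f"{name}: remove or tighten -> {found}")
```

Any policy name the audit returns is one to detach from the dedicated user.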
For security and billing reasons, you may also want to create an AWS sub-account dedicated to your review environments. Sub-accounts can be accessed from your primary account by switching roles, and billing charges can be shown per-account in the consolidated billing, which is pretty convenient.
If you are using an AWS sub-account, then you will need to create the IAM User and Policy in that account.