AWS - Integration & Permissions Configuration

  1. Log in to the AWS management console and open the AWS IAM Console.

  2. Under Roles select "Create Role"

  3. Under "Trusted Entity Type" Select "AWS Account" and chose "Another AWS Account"

  4. Enter the AWS account ID you will be provided in app (hit 'Click for instructions' from the Add provider page).

  5. Check "Require External ID" and enter the extenral ID provided in the app (hit 'Click for instructions' from the Add provider page).

  6. Ensure that "Require MFA" is un-checked and click "Next"

  7. Add the following standardrole:

arn:aws:iam::aws:policy/ReadOnlyAccess

  1. Add the following custom policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowTurnitoffManagement",
            "Effect": "Allow",
            "Action": [
                "ec2:StopInstances",
                "ec2:AssociateAddress",
                "ec2:DisassociateAddress",
                "ec2:StartInstances",
                "elasticloadbalancing:RegisterTargets",
                "elasticloadbalancing:DeregisterTargets",
                "rds:StartDBInstance",
                "rds:StopDBInstance",
                "elasticbeanstalk:UpdateEnvironment",
                "ecs:UpdateService",
                "autoscaling:UpdateAutoScalingGroup",
                "autoscaling-plans:UpdateScalingPlan",
                "ec2:CreateTags",
                "kms:CreateGrant"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowTerminateInstances",
            "Effect": "Allow",
            "Action": "ec2:TerminateInstances",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/ManagedBy": "Turnitoff.ai"
                }
            }
        },
        {
            "Sid": "AllowRunInstancesRestrictByInstanceTag",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:RequestTag/ManagedBy": "Turnitoff.ai"
                }
            }
        },
        {
            "Sid": "AllowRunInstances",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances",
                "ec2:CreateVolume"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:key-pair/*",
                "arn:aws:ec2:*::snapshot/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*::image/*",
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:network-interface/*"
            ]
        }
    ]
}

  1. Select the role, copy the Role ARN from the summary page and paste into the "Role ARN" field in the Turn It Off app.

PreviousAWS Supported ResourcesNextMicrosoft Azure

Last updated