Setting up the AWS integration in Ploy in order to manage users and access to critical services provided by Amazon Web Services (AWS).
The purpose of this document is to set up an AWS integration in Ploy. This guide requires you to be able to create IAM roles in your AWS account, so before you continue make sure you have the proper access to the console.
We have provided a set of permissions that are a sensible starting point for Ploy, but make sure to check their implications before you apply them. As Ploy does not modify the roles on AWS, any future changes to them will have to be made by you.
Navigate to your organisation's integrations page and click "Setup" under the Amazon Web Services integration to get started.
This will open a multi-step integration wizard asking you for crucial details about your AWS account:
Please note down the External ID, as this is the secret Ploy will use when communicating with your AWS account.
The next step of the configuration is adding a role that Ploy is going to use when interacting with your AWS account.
Please click on the "Open AWS Console" button or here. On the AWS console, make sure that the selected "Trusted entity type" is "AWS account".
In the next part of the wizard, make sure to enter Ploy's AWS account ID: 010526237970.
Select the "Require external ID" option and enter the External ID from the previous step.
Ploy requires the following permissions for the role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:ListTables"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "sqs:ListQueues"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "lambda:ListFunctions"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetAccountAuthorizationDetails",
        "iam:ListRoles",
        "iam:ListUsers",
        "iam:ListPolicies",
        "iam:ListGroups"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "sso:ListInstances"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "identitystore:ListUsers",
        "identitystore:ListGroups",
        "identitystore:ListGroupMemberships",
        "identitystore:DescribeUser",
        "identitystore:CreateGroupMembership",
        "identitystore:GetGroupMembershipId",
        "identitystore:DeleteGroupMembership"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "sso:ListAccountAssignmentsForPrincipal",
        "sso:ListPermissionSets",
        "sso:DescribePermissionSet",
        "sso:ListCustomerManagedPolicyReferencesInPermissionSet",
        "sso:ListManagedPoliciesInPermissionSet"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBInstances",
        "rds:ListTagsForResource"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeTags"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeClusters",
        "ecs:ListTagsForResource",
        "ecs:ListClusters"
      ],
      "Resource": "*"
    }
  ]
}
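The two security-relevant parts of this setup are the trust policy the wizard creates (the role must only be assumable from Ploy's account, and only with the External ID) and the question of which of the granted permissions can change anything in your account. The script below is an added example, not Ploy's own code: it builds the trust policy the "Require external ID" option corresponds to, checks an existing trust policy for the two weaknesses that matter here (a wildcard principal, a missing sts:ExternalId condition), and lists the actions in a permissions policy that are not plain List/Get/Describe reads. The External ID value and the excerpt of the permissions policy are constructed for the example; the function names are the example's own.

```python
"""Added example (not Ploy's or AWS's code): trust policy for the Ploy role and
a read-only audit of the permissions policy from the guide."""
import json

# Ploy's AWS account ID, as stated in the setup guide.
PLOY_ACCOUNT_ID = "010526237970"

# Verbs that only read state; anything else is treated as mutating.
READ_ONLY_PREFIXES = ("List", "Get", "Describe")


def build_trust_policy(external_id: str) -> dict:
    """Trust policy that lets Ploy's account assume the role, but only when it
    presents the External ID. The Condition is what the wizard's "Require
    external ID" option adds; without it, any principal in the trusted account
    could assume the role (the confused-deputy problem)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{PLOY_ACCOUNT_ID}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _actions(stmt: dict) -> list:
    actions = stmt.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)


def check_trust_policy(policy: dict) -> list:
    """Findings for Allow statements granting sts:AssumeRole too broadly."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*") for a in _actions(stmt)):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("AssumeRole allowed for any AWS principal")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in condition:
            findings.append("AssumeRole without sts:ExternalId condition")
    return findings


def mutating_actions(policy: dict) -> list:
    """Sorted actions in Allow statements whose verb is not List/Get/Describe."""
    found = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _actions(stmt):
            _service, _, verb = action.partition(":")
            if verb == "*" or not verb.startswith(READ_ONLY_PREFIXES):
                found.add(action)
    return sorted(found)


# Constructed excerpt of the guide's permissions policy (two of its statements).
SAMPLE_PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": [
                "identitystore:ListUsers",
                "identitystore:ListGroups",
                "identitystore:ListGroupMemberships",
                "identitystore:DescribeUser",
                "identitystore:CreateGroupMembership",
                "identitystore:GetGroupMembershipId",
                "identitystore:DeleteGroupMembership",
            ],
            "Resource": "*",
        },
    ],
}

if __name__ == "__main__":
    # "EXAMPLE-EXTERNAL-ID" is a placeholder; use the value shown in the Ploy wizard.
    trust = build_trust_policy("EXAMPLE-EXTERNAL-ID")
    print(json.dumps(trust, indent=2))
    print("trust policy findings:", check_trust_policy(trust))
    print("mutating actions:", mutating_actions(SAMPLE_PERMISSIONS_POLICY))
```

Run against the full policy from the guide, the audit reports only identitystore:CreateGroupMembership and identitystore:DeleteGroupMembership as mutating, which matches what the integration needs in order to manage group membership; everything else is read-only inventory. Pointing check_trust_policy at the trust policy of the role you created in the console (for example via the IAM console's "Trust relationships" tab) confirms the External ID condition actually made it into the role.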