Clarified IAM docs section from the OSS version + added policy example (

gravitational#3073) * Clarified IAM docs section + added policy example * Added IAM for DynamoDB to docs
ollyg · Oct 18, 2019 · cf56cff · cf56cff
1 parent c2f656c
commit cf56cff
Showing 1 changed file with 61 additions and 0 deletions.
diff --git a/docs/4.1/aws_oss_guide.md b/docs/4.1/aws_oss_guide.md
@@ -119,6 +119,67 @@ proxy and provides the TCP connections needed for Teleport proxy SSH connections
 IAM is the recommended tool for creating service access. This guide will follow the 
 best practice of principle of least privilege (PoLP). 
 
+#### IAM for Amazon S3
+
+In order to grant an IAM user in your AWS account access to one of your buckets, `example.s3.bucket` you will need to grant the following permissions: `s3:ListBucket`, `s3:ListBucketVersions`, `s3:PutObject`, `s3:GetObject`, `s3:GetObjectVersion`
+
+An example policy is shown below:
+
+```
+{
+   "Version": "2012-10-17",
+   "Statement": [
+     {
+       "Effect": "Allow",
+       "Action": [
+         "s3:ListBucket",
+         "s3:ListBucketVersions"
+        ],
+       "Resource": ["arn:aws:s3:::example.s3.bucket"]
+     },
+     {
+       "Effect": "Allow",
+       "Action": [
+         "s3:PutObject",
+         "s3:GetObject",
+         "s3:GetObjectVersion"
+       ],
+       "Resource": ["arn:aws:s3:::example.s3.bucket/*"]
+     }
+   ]
+ }
+```
+!!! note "Note":
+    `example.s3.bucket` will need to be replaced with your bucket name. 
+
+#### IAM for DynamoDB
+
+In order to grant an IAM user access to DynamoDB make sure that the IAM role assigned to Teleport is configured with proper permissions. 
+
+An example policy is shown below:
+
+```
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "AllAPIActionsOnTeleportAuth",
+            "Effect": "Allow",
+            "Action": "dynamodb:*",
+            "Resource": "arn:aws:dynamodb:eu-west-1:123456789012:table/prod.teleport.auth"
+        },
+        {
+            "Sid": "AllAPIActionsOnTeleportStreams",
+            "Effect": "Allow",
+            "Action": "dynamodb:*",
+            "Resource": "arn:aws:dynamodb:eu-west-1:123456789012:table/prod.teleport.auth/stream/*"
+        }
+    ]
+}
+```
+!!! note "Note":
+    `eu-west-1:123456789012:table/prod.teleport.auth` will need to be replaced with your DynamoDB instance.
+
 ### ACM 
 With AWS Certificate Manager, you can quickly request SSL/TLS certificates.