Amazon Web Services (AWS)

There are two users:

  • An operational user, used by the application

  • An administrative user, used by consultants

CloudWatch

Access our metrics.

Safe permissions

Only the administrative user has these.

  • cloudwatch:ListMetrics

  • cloudwatch:GetMetricData

CloudWatch Logs

Only the administrative user has these. This builds on the IAM policy example:

  • Log groups

    • logs:CreateLogGroup (added)

    • logs:DescribeLogGroups

    • logs:DeleteLogGroup (added)

  • Log streams

    • logs:CreateLogStream

    • logs:DescribeLogStreams (added)

    • logs:DeleteLogStream (added)

  • Log deliveries

    • logs:CreateLogDelivery

    • logs:ListLogDeliveries

    • logs:GetLogDelivery

    • logs:UpdateLogDelivery

    • logs:DeleteLogDelivery

  • Log events

    • logs:PutLogEvents

    • logs:GetLogEvents (added)

    • logs:FilterLogEvents (added)

  • Resource policies

    • logs:PutResourcePolicy

    • logs:DescribeResourcePolicies

    • logs:DeleteResourcePolicy (added)

See also

Actions defined by Amazon CloudWatch Logs

Cognito

The operational user has access to the development and production user pools. The administrative user has access to the development user pool only. All permissions are unsafe.

  • cognito-idp:AdminCreateUser

  • cognito-idp:AdminSetUserPassword

  • cognito-idp:AdminResetUserPassword

  • cognito-idp:AdminUpdateUserAttributes

  • cognito-idp:AdminInitiateAuth

  • cognito-idp:AdminUserGlobalSignOut

Simple Email Service (SES)

Configuration sets

Only the administrative user has these.

Safe permissions

  • ses:ListConfigurationSets

  • ses:GetConfigurationSet

  • ses:GetConfigurationSetEventDestinations

Unsafe permissions

This follows Monitor email sending using Amazon SES event publishing:

  • Configuration sets (Step 1)

    • ses:CreateConfigurationSet

    • ses:DeleteConfigurationSet (added)

    • ses:TagResource (added, required to create configuration set)

  • Destinations (Step 2, linking to permissions)

    • ses:CreateConfigurationSetEventDestination

    • ses:UpdateConfigurationSetEventDestination

    • ses:DeleteConfigurationSetEventDestination

Templates

Safe permissions

Both users have:

  • ses:ListTemplates

  • ses:GetTemplate

  • ses:TestRenderTemplate

Unsafe permissions

Only the administrative user has:

  • ses:CreateTemplate

  • ses:UpdateTemplate

  • ses:DeleteTemplate

Sending

Unsafe permissions

Both users have:

  • ses:SendEmail

  • ses:SendRawEmail

Both users have these, which are constrained to credere-* templates, the credere configuration set and the credere@noreply.open-contracting.org identity:

  • ses:SendTemplatedEmail

  • ses:SendBulkTemplatedEmail