Merge pull request #1546 from redis/AdarBahar-patch-2

cmilesb · web-flow · commit c26c6d954c28 · 2025-05-12T09:43:37.000-04:00
Update aws-console.md
diff --git a/content/operate/rc/subscriptions/bring-your-own-cloud/cloud-account-settings.md b/content/operate/rc/subscriptions/bring-your-own-cloud/cloud-account-settings.md
@@ -8,6 +8,10 @@ categories:
 description: null
 hideListLinks: true
 weight: 2
+aliases:
+  - /operate/rc/how-to/view-edit-cloud-account/cloud-account-settings
+  - /operate/rc/cloud-accounts/cloud-account-settings
+  - /operate/rc/cloud-integrations/aws-cloud-accounts/cloud-account-settings
 ---
 
 Redis Cloud Bring your own Cloud (BYOC) lets you use your own cloud infrastructure to deploy Redis Cloud.
diff --git a/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/_index.md b/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/_index.md
@@ -8,6 +8,10 @@ description: null
 hideListLinks: true
 linkTitle: Create IAM resources
 weight: 1
+aliases:
+  - /operate/rc/how-to/view-edit-cloud-account/iam-resources
+  - /operate/rc/cloud-accounts/iam-resources
+  - /operate/rc/cloud-integrations/aws-cloud-accounts/iam-resources
 ---
 For Redis Cloud Bring your Own Cloud (BYOC) on Amazon Web Services (AWS), we manage the supporting infrastructure for you in dedicated AWS accounts.
 
diff --git a/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/aws-console.md b/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/aws-console.md
@@ -7,6 +7,10 @@ categories:
 - operate
 - rc
 weight: $weight
+aliases:
+  - /operate/rc/how-to/view-edit-cloud-account/iam-resources/aws-console
+  - /operate/rc/cloud-accounts/iam-resources/aws-console
+  - /operate/rc/cloud-integrations/aws-cloud-accounts/iam-resources/aws-console
 ---
 Follow these steps to manually create IAM resources using the [AWS console](https://console.aws.amazon.com/).
 
@@ -26,7 +30,7 @@ Follow the steps to [create an IAM policy using the JSON editor](https://docs.aw
 
     {{< expand "View RedisLabsInstanceRolePolicy.json" >}}
 ```js
-{
+ {
     "Version": "2012-10-17",
     "Statement": [
         {
@@ -84,19 +88,19 @@ Follow the steps to [create an IAM policy using the JSON editor](https://docs.aw
             ]
         },
         {
-            "Sid": "TagResourcesDelete",
-            "Effect": "Allow",
-            "Action": [
+          "Sid": "TagResourcesDelete",
+          "Effect": "Allow",
+          "Action": [
                 "ec2:DeleteTags"
-            ],
-            "Resource": [
+          ],
+          "Resource": [
                 "*"
-            ],
-            "Condition": {
-                "StringEquals": {
-                    "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC"
-                }
-            }
+          ],
+          "Condition": {
+              "StringEquals": {
+                  "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC"
+              }
+          }
         }
     ]
 }
@@ -152,7 +156,11 @@ Follow the steps to [create an IAM policy using the JSON editor](https://docs.aw
                 "ec2:DescribeInternetGateways",
                 "ec2:DescribeImages",
                 "ec2:DescribeTransitGatewayVpcAttachments",
-                "ec2:DescribeVpcPeeringConnections"
+                "ec2:DescribeVpcPeeringConnections",
+                "ec2:DescribeKeyPairs",
+                "ec2:DescribeTransitGateways",
+                "ec2:DescribeInstanceStatus",
+                "ec2:DescribeNetworkAcls"
             ],
             "Resource": "*"
         },
@@ -164,12 +172,7 @@ Follow the steps to [create an IAM policy using the JSON editor](https://docs.aw
                 "cloudwatch:Get*",
                 "cloudwatch:List*"
             ],
-            "Resource": "*",
-            "Condition": {
-                "StringEquals": {
-                    "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC"
-                }
-            }
+            "Resource": "*"
         },
         {
             "Sid": "IamUserOperations",
@@ -182,27 +185,26 @@ Follow the steps to [create an IAM policy using the JSON editor](https://docs.aw
             "Resource": "arn:aws:iam::*:user/${aws:username}"
         },
         {
-            "Sid": "PassRlClusterNodeRole",
-            "Effect": "Allow",
-            "Action": "iam:PassRole",
-            "Resource": "arn:aws:iam::*:role/redislabs-cluster-node-role"
-        },
-        {
-            "Sid": "IAMRoleReadAccess",
-            "Effect": "Allow",
+            "Sid": "RolePolicyUserReadActions",
             "Action": [
                 "iam:GetRole",
                 "iam:GetPolicy",
+                "iam:ListUsers",
+                "iam:ListPolicies",
                 "iam:ListRolePolicies",
                 "iam:ListAttachedRolePolicies",
                 "iam:ListInstanceProfiles",
                 "iam:ListInstanceProfilesForRole",
                 "iam:SimulatePrincipalPolicy"
             ],
-            "Resource": [
-                "arn:aws:iam::*:role/Redislabs-*",
-                "arn:aws:iam::*:policy/Redislabs-*"
-            ]
+            "Effect": "Allow",
+            "Resource": "*"
+        },
+        {
+            "Sid": "PassRlClusterNodeRole",
+            "Effect": "Allow",
+            "Action": "iam:PassRole",
+            "Resource": "arn:aws:iam::*:role/redislabs-cluster-node-role"
         },
         {
             "Sid": "CreateEc2ResourcesWithoutTag",
@@ -216,7 +218,13 @@ Follow the steps to [create an IAM policy using the JSON editor](https://docs.aw
                 "ec2:CreateSecurityGroup",
                 "ec2:CreateInternetGateway",
                 "ec2:CreateRouteTable",
-                "ec2:CreateSubnet"
+                "ec2:CreateSubnet",
+                "ec2:CreateSnapshot",
+                "ec2:CreateTransitGateway",
+                "ec2:AssociateVpcCidrBlock",
+                "ec2:CreateTransitGatewayVpcAttachment",
+                "ec2:AttachInternetGateway",
+                "ec2:ReplaceRoute"
             ],
             "Resource": "*"
         },
@@ -238,19 +246,6 @@ Follow the steps to [create an IAM policy using the JSON editor](https://docs.aw
                 }
             }
         },
-        {
-            "Sid": "DenyCreateVpcWithoutRequiredTag",
-            "Effect": "Deny",
-            "Action": [
-                "ec2:CreateVpc"
-            ],
-            "Resource": "*",
-            "Condition": {
-                "Null": {
-                    "aws:RequestTag/RedisLabsIdentifier": "true"
-                }
-            }
-        },
         {
             "Sid": "AllowVpcPeeringManagement",
             "Effect": "Allow",
@@ -278,9 +273,6 @@ Follow the steps to [create an IAM policy using the JSON editor](https://docs.aw
             "Effect": "Allow",
             "Action": [
                 "ec2:CreateVolume",
-                "ec2:CreateSnapshot",
-                "ec2:ImportKeyPair",
-                "ec2:AttachInternetGateway",
                 "ec2:CreateRoute",
                 "ec2:AuthorizeSecurityGroupIngress",
                 "ec2:AuthorizeSecurityGroupEgress"
@@ -325,7 +317,6 @@ Follow the steps to [create an IAM policy using the JSON editor](https://docs.aw
                 "ec2:DeleteSecurityGroup",
                 "ec2:DeleteRouteTable",
                 "ec2:DeleteRoute",
-                "ec2:DetachInternetGateway",
                 "ec2:DeleteInternetGateway",
                 "ec2:DeleteVpc"
             ],
@@ -336,6 +327,18 @@ Follow the steps to [create an IAM policy using the JSON editor](https://docs.aw
                 }
             }
         },
+        {
+            "Sid": "DeleteEc2ResourcesWithoutTag",
+            "Effect": "Allow",
+            "Action": [
+                "ec2:RevokeSecurityGroupIngress",
+                "ec2:RejectVpcPeeringConnection",
+                "ec2:DeleteTransitGatewayVpcAttachment",
+                "ec2:DeleteTransitGateway",
+                "ec2:DetachInternetGateway"
+            ],
+            "Resource": "*"
+        },
         {
             "Sid": "CreateAndChangeServiceLinkedRoleForTransitGateway",
             "Effect": "Allow",
@@ -348,12 +351,37 @@ Follow the steps to [create an IAM policy using the JSON editor](https://docs.aw
             }
         },
         {
+            "Sid": "RolePolicyForTransitGateway",
             "Effect": "Allow",
             "Action": [
                 "iam:AttachRolePolicy",
                 "iam:PutRolePolicy"
             ],
             "Resource": "arn:aws:iam::*:role/aws-service-role/transitgateway.amazonaws.com/AWSServiceRoleForVPCTransitGateway*"
+        },
+        {
+            "Sid": "AllowEncryptedVolumeCreation",
+            "Effect": "Allow",
+            "Action": [
+                "kms:GenerateDataKeyWithoutPlaintext",
+                "kms:DescribeKey"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Sid": "AllowAttachDetachOfEncryptedVolumes",
+            "Effect": "Allow",
+            "Action": [
+                "kms:CreateGrant",
+                "kms:ListGrants",
+                "kms:RevokeGrant"
+            ],
+            "Resource": "*",
+            "Condition": {
+                "Bool": {
+                    "kms:GrantIsForAWSResource": "true"
+                }
+            }
         }
     ]
 }
diff --git a/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/cloudformation.md b/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/cloudformation.md
@@ -7,6 +7,10 @@ categories:
 - operate
 - rc
 linkTitle: CloudFormation
+aliases:
+  - /operate/rc/how-to/view-edit-cloud-account/iam-resources/cloudformation
+  - /operate/rc/cloud-accounts/iam-resources/cloudformation
+  - /operate/rc/cloud-integrations/aws-cloud-accounts/iam-resources/cloudformation
 ---
 You can use [AWS CloudFormation](https://aws.amazon.com/cloudformation/) to create the IAM resources for Redis Cloud Bring your Own Cloud (BYOC).
 
diff --git a/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/terraform.md b/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/terraform.md
@@ -7,6 +7,10 @@ categories:
 - operate
 - rc
 linkTitle: Terraform
+aliases:
+  - /operate/rc/how-to/view-edit-cloud-account/iam-resources/terraform
+  - /operate/rc/cloud-accounts/iam-resources/terraform
+  - /operate/rc/cloud-integrations/aws-cloud-accounts/iam-resources/terraform
 ---
 You can use [HashiCorp Terraform](https://www.terraform.io/intro/index.html) to create identity and access management (IAM) resources to support AWS cloud account access to Redis Cloud subscriptions.
 
diff --git a/content/operate/rc/subscriptions/bring-your-own-cloud/subscription-whitelist.md b/content/operate/rc/subscriptions/bring-your-own-cloud/subscription-whitelist.md
@@ -9,6 +9,10 @@ description: The CIDR allow list permits traffic between a range of IP addresses
   the Redis Cloud VPC.
 linkTitle: Subscription CIDR allow list
 weight: $weight
+aliases:
+  - /operate/rc/how-to/view-edit-cloud-account/subscription-whitelist
+  - /operate/rc/cloud-accounts/subscription-whitelist
+  - /operate/rc/cloud-integrations/aws-cloud-accounts/subscription-whitelist
 ---
 
 The [CIDR](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) [allow list](https://en.wikipedia.org/wiki/Whitelist) lets you restrict traffic to your Redis Cloud database. When you configure an allow list, only the [IP addresses](https://en.wikipedia.org/wiki/IP_address) defined in the list can connect to the database. Traffic from all other IP addresses is blocked.
