
Modifying Kyvos Role for Kyvos Cloud DR Deployment

Applies to: Kyvos Enterprise, Kyvos Cloud (SaaS on AWS), Kyvos AWS Marketplace, Kyvos Azure Marketplace, Kyvos GCP Marketplace, Kyvos Single Node Installation (Kyvos SNI)


Note

This applies only to the Disaster Recovery (DR) deployment scenario for Kyvos Cloud 2023.2.x.

In a Disaster Recovery (DR) deployment scenario for Kyvos Cloud 2023.2, the KyvosAutomationRole must be modified from the AWS Management Console.

The modification updates the existing condition in the Ec2StartStopKyvos statement of the KyvosAutomationRole policy so that KyvosAutomationRole can perform the start/stop/describe actions on the DR deployment instances.

In earlier versions, the condition used the "ec2:ResourceTag/UsedBy" tag with the value "Kyvos" to allow access. However, this condition also granted permissions on instances belonging to other stacks, which was unintended. To correct this, the condition is now based on the stack name, which restricts the permissions to only the intended instances.

By incorporating the changes in the policy, the role will be able to manage the EC2 instances of DR deployment. 

Steps to Modify Role 

  1. Step 1: Access the AWS Management Console:
    Open the AWS Management Console using your AWS account credentials. 

  2. Step 2: Navigate to the IAM Service:
    Within the AWS Management Console, navigate to the IAM (Identity and Access Management) service. 

  3. Step 3: Locate the Kyvos Role:
    In the IAM service, locate the IAM role with the name "InstanceIamRole-StackName-CustomerAWSAccountId" associated with Kyvos. 

  4. Step 4: Edit the Kyvos Role:
    Select the Kyvos IAM role from the list to access its details.

  5. Step 5: Modify the Kyvos Policy:
    Within the Kyvos role, find the "kyvos-policy" and click on it to edit the policy.

  6. Step 6: Locate the "Ec2StartStopKyvos" Statement:
    Scroll through the policy document and locate the statement with the "Sid": "Ec2StartStopKyvos".

  7. Step 7: Update the Condition:
    Within the "Ec2StartStopKyvos" statement, modify the "Condition" section as follows:
    Replace the existing condition related to the stack name with the desired DR stack name.
    Example: 

    "Condition": {
        "StringEqualsIgnoreCase": {
            "ec2:ResourceTag/aws:cloudformation:stack-name": "CustomerStack-DR"
        }
    }

    With the condition set to the desired DR stack name, the Kyvos role grants start/stop actions only on the instances associated with that specific DR deployment, as intended.

  8. Step 8: Save the Policy:
    After making the necessary changes, save the updated policy.

  9. Step 9: Apply the Modified Role:
    Once the policy is saved, the modified Kyvos role will automatically take effect. Now this role will have the permissions to start/stop/describe EC2 instances of DR deployment. 
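The following is an added example, not Kyvos code, that shows why the condition in Step 7 was narrowed: it evaluates the old UsedBy condition and the new stack-name condition against a constructed set of instance tags. Instance IDs, tag values and the second stack name are made up; the evaluator supports only the StringEquals and StringEqualsIgnoreCase operators on ec2:ResourceTag keys.

```python
# Added example (not Kyvos code): minimal evaluator for the two IAM condition
# operators relevant here, run against constructed EC2 instance tag sets.

# Condition used in earlier versions: any instance tagged UsedBy=Kyvos.
OLD_CONDITION = {"StringEqualsIgnoreCase": {"ec2:ResourceTag/UsedBy": "Kyvos"}}

# Corrected condition from the page: only instances created by the DR stack.
# CloudFormation applies the aws:cloudformation:stack-name tag automatically.
NEW_CONDITION = {"StringEqualsIgnoreCase": {
    "ec2:ResourceTag/aws:cloudformation:stack-name": "CustomerStack-DR"}}

# Constructed inventory: instance id -> tags. Both stacks tag UsedBy=Kyvos,
# which is exactly the overlap the old condition could not distinguish.
INSTANCES = {
    "i-0dr0001": {"UsedBy": "Kyvos", "aws:cloudformation:stack-name": "CustomerStack-DR"},
    "i-0prod01": {"UsedBy": "Kyvos", "aws:cloudformation:stack-name": "CustomerStack"},
    "i-0other1": {"Team": "analytics"},
}

TAG_PREFIX = "ec2:ResourceTag/"


def condition_matches(condition, tags):
    """Evaluate an IAM Condition block against one resource's tags.

    A tag that is absent from the resource never matches, which is how IAM
    treats a missing condition key for these operators.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if not key.startswith(TAG_PREFIX):
                raise ValueError(f"unsupported condition key: {key}")
            actual = tags.get(key[len(TAG_PREFIX):])
            if actual is None:
                return False
            if operator == "StringEquals":
                ok = actual == expected
            elif operator == "StringEqualsIgnoreCase":
                ok = actual.lower() == expected.lower()
            else:
                raise ValueError(f"unsupported operator: {operator}")
            if not ok:
                return False
    return True


def allowed_instances(condition, instances=INSTANCES):
    """Sorted ids of the instances the statement would allow start/stop on."""
    return sorted(i for i, tags in instances.items() if condition_matches(condition, tags))


if __name__ == "__main__":
    print("old condition allows:", allowed_instances(OLD_CONDITION))  # DR and prod
    print("new condition allows:", allowed_instances(NEW_CONDITION))  # DR only
```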

Copyright Kyvos, Inc. All rights reserved.