document aws permissions

_sphinx_config/pages/interaction/aws_prep.rst

@@ -0,0 +1,56 @@
+AWS Setup
+####################
+
+Security
+**********************
+
+Create a Security Group for the region
+===========================================================
+
+* Test this group!
+* Create a security group for the project/region
+
+  * inbound rules allow:
+
+    * Custom TCP, port 8000
+    * Custom TCP, port 8080
+    * HTTPS, port 80
+    * HTTPS, port 443
+    * SSH, port 22
+
+  * Consider restricting SSH to campus
+
+* or use launch-wizard-1 security group (created by some EC2 instance creation in 2023)
+
+  * inbound rules IPv4:
+
+    * Custom TCP 8000
+    * Custom TCP 8080
+    * SSH 22
+    * HTTP 80
+    * HTTPS 443
+
+  * outbound rules IPv4, IPv6:
+
+    * All traffic all ports
+
+Create an Policies for the EC2/S3 interaction
+===========================================================
+
+* Create a Policy for EC2 instance access to S3
+
+  * bison_s3_policy
+  * allowing s3:ListBucket, s3:GetBucket, s3:GetObject, and s3:object-lambda
+  * to the Bison bucket and input, output, log, and summary subfolders.
+  * Make sure to add each subfolder - permissions are not recursive.
+
+* Create a Policy for Redshift / S3 access interaction
+
+
+  2. Trusted entity type = AWS service, Use Case = S3.
+
+  3. Add permissions
+
+    * specnet_S3bucket_FullAccess
+
+  4. Save and name role (specnet_ec2_role)

aws/permissions/bison_ec2_s3_role_trust_policy.json

@@ -0,0 +1,15 @@
+{
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Effect": "Allow",
+			"Principal": {
+				"Service": [
+					"ec2.amazonaws.com",
+					"s3.amazonaws.com"
+				]
+			},
+			"Action": "sts:AssumeRole"
+		}
+	]
+}

aws/permissions/bison_redshift_glue_policy.json

@@ -0,0 +1,34 @@
+{
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Sid": "RWRedshiftData",
+			"Effect": "Allow",
+
+			"Action": [
+				"glue:CreateDatabase",
+				"glue:DeleteDatabase",
+				"glue:GetDatabase",
+				"glue:GetDatabases",
+				"glue:UpdateDatabase",
+				"glue:CreateTable",
+				"glue:DeleteTable",
+				"glue:BatchDeleteTable",
+				"glue:UpdateTable",
+				"glue:GetTable",
+				"glue:GetTables",
+				"glue:BatchCreatePartition",
+				"glue:CreatePartition",
+				"glue:DeletePartition",
+				"glue:BatchDeletePartition",
+				"glue:UpdatePartition",
+				"glue:GetPartition",
+				"glue:GetPartitions",
+				"glue:BatchGetPartition"
+			],
+			"Resource": [
+				"*"
+			]
+		}
+	]
+}

aws/permissions/bison_s3_policy.json

@@ -0,0 +1,49 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+			"Sid": "GetPublicData",
+			"Effect": "Allow",
+			"Action": [
+				"s3:GetBucketLocation",
+				"s3:GetObject",
+				"s3:ListMultipartUploadParts",
+				"s3:ListBucket",
+				"s3:ListBucketMultipartUploads"
+			],
+			"Resource": [
+				"*"
+			]
+		},
+        {
+			"Sid": "RWBisonData",
+            "Effect": "Allow",
+            "Action": [
+                "s3:GetBucket*",
+                "s3:ListBucket*",
+                "s3:ListAllMyBuckets",
+                "s3:ListBucketMultipartUploads",
+                "s3:PutBucketAcl",
+                "s3:PutBucketCors",
+
+                "s3:GetObject",
+                "s3:PutObject",
+                "s3:DeleteObject",
+
+                "s3:GetEncryptionConfiguration",
+                "s3:ListMultipartUploadParts",
+                "s3:AbortMultipartUpload",
+
+                "s3-object-lambda:*"
+            ],
+            "Resource": [
+                "arn:aws:s3:::bison-321942852011-us-east-1",
+                "arn:aws:s3:::bison-321942852011-us-east-1/*",
+                "arn:aws:s3:::bison-321942852011-us-east-1/input/*",
+                "arn:aws:s3:::bison-321942852011-us-east-1/output/*",
+                "arn:aws:s3:::bison-321942852011-us-east-1/summary/*",
+                "arn:aws:s3:::bison-321942852011-us-east-1/log/*"
+            ]
+        }
+    ]
+}

aws/permissions/roles.txt

@@ -0,0 +1,17 @@
+bison_redshift_s3_role:
+
+* Trusted entity type: AWS Service
+* for Redshift - Customizable
+* TODO: change to Redshift - Scheduler when automated
+* bison_s3_policy (read public/GBIF S3 data and read/write bison S3 data)
+* bison_redshift_glue_policy.json (for Redshift interactions)
+* AmazonRedshiftAllCommandsFullAccess (AWS managed)
+* AmazonS3FullAccess (AWS managed)
+
+bison_ec2_s3_role:
+
+* Trusted entity type: AWS Service
+* for S3
+* bison_s3_policy.json (read public/GBIF S3 data and read/write bison S3 data)
+* SecretsManagerReadWrite (AWS managed)
+* bison_ec2_s3_role_trust_policy.json edit trust policy for both ec2 and s3

requirements.txt

@@ -1,11 +1,11 @@
 # gdal (must be in system python, fails in virtenv)
 flask
-gunicorn==20.1.0
+gunicorn>=22.0.0
 numpy
 scipy
 pandas
 requests
-Werkzeug==2.2.2
+Werkzeug>=3.0.3
 rtree
 # AWS
 awscli