diff --git a/content/operate/rc/accounts/account-settings.md b/content/operate/rc/accounts/account-settings.md index 9d8547220..f79d3898c 100644 --- a/content/operate/rc/accounts/account-settings.md +++ b/content/operate/rc/accounts/account-settings.md @@ -20,7 +20,7 @@ The available tabs depend on your subscription type and may include: - The **Account** tab displays basic information associated with your account, including general info, address details, time zone setting, security settings, and provider integration details. -- The **Cloud Account** tab is displayed if you have self-hosted Pro subscriptions on Amazon Web Services (AWS). To learn more, see [Manage AWS cloud accounts]({{< relref "/operate/rc/cloud-integrations/aws-cloud-accounts/" >}}). +- The **Cloud Account** tab is displayed for Redis Cloud Pro subscriptions hosted on Amazon Web Services (AWS). To learn more, see [Bring your own Cloud]({{< relref "/operate/rc/subscriptions/bring-your-own-cloud/" >}}). - The **Integrations** tab lets you manage certain integrations. For more information on the Confluent Cloud integration, see [Use the Redis Sink Confluent Connector]({{< relref "/integrate/confluent-with-redis-cloud/" >}}). diff --git a/content/operate/rc/cloud-integrations/aws-cloud-accounts/iam-resources/aws-console.md b/content/operate/rc/cloud-integrations/aws-cloud-accounts/iam-resources/aws-console.md deleted file mode 100644 index 640700a28..000000000 --- a/content/operate/rc/cloud-integrations/aws-cloud-accounts/iam-resources/aws-console.md +++ /dev/null 
@@ -1,217 +0,0 @@ ---- -LinkTitle: AWS console -Title: Create IAM resources using AWS console -alwaysopen: false -categories: -- docs -- operate -- rc -weight: $weight ---- -To manually create IAM resources using the [AWS console](https://console.aws.amazon.com/), follow these steps. - -## Step 1: Create the IAM instance policy - -First, create a policy to use for the new instance role: - - - -1. In the AWS IAM console, go to **Policies** > **Create policy**. -1. In the **JSON** tab, paste the contents of the RedisLabsInstanceRolePolicy.json policy file, shown here: - - {{< expand "View RedisLabsInstanceRolePolicy.json" >}} -```js -{ - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "Ec2DescribeAll", - "Effect": "Allow", - "Action": "ec2:Describe*", - "Resource": "*" - }, - { - "Sid": "GetUserInfo", - "Effect": "Allow", - "Action": [ - "iam:GetUser", - "iam:GetUserPolicy" - ], - "Resource": "arn:aws:iam::*:user/${aws:username}" - }, - { - "Sid": "RolePolicyUserReadActions", - "Effect": "Allow", - "Action": [ - "iam:GetRole", - "iam:GetPolicy", - "iam:ListUsers", - "iam:ListPolicies", - "iam:ListRolePolicies", - "iam:ListAttachedRolePolicies", - "iam:ListInstanceProfiles", - "iam:ListInstanceProfilesForRole", - "iam:SimulatePrincipalPolicy" - ], - "Resource": "*" - }, - { - "Sid": "KeyPairActions", - "Effect": "Allow", - "Action": [ - "ec2:CreateKeyPair", - "ec2:DeleteKeyPair", - "ec2:ImportKeyPair" - ], - "Resource": "*" - }, - { - "Sid": "CreateInstancesSnapshotsVolumesAndTags", - "Effect": "Allow", - "Action": [ - "ec2:CreateVolume", - "ec2:AttachVolume", - "ec2:StartInstances", - "ec2:RunInstances", - "ec2:CreateSnapshot", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Resource": "*" - }, - { - "Sid": "PassRlClusterNodeRole", - "Effect": "Allow", - "Action": "iam:PassRole", - "Resource": "arn:aws:iam::*:role/redislabs-cluster-node-role" - }, - { - "Sid": "ResourceAccessManagerActions", - "Effect": "Allow", - "Action": [ - 
"ram:AcceptResourceShareInvitation", - "ram:GetResourceShares", - "ram:RejectResourceShareInvitation", - "ram:GetResourceShareInvitations", - "ram:DisassociateResourceShare" - ], - "Resource": "*" - }, - { - "Sid": "NetworkAccess", - "Effect": "Allow", - "Action": [ - "ec2:*Vpc*", - "ec2:*VpcPeering*", - "ec2:*Subnet*", - "ec2:*Gateway*", - "ec2:*Vpn*", - "ec2:*Route*", - "ec2:*Address*", - "ec2:*SecurityGroup*", - "ec2:*NetworkAcl*", - "ec2:*DhcpOptions*" - ], - "Resource": "*" - }, - { - "Sid": "DeleteInstancesVolumesSnapshotsAndTagsWithIdentiferTag", - "Effect": "Allow", - "Action": [ - "ec2:RebootInstances", - "ec2:StopInstances", - "ec2:TerminateInstances", - "ec2:DeleteSnapshot", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:DeleteTags" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC" - } - } - }, - { - "Sid": "CreateAndChangeServiceLinkedRoleForTransitGateway", - "Effect": "Allow", - "Action": "iam:CreateServiceLinkedRole", - "Resource": "arn:aws:iam::*:role/aws-service-role/transitgateway.amazonaws.com/AWSServiceRoleForVPCTransitGateway*", - "Condition": {"StringLike": {"iam:AWSServiceName": "transitgateway.amazonaws.com"}} - }, - { - "Effect": "Allow", - "Action": [ - "iam:AttachRolePolicy", - "iam:PutRolePolicy" - ], - "Resource": "arn:aws:iam::*:role/aws-service-role/transitgateway.amazonaws.com/AWSServiceRoleForVPCTransitGateway*" - } - ] -} -``` - {{< /expand >}} - - -1. Validate it and then select **Review Policy**. -1. Enter **RedisLabsInstanceRolePolicy** as the policy name and then select **Create Policy**. - -## Step 2: Create the service role - -To create the role that uses the policy: - - - -1. In the AWS IAM console, go to **Roles** and click **Create Role**. -1. Select **AWS Service** as the trusted entity, **EC2** as the service - and use case, and click **Next: Permissions**. -1. 
Enter `RedisLabsInstanceRolePolicy` in the search box to look up the policy we just created, - select it, and click **Next: Review**. -1. Name the role `redislabs-cluster-node-role` and click **Create Role**. - -## Step 3: Create the user policy - -Now create a policy to assign to the user: - - - -1. In the AWS IAM console, go to **Policies** > **Create policy**. -1. In the **JSON** tab, paste the contents of the RedisLabsIAMUserRestrictedPolicy.json policy file. - - {{< expand "View RedislabsIAMUserRestrictedPolicy.json" >}} -{{% code-include file="rv/RedisLabsIAMUserRestrictedPolicy.json" language="js" %}} - {{< /expand >}} - -1. Validate the policy and click **Review Policy**. -1. Enter `RedislabsIAMUserRestrictedPolicy` as the policy name and click **Create Policy**. - -## Step 4: Create the programmatic access user - -Create a user and attach the policy you created: - - - -1. In the AWS IAM console, go to **Users** > select **Add user**. -1. Name it `redislabs-user` and check only the **Programmatic access** checkbox. -1. Click **Next: Permissions**. -1. Select **Attach existing policies directly** and select - **RedislabsIAMUserRestrictedPolicy** from the list. -1. Click **Next: Review**. -1. Click **Create user**. -1. Download the user credentials and store them in a secure location. - -## Step 5: Create the console access role - -Last, create a role and attach the policy you created: - - - -1. In the AWS IAM console, go to **Roles** > select **Create role**. -1. Select **Another AWS account**. -1. Under **Account ID**, enter account number `168085023892` (Redis Cloud's AWS account). -1. Under Options, check the **Require MFA** checkbox only. *Do not check Require external ID*. -1. Click **Next: Permissions**. -1. Attach the policy **RedisLabsIAMUserRestrictedPolicy** to the role. -1. Click **Next: Review**. -1. Name the role `redislabs-role` and then click **Create role**. 
diff --git a/content/operate/rc/databases/configuration/high-availability.md b/content/operate/rc/databases/configuration/high-availability.md index bb264ddee..ca1067d5e 100644 --- a/content/operate/rc/databases/configuration/high-availability.md +++ b/content/operate/rc/databases/configuration/high-availability.md @@ -62,7 +62,7 @@ You can reduce network transfer costs and network latency by ensuring your Redis To specify the availability zone(s) for your cluster, [create your Pro database with custom settings]({{< relref "/operate/rc/databases/create-database/create-pro-database-new" >}}), and select *Manual Selection* under **Allowed Availability Zones** in **Advanced options**. -For Google Cloud clusters and [self-managed AWS cloud accounts]({{< relref "/operate/rc/cloud-integrations/aws-cloud-accounts/" >}}), select an availability zone from the **Zone name** list. +For Google Cloud clusters and [Redis Cloud BYOC]({{< relref "/operate/rc/subscriptions/bring-your-own-cloud/" >}}), select an availability zone from the **Zone name** list. {{Select one availability zone when Multi-AZ is turned off.}} diff --git a/content/operate/rc/databases/create-database/create-pro-database-new.md b/content/operate/rc/databases/create-database/create-pro-database-new.md index fd5f885a0..dd0c0b64e 100644 --- a/content/operate/rc/databases/create-database/create-pro-database-new.md +++ b/content/operate/rc/databases/create-database/create-pro-database-new.md @@ -129,8 +129,8 @@ The following settings are defined in the **Advanced options** of the **Setup** |---|---| | **Multi-AZ** | Determines if replication spans multiple Availability Zones, which provides automatic failover when problems occur. See [High Availability]({{< relref "/operate/rc/databases/configuration/high-availability" >}}). | | **Allowed Availability Zones** | The availability zones for your selected region.

If you choose **Manual selection**, you must select at least one zone ID from the **Zone IDs** list. For more information, see [Availability zones]({{< relref "/operate/rc/databases/configuration/high-availability#availability-zones" >}}). | -| **Cloud account** | To deploy these databases to an existing cloud account, select it here. Use the **Add** button to add a new cloud account.

(Available only if [self-managed cloud vendor accounts]({{< relref "/operate/rc/cloud-integrations/aws-cloud-accounts" >}}) are enabled) | -| **VPC configuration** | Select **In a new VPC** to deploy to a new [virtual private cloud](https://en.wikipedia.org/wiki/Virtual_private_cloud) (VPC).

To deploy these databases to an existing virtual private cloud, select **In existing VPC** and then set VPC ID to the appropriate ID value.

(Available only if [self-managed cloud vendor accounts]({{< relref "/operate/rc/cloud-integrations/aws-cloud-accounts" >}}) are enabled) | +| **Cloud account** | To deploy these databases to an existing cloud account, select it here. Use the **Add** button to add a new cloud account.

(Available only if [Redis Cloud Bring your own Cloud]({{< relref "/operate/rc/subscriptions/bring-your-own-cloud" >}}) is enabled) | +| **VPC configuration** | Select **In a new VPC** to deploy to a new [virtual private cloud](https://en.wikipedia.org/wiki/Virtual_private_cloud) (VPC).

To deploy these databases to an existing virtual private cloud, select **In existing VPC** and then set VPC ID to the appropriate ID value.

(Available only if [Redis Cloud Bring your own Cloud]({{< relref "/operate/rc/subscriptions/bring-your-own-cloud" >}}) is enabled) | | **Deployment CIDR** | The [CIDR](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) range of IP addresses for your deployment. Redis creates a new [subnet](https://en.wikipedia.org/wiki/Subnetwork) for the **Deployment CIDR** in your [virtual private cloud](https://en.wikipedia.org/wiki/Virtual_private_cloud) (VPC). It cannot overlap with the CIDR ranges of other subnets used by your account.

For deployments in an existing VPC, the **Deployment CIDR** must be within your VPC's **primary** CIDR range (secondary CIDRs are not supported). | | **Auto Tiering**| Determines if your databases are stored only in memory (RAM) or are split between memory and Flash storage (RAM+Flash). See [Auto Tiering]({{< relref "/operate/rs/databases/auto-tiering/" >}})| | **Maintenance windows** | Determines when Redis can perform [maintenance]({{< relref "/operate/rc/subscriptions/maintenance" >}}) on your databases. Select **Manual** if you want to set [manual maintenance windows]({{< relref "/operate/rc/subscriptions/maintenance/set-maintenance-windows" >}}). | diff --git a/content/operate/rc/security/aws-transit-gateway.md b/content/operate/rc/security/aws-transit-gateway.md index 1c69d8ee3..845f68eda 100644 --- a/content/operate/rc/security/aws-transit-gateway.md +++ b/content/operate/rc/security/aws-transit-gateway.md @@ -51,7 +51,7 @@ Before you can set up Transit Gateway, you need to: 1. [Create a transit gateway](https://docs.aws.amazon.com/vpc/latest/tgw/create-tgw.html) from the [AWS VPC console](https://console.aws.amazon.com/vpc/) in the same region as your database. {{< note >}} -If you have a self-managed AWS account, you will need to set its IAM Instance Policy to include Transit Gateway. See [Create IAM resources using the AWS console]({{< relref "/operate/rc/cloud-integrations/aws-cloud-accounts/iam-resources/aws-console.md" >}}) (deprecated) for more information. +If you use Redis Cloud Bring your own Cloud, you will need to set its IAM Instance Policy to include Transit Gateway. See [Create IAM resources using the AWS console]({{< relref "/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/aws-console.md" >}}) for more information. {{< /note >}} ## AWS Transit Gateway 
diff --git a/content/operate/rc/subscriptions/bring-your-own-cloud/_index.md b/content/operate/rc/subscriptions/bring-your-own-cloud/_index.md new file mode 100644 index 000000000..085bd0e8e --- /dev/null +++ b/content/operate/rc/subscriptions/bring-your-own-cloud/_index.md 
@@ -0,0 +1,64 @@ +--- +LinkTitle: Bring your own Cloud +Title: Redis Cloud Bring your own Cloud +alwaysopen: false +categories: +- docs +- operate +- rc +description: Describes how to provision your Redis Cloud subscription to use an existing + cloud provider account. +bannerText: This article is for Redis Cloud Bring your Own Cloud (BYOC). If you're interested in Redis Cloud BYOC, [contact sales](https://redis.io/meeting/). +bannerChildren: true +hideListLinks: true +weight: 80 +aliases: + - /operate/rc/how-to/view-edit-cloud-account + - /operate/rc/cloud-accounts + - /operate/rc/cloud-integrations/aws-cloud-accounts +--- + +Redis Cloud Bring your own Cloud (BYOC) allows organizations to use their own cloud infrastructure to deploy Redis Cloud. + +By default, Redis is responsible for the infrastructure that runs Redis Cloud. However, if your organization has specific requirements, you may want to have more control over your data residency or security options. Redis Cloud BYOC lets you fulfill these requirements while keeping the managed service experience of Redis Cloud. Like standard Redis Cloud, Redis handles deployment, scaling, monitoring, and support, so you can focus on building applications while Redis manages the backend. + +If you're interested in Redis Cloud BYOC, [contact sales](https://redis.io/meeting/). + +## Benefits of Redis Cloud BYOC + +Redis Cloud BYOC has some benefits over standard Redis Cloud: + +- **Full Data Control**: All data stays within your environment, giving you complete control over data security and reducing risks associated with data sovereignty. +- **Simplified Compliance**: BYOC simplifies adherence to regulatory standards like GDPR, HIPAA, and compliance frameworks like SOC 2 and PCI DSS since data remains within the your own cloud account. +- **Maximize Cloud Commitments**: Infrastructure costs are billed directly through your cloud provider account, enabling you to fully utilize existing commitments. 
+- **Separation of Costs**: Customers pay Redis only for licensing and management, while infrastructure costs go directly to the cloud provider, offering clear visibility into each cost stream. +- **Instant Access Control**: You can revoke Redis’ access to your environment at any time, offering complete control over data and infrastructure. + +## Redis Cloud BYOC Use cases + +Consider using Redis Cloud BYOC if you have specific organizational needs or requirements, such as: + +- **Data Residency and Compliance**: Organizations operating in heavily regulated industries (such as finance, healthcare, and government) can use Redis Cloud BYOC to meet strict data residency and sovereignty requirements, ensuring sensitive data remains within their controlled environments. +- **Cloud spend optimization**: Companies with significant cloud provider commitments can use Redis Cloud BYOC to optimize their cloud spend. Since infrastructure costs are billed directly through the cloud provider, customers can fully utilize existing cloud provider discounts, improving cost efficiency. +- **Enhanced Security and Control**: Redis Cloud BYOC is ideal for organizations that require a higher degree of security and control over their data. By keeping data within your own cloud account and leveraging existing security policies, tools, and procedures on your cloud’s security infrastructure, you are able to minimize external access to your data, and adhere to more strict organizational security guidelines. + +## Set up Redis Cloud BYOC + +To set up Redis Cloud BYOC on Amazon Web Services (AWS): + +1. [Create the Identity and Access Management (IAM) resources]({{< relref "/operate/rc/subscriptions/bring-your-own-cloud/iam-resources" >}}) needed to let Redis create, monitor, and maintain deployment infrastructure. + +1. [Set your AWS Account as a BYOC Cloud account]({{< relref "/operate/rc/subscriptions/bring-your-own-cloud/cloud-account-settings" >}}) on Redis Cloud. 
+ +## Avoid Redis Cloud BYOC service disruption {#avoid-service-disruption} + +{{< warning >}} +Failing to follow the instructions in this section will cause your databases to become inaccessible, and Redis will not be able to ensure cluster and database stability. Please read them carefully. +{{< /warning >}} + +To keep your Redis Cloud BYOC service and all databases running without issues: +- Do not stop, delete, or modify Redis-managed resources through the cloud provider - including VPCs, subnets, virtual machines, and other infrastructure. +- Do not change roles or access policies. + +If you make any infrastructure changes, whether or not they are listed above, it may violate our SLA commitments. See [Appendix 1 in our Terms of Service](https://redis.io/legal/cloud-tos/#Appendix-1) for more details. + diff --git a/content/operate/rc/cloud-integrations/aws-cloud-accounts/_index.md b/content/operate/rc/subscriptions/bring-your-own-cloud/cloud-account-settings.md similarity index 76% rename from content/operate/rc/cloud-integrations/aws-cloud-accounts/_index.md rename to content/operate/rc/subscriptions/bring-your-own-cloud/cloud-account-settings.md index b947783aa..8510aac65 100644 --- a/content/operate/rc/cloud-integrations/aws-cloud-accounts/_index.md +++ b/content/operate/rc/subscriptions/bring-your-own-cloud/cloud-account-settings.md 
@@ -1,41 +1,29 @@ --- -LinkTitle: AWS cloud accounts -Title: Manage AWS cloud accounts -alwaysopen: false -bannerChildren: true -bannerText: Self-managed AWS accounts are deprecated, so this article has been archived. +Title: Create and edit Cloud accounts +LinkTitle: Create and edit Cloud accounts categories: - docs - operate - rc -description: Describes how to provision your Redis Cloud subscription to use existing - cloud provider accounts. -hidden: true +description: null hideListLinks: true -weight: 40 -aliases: - - /operate/rc/how-to/view-edit-cloud-account - - /operate/rc/cloud-accounts +weight: 2 --- -Many customers use cloud provider accounts provisioned and maintained by Redis. +Redis Cloud Bring your own Cloud (BYOC) allows organizations to use their own cloud infrastructure to deploy Redis Cloud. -Customers with existing Amazon Web Services (AWS) accounts can provision their Redis Cloud Pro subscriptions to use their existing AWS accounts. - -To do so, you associate your existing AWS account as a _cloud account_ for your subscription. This requires setting up and entering credentials that enable monitoring, maintenance, and technical support of your subscription. +You can associate your existing AWS account as a _cloud account_ for your subscription. This requires setting up and entering credentials that enable monitoring, maintenance, and technical support of your subscription. To do this, you need: 1. A programmatic user with an access key and a secret access key for that user. 1. A console role that allows administrative access to the cloud account. -These resources need to exist before adding the cloud account to your subscription. To learn more, see [Create IAM resources]({{< relref "/operate/rc/cloud-integrations/aws-cloud-accounts/iam-resources" >}}). +You need to create these resources before adding the cloud account to your subscription. 
To learn more, see [Create IAM resources]({{< relref "/operate/rc/subscriptions/bring-your-own-cloud/iam-resources" >}}). -{{}} -Once an AWS account has been configured as a cloud account, you must _not_: -- Manually change the configuration of required resources, such as security groups
-- Manually suspend or stop (terminate) provisioned resources
-{{
}} +{{}} +After an AWS account has been configured as a cloud account, you **must not** change the configurations of provisioned resources or stop or terminate provisioned instances. If you do, your databases will be inaccessible and Redis will not be able to ensure database stability. See [Avoid service disruption]({{< relref "/operate/rc/subscriptions/bring-your-own-cloud/cloud-account-settings#avoid-service-disruption" >}}) for more details. +{{}} ## View cloud account settings @@ -88,7 +76,7 @@ If the **Add account** button is inactive, verify that: - The resources exist in your AWS account - Each resource provides the required level of access -For help, see [Create IAM resources]({{< relref "/operate/rc/cloud-integrations/aws-cloud-accounts/iam-resources" >}}). +For help, see [Create IAM resources]({{< relref "/operate/rc/subscriptions/bring-your-own-cloud/iam-resources" >}}). ## Edit cloud account details @@ -112,7 +100,7 @@ Use the **Update account** button to save your changes. {{Use the Update account button to save the updated cloud account details.}} -## Delete cloud account details +## Delete cloud account To remove a cloud account from your Redis cloud subscription, select the cloud account from the **Cloud account** tab and then select the **Delete** button. @@ -122,4 +110,4 @@ To remove a cloud account from your Redis cloud subscription, select the cloud a We strongly recommend using dedicated identity and access management (IAM) resources to manage your AWS cloud accounts. These resources should not be shared with any other task, account, or process. -To learn more, see [Create IAM resources for AWS cloud accounts]({{< relref "/operate/rc/cloud-integrations/aws-cloud-accounts/iam-resources" >}}). +To learn more, see [Create IAM resources for AWS cloud accounts]({{< relref "/operate/rc/subscriptions/bring-your-own-cloud/iam-resources" >}}). \ No newline at end of file 
diff --git a/content/operate/rc/cloud-integrations/aws-cloud-accounts/iam-resources/_index.md b/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/_index.md similarity index 57% rename from content/operate/rc/cloud-integrations/aws-cloud-accounts/iam-resources/_index.md rename to content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/_index.md index 870a9b9fe..cdcbe14f0 100644 --- a/content/operate/rc/cloud-integrations/aws-cloud-accounts/iam-resources/_index.md +++ b/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/_index.md @@ -7,9 +7,9 @@ categories: description: null hideListLinks: true linkTitle: Create IAM resources -weight: $weight +weight: 1 --- -For most Redis Cloud Pro databases deployed to Amazon Web Services (AWS), we manage the supporting infrastructure for you in dedicated AWS accounts. +For Redis Cloud Bring your Own Cloud (BYOC) on Amazon Web Services (AWS), we manage the supporting infrastructure for you in dedicated AWS accounts. You can manage this infrastructure with your own AWS accounts. 
@@ -22,21 +22,18 @@ In the new AWS account, you need to create: - A user with an **access key** - A role that grants **AWS console access** -Save the access key in a secure location so that you can enter it when you [register the cloud account]({{< relref "/operate/rc/cloud-integrations/aws-cloud-accounts/" >}}) with your the Redis Cloud subscription. +Save the access key in a secure location so that you can enter it when you [register the cloud account]({{< relref "/operate/rc/subscriptions/bring-your-own-cloud/cloud-account-settings" >}}) with your Redis Cloud subscription. {{< warning >}} We use the provided credentials to configure your AWS environment and provision required resources. -To make sure that we can manage your AWS resources, you must not: - -- Manually change the configurations of provisioned resources, such as security groups -- Manually stop or terminate provisioned instances +You **must not** change the configurations of provisioned resources or stop or terminate provisioned instances. If you do, your databases will be inaccessible and Redis will not be able to ensure database stability. See [Avoid service disruption]({{< relref "/operate/rc/subscriptions/bring-your-own-cloud/cloud-account-settings#avoid-service-disruption" >}}) for more details. {{< /warning >}} For help creating an AWS user, see the [AWS IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html). 
You can use one of the following tools to create IAM resources: -- [CloudFormation]({{< relref "/operate/rc/cloud-integrations/aws-cloud-accounts/iam-resources/cloudformation.md" >}}) - The AWS automation tool -- [Terraform]({{< relref "/operate/rc/cloud-integrations/aws-cloud-accounts/iam-resources/terraform.md" >}}) - Widely supported in the Redis community for additional automation -- The [AWS Console]({{< relref "/operate/rc/cloud-integrations/aws-cloud-accounts/iam-resources/aws-console.md" >}}) +- [CloudFormation]({{< relref "/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/cloudformation" >}}) +- [Terraform]({{< relref "/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/terraform" >}}) +- The [AWS Console]({{< relref "/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/aws-console" >}}) diff --git a/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/aws-console.md b/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/aws-console.md new file mode 100644 index 000000000..dee2bc7d5 --- /dev/null +++ b/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/aws-console.md 
@@ -0,0 +1,394 @@ +--- +LinkTitle: AWS console +Title: Create IAM resources using AWS console +alwaysopen: false +categories: +- docs +- operate +- rc +weight: $weight +--- +Follow these steps to manually create IAM resources using the [AWS console](https://console.aws.amazon.com/). + +{{< warning >}} +We use the provided credentials to configure your AWS environment and provision required resources. + +You **must not** change the configurations of provisioned resources or stop or terminate provisioned instances. If you do, your databases will be inaccessible and Redis will not be able to ensure database stability. See [Avoid service disruption]({{< relref "/operate/rc/subscriptions/bring-your-own-cloud/cloud-account-settings#avoid-service-disruption" >}}) for more details. +{{< /warning >}} + +## Step 1: Create the IAM instance policy + +First, create a policy to use for the new instance role: + + + +1. In the AWS IAM console, go to **Policies** > **Create policy**. +1. In the **JSON** tab, paste the contents of the RedisLabsInstanceRolePolicy.json policy file, shown here: + + {{< expand "View RedisLabsInstanceRolePolicy.json" >}} +```js + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "DescribeReadOnlyEc2Resources", + "Effect": "Allow", + "Action": [ + "ec2:DescribeAvailabilityZones", + "ec2:DescribeRegions", + "ec2:DescribeSecurityGroups", + "ec2:DescribeTags", + "ec2:DescribeVolumes" + ], + "Resource": [ + "*" + ] + }, + { + "Sid": "EC2EBSActions", + "Effect": "Allow", + "Action": [ + "ec2:AttachVolume", + "ec2:CreateVolume" + ], + "Resource": [ + "*" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC" + } + } + }, + { + "Sid": "SecurityGroupAccessActions", + "Effect": "Allow", + "Action": [ + "ec2:AuthorizeSecurityGroupIngress", + "ec2:DeleteSecurityGroup", + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC" + } + } + }, + { + "Sid": 
"TagResourcesCreation", + "Effect": "Allow", + "Action": [ + "ec2:CreateTags" + ], + "Resource": [ + "*" + ] + }, + { + "Sid": "TagResourcesDelete", + "Effect": "Allow", + "Action": [ + "ec2:DeleteTags" + ], + "Resource": [ + "*" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC" + } + } + } + ] + } +``` + {{< /expand >}} + + +1. Validate it and then select **Review Policy**. +1. Enter **RedisLabsInstanceRolePolicy** as the policy name and then select **Create Policy**. + +## Step 2: Create the service role + +To create the role that uses the policy: + + + +1. In the AWS IAM console, go to **Roles** and click **Create Role**. +1. Select **AWS Service** as the trusted entity, **EC2** as the service + and use case, and click **Next: Permissions**. +1. Enter `RedisLabsInstanceRolePolicy` in the search box to look up the policy we just created, + select it, and click **Next: Review**. +1. Name the role `redislabs-cluster-node-role` and click **Create Role**. + +## Step 3: Create the user policy + +Now create a policy to assign to the user: + + + +1. In the AWS IAM console, go to **Policies** > **Create policy**. +1. In the **JSON** tab, paste the contents of the RedisLabsIAMUserRestrictedPolicy.json policy file. 
+ + {{< expand "View RedislabsIAMUserRestrictedPolicy.json" >}} +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "DescribeReadOnlyEc2Resources", + "Effect": "Allow", + "Action": [ + "ec2:DescribeAvailabilityZones", + "ec2:DescribeInstanceTypeOfferings", + "ec2:DescribeRegions", + "ec2:DescribeInstances", + "ec2:DescribeVolumes", + "ec2:DescribeSnapshots", + "ec2:DescribeVpcs", + "ec2:DescribeSubnets", + "ec2:DescribeSecurityGroups", + "ec2:DescribeRouteTables", + "ec2:DescribeInternetGateways", + "ec2:DescribeImages", + "ec2:DescribeTransitGatewayVpcAttachments", + "ec2:DescribeVpcPeeringConnections" + ], + "Resource": "*" + }, + { + "Sid": "CloudWatchReadOnly", + "Effect": "Allow", + "Action": [ + "cloudwatch:Describe*", + "cloudwatch:Get*", + "cloudwatch:List*" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC" + } + } + }, + { + "Sid": "IamUserOperations", + "Effect": "Allow", + "Action": [ + "iam:GetUser", + "iam:GetUserPolicy", + "iam:ChangePassword" + ], + "Resource": "arn:aws:iam::*:user/${aws:username}" + }, + { + "Sid": "PassRlClusterNodeRole", + "Effect": "Allow", + "Action": "iam:PassRole", + "Resource": "arn:aws:iam::*:role/redislabs-cluster-node-role" + }, + { + "Sid": "IAMRoleReadAccess", + "Effect": "Allow", + "Action": [ + "iam:GetRole", + "iam:GetPolicy", + "iam:ListRolePolicies", + "iam:ListAttachedRolePolicies", + "iam:ListInstanceProfiles", + "iam:ListInstanceProfilesForRole", + "iam:SimulatePrincipalPolicy" + ], + "Resource": [ + "arn:aws:iam::*:role/Redislabs-*", + "arn:aws:iam::*:policy/Redislabs-*" + ] + }, + { + "Sid": "CreateEc2ResourcesWithoutTag", + "Effect": "Allow", + "Action": [ + "ec2:CreateTags", + "ec2:RunInstances", + "ec2:ImportKeyPair", + "ec2:CreateKeyPair", + "ec2:CreateVpc", + "ec2:CreateSecurityGroup", + "ec2:CreateInternetGateway", + "ec2:CreateRouteTable", + "ec2:CreateSubnet" + ], + "Resource": "*" + }, + { + "Sid": 
"ForceUnderlyingResourcesToHaveIdentifierTags", + "Effect": "Deny", + "Action": [ + "ec2:RunInstances", + "ec2:CreateKeyPair" + ], + "Resource": [ + "arn:aws:ec2:*:*:instance/*", + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:keypair/*" + ], + "Condition": { + "Null": { + "aws:RequestTag/RedisLabsIdentifier": "true" + } + } + }, + { + "Sid": "DenyCreateVpcWithoutRequiredTag", + "Effect": "Deny", + "Action": [ + "ec2:CreateVpc" + ], + "Resource": "*", + "Condition": { + "Null": { + "aws:RequestTag/RedisLabsIdentifier": "true" + } + } + }, + { + "Sid": "AllowVpcPeeringManagement", + "Effect": "Allow", + "Action": [ + "ec2:CreateVpcPeeringConnection", + "ec2:AcceptVpcPeeringConnection" + ], + "Resource": "*" + }, + { + "Sid": "AllowVpcPeeringDeletion", + "Effect": "Allow", + "Action": [ + "ec2:DeleteVpcPeeringConnection" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC" + } + } + }, + { + "Sid": "CreateEc2Resources", + "Effect": "Allow", + "Action": [ + "ec2:CreateVolume", + "ec2:CreateSnapshot", + "ec2:ImportKeyPair", + "ec2:AttachInternetGateway", + "ec2:CreateRoute", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:AuthorizeSecurityGroupEgress" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC" + } + } + }, + { + "Sid": "ModifyEc2Resources", + "Effect": "Allow", + "Action": [ + "ec2:AttachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifySubnetAttribute", + "ec2:AssociateRouteTable", + "ec2:StartInstances", + "ec2:StopInstances", + "ec2:RebootInstances" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC" + } + } + }, + { + "Sid": "DeleteEc2Resources", + "Effect": "Allow", + "Action": [ + "ec2:TerminateInstances", + "ec2:DeleteVolume", + "ec2:DeleteSnapshot", + "ec2:DetachVolume", + "ec2:DeleteKeyPair", + "ec2:DeleteTags", + "ec2:DeleteSubnet", + 
"ec2:DeleteSecurityGroup", + "ec2:DeleteRouteTable", + "ec2:DeleteRoute", + "ec2:DetachInternetGateway", + "ec2:DeleteInternetGateway", + "ec2:DeleteVpc" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC" + } + } + }, + { + "Sid": "CreateAndChangeServiceLinkedRoleForTransitGateway", + "Effect": "Allow", + "Action": "iam:CreateServiceLinkedRole", + "Resource": "arn:aws:iam::*:role/aws-service-role/transitgateway.amazonaws.com/AWSServiceRoleForVPCTransitGateway*", + "Condition": { + "StringLike": { + "iam:AWSServiceName": "transitgateway.amazonaws.com" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "iam:AttachRolePolicy", + "iam:PutRolePolicy" + ], + "Resource": "arn:aws:iam::*:role/aws-service-role/transitgateway.amazonaws.com/AWSServiceRoleForVPCTransitGateway*" + } + ] +} +``` + {{< /expand >}} + +1. Validate the policy and click **Review Policy**. +1. Enter `RedislabsIAMUserRestrictedPolicy` as the policy name and click **Create Policy**. + +## Step 4: Create the programmatic access user + +Create a user and attach the policy you created: + + + +1. In the AWS IAM console, go to **Users** > select **Add user**. +1. Name it `redislabs-user` and check only the **Programmatic access** checkbox. +1. Click **Next: Permissions**. +1. Select **Attach existing policies directly** and select + **RedislabsIAMUserRestrictedPolicy** from the list. +1. Click **Next: Review**. +1. Click **Create user**. +1. Download the user credentials and store them in a secure location. + +## Step 5: Create the console access role + +Last, create a role and attach the policy you created: + + + +1. In the AWS IAM console, go to **Roles** > select **Create role**. +1. Select **Another AWS account**. +1. Under **Account ID**, enter account number `168085023892` (Redis Cloud's AWS account). +1. Under Options, check the **Require MFA** checkbox only. *Do not check Require external ID*. +1. Click **Next: Permissions**. +1. 
Attach the policy **RedisLabsIAMUserRestrictedPolicy** to the role. +1. Click **Next: Review**. +1. Name the role `redislabs-role` and then click **Create role**. diff --git a/content/operate/rc/cloud-integrations/aws-cloud-accounts/iam-resources/cloudformation.md b/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/cloudformation.md similarity index 86% rename from content/operate/rc/cloud-integrations/aws-cloud-accounts/iam-resources/cloudformation.md rename to content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/cloudformation.md index 74df152fe..dc2505f55 100644 --- a/content/operate/rc/cloud-integrations/aws-cloud-accounts/iam-resources/cloudformation.md +++ b/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/cloudformation.md @@ -66,3 +66,9 @@ VersionStages: The JSON object is the value (less the single quotes) of the `SecretString` key. i.e. it is `{"password":"S3cr3tP@$$w0rd"}`. The password is the value associated with that key (less the double quotes): `S3cr3tP@$$w0rd`. + +{{< warning >}} +We use the provided credentials to configure your AWS environment and provision required resources. + +You **must not** change the configurations of provisioned resources or stop or terminate provisioned instances. If you do, your databases will be inaccessible and Redis will not be able to ensure database stability. See [Avoid service disruption]({{< relref "/operate/rc/subscriptions/bring-your-own-cloud/cloud-account-settings#avoid-service-disruption" >}}) for more details. +{{< /warning >}} diff --git a/content/operate/rc/cloud-integrations/aws-cloud-accounts/iam-resources/terraform.md b/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/terraform.md similarity index 76% rename from content/operate/rc/cloud-integrations/aws-cloud-accounts/iam-resources/terraform.md rename to content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/terraform.md index 61ba8e273..da5801987 100644 
--- a/content/operate/rc/cloud-integrations/aws-cloud-accounts/iam-resources/terraform.md +++ b/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/terraform.md @@ -10,6 +10,12 @@ linkTitle: Terraform --- You can use [HashiCorp Terraform](https://www.terraform.io/intro/index.html) to create identity and access management (IAM) resources to support AWS cloud account access to Redis Cloud subscriptions. +{{< warning >}} +We use the provided credentials to configure your AWS environment and provision required resources. + +You **must not** change the configurations of provisioned resources or stop or terminate provisioned instances. If you do, your databases will be inaccessible and Redis will not be able to ensure database stability. See [Avoid service disruption]({{< relref "/operate/rc/subscriptions/bring-your-own-cloud/cloud-account-settings#avoid-service-disruption" >}}) for more details. +{{< /warning >}} + The following example uses the `terraform-aws-Redislabs-Cloud-Account-IAM-Resources` module, located in Amazon S3: diff --git a/content/operate/rc/cloud-integrations/aws-cloud-accounts/subscription-whitelist.md b/content/operate/rc/subscriptions/bring-your-own-cloud/subscription-whitelist.md similarity index 83% rename from content/operate/rc/cloud-integrations/aws-cloud-accounts/subscription-whitelist.md rename to content/operate/rc/subscriptions/bring-your-own-cloud/subscription-whitelist.md index 83993ed18..9f808e5e1 100644 --- a/content/operate/rc/cloud-integrations/aws-cloud-accounts/subscription-whitelist.md +++ b/content/operate/rc/subscriptions/bring-your-own-cloud/subscription-whitelist.md 
@@ -13,13 +13,13 @@ weight: $weight The [CIDR](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) [allow list](https://en.wikipedia.org/wiki/Whitelist) lets you restrict traffic to your Redis Cloud database. When you configure an allow list, only the [IP addresses](https://en.wikipedia.org/wiki/IP_address) defined in the list can connect to the database. Traffic from all other IP addresses is blocked. -If you use a [self-managed, external cloud account]({{< relref "/operate/rc/cloud-integrations/aws-cloud-accounts" >}}) to host your Redis Cloud deployment, you can configure a subscription-wide allow list +If you use [Redis Cloud Bring your Own Cloud]({{< relref "/operate/rc/subscriptions/bring-your-own-cloud" >}}) to host your Redis Cloud deployment, you can configure a subscription-wide allow list to restrict traffic to all databases associated with the subscription. The subscription CIDR allow list defines a range of IP addresses and [AWS security groups](https://docs.aws.amazon.com/managedservices/latest/userguide/about-security-groups.html) that control inbound and outbound traffic to the Redis Cloud [VPC](https://en.wikipedia.org/wiki/Virtual_private_cloud). When you add security groups to the allow list, you can also use the same security groups to manage access to your application. {{< note >}} -The subscription-level allow list is available for Redis Cloud deployments hosted on a self-managed, external AWS account. If you do not have a self-managed account, you can configure a [CIDR allow list]({{< relref "/operate/rc/security/cidr-whitelist.md" >}}) for each database. +The subscription-level allow list is available for Redis Cloud Bring your Own Cloud. If you don't have Redis Cloud Bring your Own Cloud, you can configure a [CIDR allow list]({{< relref "/operate/rc/security/cidr-whitelist" >}}) for each database. {{< /note >}} ## Allow IP address or security group
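Review bot: aws-console.md is deleted outright (`deleted file mode 100644`) while the sibling iam-resources pages cloudformation.md and terraform.md are renamed into `bring-your-own-cloud/iam-resources/`, so the manual AWS console procedure and the full `RedislabsIAMUserRestrictedPolicy` JSON disappear from the docs with no replacement visible in this patch. Before merging, confirm either that an equivalent page exists under the new path or that the drop is intentional, and grep for any remaining relrefs to `aws-cloud-accounts/iam-resources/aws-console`, which would now be broken links.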
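Review bot: the `{{< warning >}}` block added at the end of cloudformation.md (the `+` lines after the `S3cr3tP@$$w0rd` sentence) is byte-for-byte identical to the one added to terraform.md in the next hunk; duplicated policy text like this tends to drift, so consider moving it into a shared shortcode or partial that both pages include. Both copies also depend on the `#avoid-service-disruption` anchor existing on `cloud-account-settings`; verify that heading is present so the relref does not resolve to the page top.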
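Review bot: in terraform.md the unchanged context line above the new warning still describes the resources as supporting "AWS cloud account access to Redis Cloud subscriptions", while the file is being renamed under `bring-your-own-cloud` and the subscription-whitelist.md hunk rewrites the same concept as "Redis Cloud Bring your Own Cloud". Update that intro sentence in the same change so the renamed page uses the new product name consistently, for example "to support Redis Cloud Bring your Own Cloud subscriptions".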
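Review bot: the new note text in subscription-whitelist.md repeats the product name awkwardly ("available for Redis Cloud Bring your Own Cloud. If you don't have Redis Cloud Bring your Own Cloud, ..."), and the capitalization "Bring your Own Cloud" mixes cases within the name. Suggest one consistent form (e.g. "Bring Your Own Cloud") and a tighter sentence such as "The subscription-level allow list is available only for Bring Your Own Cloud subscriptions; otherwise, configure a CIDR allow list for each database."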