What resources in my AWS account does the Hub need access to?

  • Hub setup: Amazon CloudFormation

  • Cloud servers: Amazon EC2 and CloudWatch
  • Backups: Amazon S3 buckets - with the tklbam-* prefix
  • DNS management: Route53

How do I set this up?

Follow the instructions on the Amazon account setup page. Even if you've never created an IAM role before, this should only take a minute or so. For a more detailed walkthrough, including screenshots, please see the AWS IAM role creation doc page.

What's an IAM role and what's it good for?

IAM is AWS's "Identity and Access Management" system. An IAM role is the secure, recommended way to authorize apps to call the AWS API on your behalf.

Before IAM roles, the only way to provide access was to share secret keys which could get stolen. Worse, there was no way to tell who was using those keys to access your account or what they were doing.

With IAM roles, there are no keys to steal and it is possible to log access by role to keep track of all actions performed on your behalf by 3rd party apps.

How do I log Hub activity on my account?

We recommend enabling AWS CloudTrail to log all API calls performed on your account from all apps.

How does an IAM role work?

The role tells AWS which app to authorize (e.g., the TurnKey Hub) and what resources to give it access to. The app can then assume that role by getting short-lived credentials from the AWS Security Token Service (STS). All actions by the app can be logged & audited.

Read more: IAM roles - AWS Identity and Access Management
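One way to review what a role did from CloudTrail records, checking each call against the services and the tklbam-* bucket prefix listed at the top of this page. This is an added example, not the Hub's own code; the role name and the sample records are constructed for illustration.

```python
import fnmatch
import json

# Assumption: hypothetical role name; use the name you gave the Hub's IAM role.
HUB_ROLE_NAME = "hub-access-example"
# CloudTrail eventSource values for the services this page lists.
EXPECTED_SOURCES = {
    "cloudformation.amazonaws.com", "ec2.amazonaws.com",
    "monitoring.amazonaws.com",  # CloudWatch
    "s3.amazonaws.com", "route53.amazonaws.com",
}
BACKUP_BUCKET_PATTERN = "tklbam-*"

def _record(role, source, name, params=None):
    """Build one constructed record in CloudTrail's layout for the sample."""
    return {
        "eventSource": source, "eventName": name, "requestParameters": params,
        "userIdentity": {"type": "AssumedRole", "sessionContext": {
            "sessionIssuer": {"type": "Role", "userName": role}}},
    }

# Constructed sample log (not real data).
SAMPLE_LOG = json.dumps({"Records": [
    _record(HUB_ROLE_NAME, "ec2.amazonaws.com", "RunInstances"),
    _record(HUB_ROLE_NAME, "s3.amazonaws.com", "CreateBucket", {"bucketName": "tklbam-abc123"}),
    _record(HUB_ROLE_NAME, "s3.amazonaws.com", "GetBucketPolicy", {"bucketName": "unrelated-bucket"}),
    _record(HUB_ROLE_NAME, "iam.amazonaws.com", "CreateUser", {"userName": "example"}),
    _record("other-app-role", "ec2.amazonaws.com", "DescribeInstances"),
]})

def audit_role_activity(log_text, role_name=HUB_ROLE_NAME):
    """Return (per-service call counts, out-of-scope findings) for one role."""
    counts, findings = {}, []
    for rec in json.loads(log_text).get("Records", []):
        ident = rec.get("userIdentity") or {}
        issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
        if ident.get("type") != "AssumedRole" or issuer.get("userName") != role_name:
            continue  # not a call made with this role's temporary credentials
        source, name = rec.get("eventSource", ""), rec.get("eventName", "")
        counts[source] = counts.get(source, 0) + 1
        if source not in EXPECTED_SOURCES:
            findings.append((name, f"unexpected service {source}"))
        elif source == "s3.amazonaws.com":
            bucket = (rec.get("requestParameters") or {}).get("bucketName")
            if bucket and not fnmatch.fnmatchcase(bucket, BACKUP_BUCKET_PATTERN):
                findings.append((name, f"bucket {bucket} outside {BACKUP_BUCKET_PATTERN}"))
    return counts, findings
```

Call audit_role_activity() with the text of a CloudTrail log file; any finding is a call worth comparing against the permissions attached to the role.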

How long will the Hub have access to my account?

As long as the IAM role exists, the Hub will have access. You can revoke an IAM role at any time through the AWS Console, but then we won't be able to provide you with service until you set up a new IAM role.

