iaas-user-roles.html.md.erb

---
title: Pivotal Cloud Foundry® IaaS User Role Guidelines
owner: Program Management
---

This topic describes practices recommended by Pivotal for creating secure IaaS 
user roles.

Pivotal Cloud Foundry® (PCF) is an automated platform that connects to IaaS 
providers such as AWS and OpenStack. 
This connectivity typically requires accounts with appropriate permissions to 
act on behalf of the operator to access IaaS functionality such as creating 
virtual machines (VMs), managing networks and storage, and other related 
services. 

Ops Manager and Elastic Runtime can be configured with IaaS users in different ways depending on your IaaS. Other product tiles and services might also use their own IaaS credentials. Refer to the documentation for those product tiles or services to configure them securely.

##<a id="lpus"></a> Least Privileged Users (LPUs)

Pivotal recommends following the principle of least privilege by scoping privileges to the most restrictive permissions possible for a given role. In the event that someone gets access to credentials by mistake or through malicious intent, LPUs limit the scope of the breach. Pivotal recommends following best practices for the particular IaaS you are deploying.

##<a id="aws"></a> Configuring IaaS User Roles on AWS
Pivotal recommends using the [CloudFormation templates for Pivotal Cloud Foundry&reg;](cloudform.html) to configure AWS deployments to create users with least privilege. Pivotal also recommends minimizing the use of master account credentials by creating an IAM role and instance profile with the minimum required EC2, VPC, and EBS credentials.

<p class="note"><strong>Note</strong>: If you choose not to use the CloudFormation templates, Pivotal encourages you to use the permissions determined by <code>PcfIamPolicy</code> section of the Ops Manager CloudFormation template to create users with appropriate permissions. Additionally, follow AWS account security best practices such as disabling root keys, multi-factor authentication on the root account, and CloudTrail for auditing API actions.</p>

See the table below for more information on the two CloudFormation templates.

<table>
<tr>
	<th>Template Source</td>
	<th>Location</td>
	<th>User(s) Created</td>
	<th>User Purpose</td>
	<th>Uses IAM Role</td>
	<th>Additional Documentation</td>
</tr>

<tr>
	<td>Elastic Runtime</td>
	<td>Pivotal Network Elastic Runtime <a href="https://network.pivotal.io/products/elastic-runtime">Download</a></td>
	<td>ERT S3  user</td>
	<td>Blob storage</td>
	<td>No</td>
	<td><a href="cloudform-er-config.html">Deploying Elastic Runtime on AWS</a></td>
</tr>
	<td>Ops Manager</td>
	<td>Referenced in the ERT template</td>
	<td>Ops Manager VM and Ops Manager Director </td>
	<td>EC2, VPC, EBS, S3, ELB</td>
	<td>Yes</td>
	<td><a href="cloudform-om-config.html#aws-config">Director User Config</a></td>
</tr>

</table>

For more Amazon-specific best practices, refer to the following Amazon documentation:

* [IAM Roles Best Practices](http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)
* [AWS Security Best Practices Whitepaper](http://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf)
* [AWS Well-Architected Framework](https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf)

##<a id="vsphere"></a> Configuring IaaS User Roles on vSphere
See the vCenter permissions recommendations in [vSphere/vCenter Requirements](requirements.html#vsphere).

##<a id="vcloud"></a>Configuring IaaS User Roles on vCloud
See the [installation instructions](requirements.html#vcloud-air) and follow the least privilege user configuration for accounts.

##<a id="openstack"></a> Configuring IaaS User Roles on OpenStack
See the [installation instructions](openstack.html) and follow the least privilege user configuration for tenants and identity.