Setting up Amazon AppConfig
If you haven't already done so, sign up for an Amazon Web Services account and create an administrative user.
Sign up for an Amazon Web Services account
If you do not have an Amazon Web Services account, use the following procedure to create one.
To sign up for Amazon Web Services
Open http://www.amazonaws.cn/
and choose Sign Up. Follow the on-screen instructions.
Amazon sends you a confirmation email after the sign-up process is
complete. At any time, you can view your current account activity and manage your account by
going to http://www.amazonaws.cn/
Secure IAM users
After you sign up for an Amazon Web Services account, safeguard your administrative user by turning on multi-factor authentication (MFA). For instructions, see Enable a virtual MFA device for an IAM user (console) in the IAM User Guide.
To give other users access to your Amazon Web Services account resources, create IAM users. To secure your IAM users, turn on MFA and only give the IAM users the permissions needed to perform their tasks.
For more information about creating and securing IAM users, see the following topics in the IAM User Guide:
Grant programmatic access
Users need programmatic access if they want to interact with Amazon outside of the Amazon Web Services Management Console. The Amazon APIs and the Amazon Command Line Interface require access keys. Whenever possible, create temporary credentials that consist of an access key ID, a secret access key, and a security token that indicates when the credentials expire.
To grant users programmatic access, choose one of the following options.
| Which user needs programmatic access? | To | By |
|---|---|---|
| IAM | Use short-term credentials to sign programmatic requests to the Amazon CLI or Amazon APIs (directly or by using the Amazon SDKs). | Following the instructions in Using temporary credentials with Amazon resources in the IAM User Guide. |
| IAM | (Not recommended) Use long-term credentials to sign programmatic requests to the Amazon CLI or Amazon APIs (directly or by using the Amazon SDKs). |
Following the instructions in Managing access keys for IAM users in the IAM User Guide. |
(Optional) Configure permissions for rollback based on CloudWatch alarms
You can configure Amazon AppConfig to roll back to a previous version of a configuration in response to one or more Amazon CloudWatch alarms. When you configure a deployment to respond to CloudWatch alarms, you specify an Amazon Identity and Access Management (IAM) role. Amazon AppConfig requires this role so that it can monitor CloudWatch alarms.
Note
The IAM role must belong to the current account. By default, Amazon AppConfig can only monitor alarms owned by the current account. If you want to configure Amazon AppConfig to roll back deployments in response to metrics from a different account, you must configure cross account alarms. For more information, see Cross-account cross-Region CloudWatch console in the Amazon CloudWatch User Guide.
Use the following procedures to create an IAM role that enables Amazon AppConfig to rollback based on CloudWatch alarms. This section includes the following procedures.
Step 1: Create the permission policy for rollback based on CloudWatch alarms
Use the following procedure to create an IAM policy that gives Amazon AppConfig permission
to call the DescribeAlarms API action.
To create an IAM permission policy for rollback based on CloudWatch alarms
-
Open the IAM console at https://console.amazonaws.cn/iam/
. -
In the navigation pane, choose Policies, and then choose Create policy.
-
On the Create policy page, choose the JSON tab.
-
Replace the default content on the JSON tab with the following permission policy, and then choose Next: Tags.
Note
To return information about CloudWatch composite alarms, the DescribeAlarms API operation must be assigned
*permissions, as shown here. You can't return information about composite alarms ifDescribeAlarmshas a narrower scope.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarms" ], "Resource": "*" } ] } -
Enter tags for this role, and then choose Next: Review.
-
On the Review page, enter
SSMCloudWatchAlarmDiscoveryPolicyin the Name field. -
Choose Create policy. The system returns you to the Policies page.
Step 2: Create the IAM role for rollback based on CloudWatch alarms
Use the following procedure to create an IAM role and assign the policy you created in the previous procedure to it.
To create an IAM role for rollback based on CloudWatch alarms
-
Open the IAM console at https://console.amazonaws.cn/iam/
. -
In the navigation pane, choose Roles, and then choose Create role.
-
Under Select type of trusted entity, choose Amazon service.
-
Immediately under Choose the service that will use this role, choose EC2: Allows EC2 instances to call Amazon services on your behalf, and then choose Next: Permissions.
-
On the Attached permissions policy page, search for SSMCloudWatchAlarmDiscoveryPolicy.
-
Choose this policy and then choose Next: Tags.
-
Enter tags for this role, and then choose Next: Review.
-
On the Create role page, enter
SSMCloudWatchAlarmDiscoveryRolein the Role name field, and then choose Create role. -
On the Roles page, choose the role you just created. The Summary page opens.
Step 3: Add a trust relationship
Use the following procedure to configure the role you just created to trust Amazon AppConfig.
To add a trust relationship for Amazon AppConfig
-
In the Summary page for the role you just created, choose the Trust Relationships tab, and then choose Edit Trust Relationship.
-
Edit the policy to include only "
appconfig.amazonaws.com", as shown in the following example:{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "appconfig.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } -
Choose Update Trust Policy.