Applies only to CMS Essentials and PPAs, not Essentials via SoftwareOne Marketplace with Billing Transfer
As part of SoftwareOne Cloud Managed Services Essentials for AWS onboarding, SoftwareOne deploys a Bootstrap Role into the AWS Management (Payer) account. This role is essential to enable secure, automated deployment of Essentials federation stacks and related infrastructure using SoftwareOne's internal automation systems.
The Bootstrap Role enables SoftwareOne automation to securely assume limited and specific permissions required to deploy stacks, manage identities, and configure infrastructure relating to SoftwareOne’s services. No human access is granted through this role. Automation will not impact any customer workloads.
This role ensures:
- Secure automation of Cloud Managed Services Essentials onboarding.
- Faster delivery of updates and operational changes.
- Consistent deployment of roles, policies, and integrations needed for federated access and monitoring.
It is important to note that this IAM Role grants permissions only to specific SoftwareOne automation systems and is protected by a restricted trust policy. The permissions granted are scoped where possible to SWO-specific resources (e.g., IAM roles whose names start with SWO or swo).
The following table outlines the permissions granted to the Bootstrap Role:
| Sid | Effect | Action | Resource | Condition | Explanation |
|---|---|---|---|---|---|
| AllowCloudFormation | Allow | cloudformation:CreateStack, cloudformation:CreateStackSet, cloudformation:DescribeStacks, cloudformation:GetTemplateSummary, cloudformation:ListStacks, cloudformation:UpdateStack, cloudformation:DeleteStack, cloudformation:CreateStackInstances, cloudformation:DescribeStackSetOperation, cloudformation:DeleteStackInstances, cloudformation:DeleteStackSet, cloudformation:DescribeStackSet | Stacks and StackSets prefixed with | None | Enables deployment and management of CMS Essentials stacks. |
| AllowIAMRoleManagement | Allow | iam:CreateRole, iam:DeleteRole, iam:GetRole, iam:PutRolePolicy, iam:DeleteRolePolicy, iam:AttachRolePolicy, iam:DetachRolePolicy, iam:ListAttachedRolePolicies, iam:ListRolePolicies, iam:TagRole, iam:PassRole, iam:CreatePolicy, iam:DeletePolicy, iam:GetPolicy, iam:CreatePolicyVersion, iam:GetPolicyVersion, iam:ListEntitiesForPolicy, iam:ListPolicyVersions, iam:DeletePolicyVersion, iam:GetRolePolicy, iam:CreateServiceLinkedRole | Roles and policies prefixed with | None | Allows creation, attachment, and tagging of IAM roles and policies necessary for CMS automation. |
| AllowFederatedProviders | Allow | iam:CreateSAMLProvider, iam:GetSAMLProvider, iam:DeleteSAMLProvider, iam:CreateOpenIDConnectProvider, iam:GetOpenIDConnectProvider, iam:DeleteOpenIDConnectProvider | Providers prefixed with | None | Enables configuration of federated identity providers. |
| AllowCostAndUsageReporting | Allow | cur:DescribeReportDefinitions, cur:PutReportDefinition, cur:DeleteReportDefinition, cur:TagResource, cur:ListTagsForResource | Reports prefixed with | None | Allows automation to manage Cost and Usage Reports (CUR) for CMS purposes. |
| AllowLambdaManagement | Allow | lambda:AddPermission, lambda:CreateFunction, lambda:DeleteFunction, lambda:GetFunction, lambda:GetFunctionCodeSigningConfig, lambda:GetRuntimeManagementConfig, lambda:ListTags, lambda:TagResource, lambda:UpdateFunctionCode, lambda:UpdateFunctionConfiguration, lambda:RemovePermission, lambda:InvokeFunction | Functions prefixed with | None | Allows deployment and updates of CMS automation Lambda functions. |
| AllowSecretsManagement | Allow | secretsmanager:CreateSecret, secretsmanager:DeleteSecret, secretsmanager:DescribeSecret | Secrets prefixed with | None | Enables storage and management of automation-related secrets. |
| AllowS3BucketControl | Allow | s3:CreateBucket, s3:DeleteBucketPolicy, s3:PutBucketPolicy, s3:PutBucketPublicAccessBlock, s3:PutLifecycleConfiguration, s3:GetAccelerateConfiguration, s3:GetAnalyticsConfiguration, s3:GetBucketCORS, s3:GetBucketLogging, s3:GetBucketNotification, s3:GetBucketObjectLockConfiguration, s3:GetBucketOwnershipControls, s3:GetBucketPolicy, s3:GetBucketPublicAccessBlock, s3:GetBucketTagging, s3:GetBucketVersioning, s3:GetBucketWebsite, s3:GetEncryptionConfiguration, s3:GetIntelligentTieringConfiguration, s3:GetInventoryConfiguration, s3:GetLifecycleConfiguration, s3:GetMetricsConfiguration, s3:GetObject, s3:GetReplicationConfiguration | Buckets under the AWS Account | None | Allows automation to manage S3 buckets used by CMS stacks. |
| AllowSSMParameterStore | Allow | ssm:PutParameter, ssm:GetParameters, ssm:DeleteParameter | Parameters prefixed with | None | Enables CMS automation to store and retrieve configuration via SSM Parameter Store. |
| AllowEventsAndSNS | Allow | events:DescribeRule, events:DeleteRule, events:EnableRule, events:PutRule, events:PutTargets, events:RemoveTargets, events:TagResource, sns:GetTopicAttributes, sns:CreateTopic, sns:DeleteTopic, sns:SetTopicAttributes, sns:ListTopics, sns:Subscribe, sns:Unsubscribe, sns:SetSubscriptionAttributes | Rules and Topics prefixed with | None | Allows creation and control of EventBridge rules and SNS topics used by CMS services. |
| AllowKMSUsage | Allow | kms:CreateGrant, kms:Decrypt, kms:DescribeKey, kms:Encrypt, kms:GenerateDataKey | All | None | Required for secure key handling during stack deployment. |
| AllowSupportForBudgets | Allow | budgets:CreateBudget, budgets:UpdateBudget, budgets:DeleteBudget, budgets:DescribeBudget, budgets:CreateBudgetAction, budgets:UpdateBudgetAction, budgets:DeleteBudgetAction, budgets:DescribeBudgetAction | Budgets prefixed with | None | Allows automation to manage AWS Budgets relevant to CMS Essentials. |
This setup aligns with AWS best practices by using scoped IAM policies, automation-only access, and protected trust relationships. It allows SoftwareOne to deploy and maintain Cloud Managed Services Essentials consistently across all customer environments, with reduced risk and improved operational efficiency.
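The two controls the page relies on are a restricted trust policy and prefix-scoped resources. A customer reviewing the deployed Bootstrap Role can verify both mechanically. The script below is an added example, not SoftwareOne's role definition or tooling: the trust policy and permissions policy are constructed with placeholder values (the automation principal ARN, the account IDs, the `swo` prefix and an `sts:ExternalId` condition are all assumptions, and the permissions policy mirrors only a few of the table's Sids). It checks that the trust policy names a specific role rather than a wildcard or a whole account, and reports which Allow statements are not prefix-scoped, which for the table above should be only the KMS and S3 statements the page itself lists as broader.

```python
"""Review checks for a bootstrap-style cross-account IAM role.

Constructed example: nothing here is the vendor's actual policy. The
principal ARN, account IDs, prefix and ExternalId are placeholders.
"""
import json
import re

RESOURCE_PREFIX = "swo"          # assumed resource-name prefix
CUSTOMER_ACCOUNT = "111122223333"  # constructed payer account id
VENDOR_AUTOMATION_ROLE = "arn:aws:iam::999999999999:role/AutomationDeployer"  # hypothetical

# Constructed trust policy: one specific automation role may assume the
# bootstrap role, and only when it presents the agreed ExternalId (assumption).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": VENDOR_AUTOMATION_ROLE},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
    }],
}

# Constructed permissions policy mirroring a subset of the table's Sids.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowCloudFormation", "Effect": "Allow",
         "Action": ["cloudformation:CreateStack", "cloudformation:DeleteStack"],
         "Resource": [f"arn:aws:cloudformation:*:{CUSTOMER_ACCOUNT}:stack/{RESOURCE_PREFIX}*/*",
                      f"arn:aws:cloudformation:*:{CUSTOMER_ACCOUNT}:stackset/{RESOURCE_PREFIX}*"]},
        {"Sid": "AllowIAMRoleManagement", "Effect": "Allow",
         "Action": ["iam:CreateRole", "iam:PassRole", "iam:PutRolePolicy"],
         "Resource": [f"arn:aws:iam::{CUSTOMER_ACCOUNT}:role/{RESOURCE_PREFIX}*",
                      f"arn:aws:iam::{CUSTOMER_ACCOUNT}:policy/{RESOURCE_PREFIX}*"]},
        {"Sid": "AllowKMSUsage", "Effect": "Allow",
         "Action": ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey"],
         "Resource": "*"},
        {"Sid": "AllowSSMParameterStore", "Effect": "Allow",
         "Action": ["ssm:PutParameter", "ssm:GetParameters"],
         "Resource": f"arn:aws:ssm:*:{CUSTOMER_ACCOUNT}:parameter/{RESOURCE_PREFIX}*"},
    ],
}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy):
    """Return review findings for Allow statements in a role trust policy."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # Principal is either the string "*" or a dict such as {"AWS": ...}.
        principals = [principal] if isinstance(principal, str) else _as_list(principal.get("AWS", []))
        if any(p == "*" for p in principals):
            findings.append("principal is wildcard")
        if any(p.endswith(":root") for p in principals):
            findings.append("principal is a whole account, not a specific role")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            findings.append("no sts:ExternalId condition")
    return findings


def unscoped_statements(policy, prefix=RESOURCE_PREFIX):
    """Return Sids of Allow statements whose Resource is not prefix-scoped.

    An ARN counts as prefix-scoped when the prefix follows the resource-type
    separator, e.g. arn:aws:iam::123456789012:role/swo*. A bare "*" or any
    ARN without the prefix marks the whole statement as unscoped.
    """
    arn_with_prefix = re.compile(
        rf"^arn:[^:]+:[^:]+:[^:]*:[^:]*:(?:[^/:]+[/:])?{re.escape(prefix)}")
    unscoped = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", "*"))
        if not all(arn_with_prefix.match(r) for r in resources):
            unscoped.append(stmt.get("Sid", "<no Sid>"))
    return unscoped


if __name__ == "__main__":
    print("trust policy findings:", json.dumps(trust_policy_findings(TRUST_POLICY)))
    print("statements not scoped to prefix:", unscoped_statements(PERMISSIONS_POLICY))
```

Run against a real role, the two documents would come from `iam:GetRole` (the `AssumeRolePolicyDocument`) and from the role's inline or attached policies; the page's own table says the KMS statement applies to all keys, so seeing it reported is expected, while any other Sid in the output is worth a question to the vendor.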