# Central Account

The ConsoleMe service needs its own user or role. Note that ConsoleMe has a lot of permissions. You should ensure that its privileges cannot be used outside of ConsoleMe, except by authorized administrators (Likely, you).

You can call this new role "ConsoleMeInstanceProfile". It will also need to assume whichever roles you want to allow it to assume in your environment. Here is a full-fledged policy you can use when deploying to production. For now, scoping down assume role rights for testing should be sufficient. Create an inline policy for your role with the following permissions if you never want to have to think about it again:

Replace `arn:aws:iam::1243456789012:role/consolemeInstanceProfile` in the Assume Role Trust Policy with your ConsoleMe service role ARN.

```
{
  "Statement": [
    {
      "Action": [
        "access-analyzer:*",
        "cloudtrail:*",
        "cloudwatch:*",
        "config:SelectResourceConfig",
        "config:SelectAggregateResourceConfig",
        "dynamodb:batchgetitem",
        "dynamodb:batchwriteitem",
        "dynamodb:deleteitem",
        "dynamodb:describe*",
        "dynamodb:getitem",
        "dynamodb:getrecords",
        "dynamodb:getsharditerator",
        "dynamodb:putitem",
        "dynamodb:query",
        "dynamodb:scan",
        "dynamodb:updateitem",
        "dynamodb:CreateTable",
        "dynamodb:UpdateTimeToLive",
        "sns:createplatformapplication",
        "sns:createplatformendpoint",
        "sns:deleteendpoint",
        "sns:deleteplatformapplication",
        "sns:getendpointattributes",
        "sns:getplatformapplicationattributes",
        "sns:listendpointsbyplatformapplication",
        "sns:publish",
        "sns:setendpointattributes",
        "sns:setplatformapplicationattributes",
        "sts:assumerole"
      ],
      "Effect": "Allow",
      "Resource": ["*"]
    },
    {
      "Action": ["ses:sendemail", "ses:sendrawemail"],
      "Condition": {
        "StringLike": {
          "ses:FromAddress": ["email_address_here@example.com"]
        }
      },
      "Effect": "Allow",
      "Resource": "arn:aws:ses:*:123456789:identity/your_identity.example.com"
    },
    {
      "Action": [
        "autoscaling:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "config:BatchGet*",
        "config:List*",
        "config:Select*",
        "ec2:DescribeSubnets",
        "ec2:describevpcendpoints",
        "ec2:DescribeVpcs",
        "iam:GetAccountAuthorizationDetails",
        "iam:ListAccountAliases",
        "iam:ListAttachedRolePolicies",
        "ec2:describeregions",
        "s3:GetBucketPolicy",
        "s3:GetBucketTagging",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:PutBucketPolicy",
        "s3:PutBucketTagging",
        "sns:GetTopicAttributes",
        "sns:ListTagsForResource",
        "sns:ListTopics",
        "sns:SetTopicAttributes",
        "sns:TagResource",
        "sns:UnTagResource",
        "sqs:GetQueueAttributes",
        "sqs:GetQueueUrl",
        "sqs:ListQueues",
        "sqs:ListQueueTags",
        "sqs:SetQueueAttributes",
        "sqs:TagQueue",
        "sqs:UntagQueue"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
}
```

You must also allow ConsoleMe to read/write to the bucket you've decided to use to cache data. Please replace `BUCKET_NAME` below with the name of the bucket you will cache data in. This bucket must be in the same account as this role, and it must also be defined in your ConsoleMe configuration under the `consoleme_s3_bucket` configuration key. You can add this as a new inline policy on your ConsoleMeInstanceProfile role, or append the statement to an existing inline policy.

```
{
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME",
                "arn:aws:s3:::BUCKET_NAME/*"
            ]
        }
    ]
}
```

Configure the trust policy with the following settings (Yes, you'll want to give ConsoleMeInstanceProfile the ability to assume itself):

```
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      }
    },
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::1243456789012:role/consolemeInstanceProfile"
      }
    }
  ],
  "Version": "2012-10-17"
}
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://hawkins.gitbook.io/consoleme/prerequisites/required-iam-permissions/central-account-consolemeinstanceprofile.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.