AWS Account Requirements

Verify that your AWS account has resources and services configured to meet Altus requirements and the Altus administrator has adequate permissions to configure the resources and services in AWS.

AWS Resources and Services

Altus accesses the following resources in your AWS account:
  • VPC
  • EC2 Instances
  • Regions and availability zones
  • Security group
Use the following guidelines to ensure that Altus can use the resources in your AWS account to create clusters and run jobs:
VPC
Altus supports EC2-VPCs.

You can use an existing AWS account or create an AWS account for Altus workloads. If you use an existing account created after December 4, 2013, you can use the default VPC provided with the AWS account. The default VPC is an EC2-VPC. For more information, see the AWS documentation about the default VPC.

If you use an existing account created before December 4, 2013, use EC2-VPC, not EC2-Classic.

The VPC must have the following configuration:
  • Connected to an Internet gateway.
  • Has at least one public subnet configured with auto-assigned public IPs, and the subnet routes default traffic through the Internet gateway.
  • Has Amazon-provided DNS turned on: the VPC attributes enableDnsSupport (DNS resolution) and enableDnsHostnames (DNS hostnames) are both set to true.

Verify the limits of the VPC and subnets available in your AWS account to ensure that you have enough resources to create clusters in Altus. For more information about VPC limits, see AWS Limits.

EC2 Instances
A new AWS account starts with a default limit of 20 EC2 instances per region, and that limit applies when you use the default VPC provided with the account. If you require a larger number of instances, contact Amazon to request an increase in your instance limit.

Verify the EC2 instance limits in your AWS account to ensure that you are able to create clusters in Altus. For more information about instance limits, see AWS Limits.

Altus supports c4, m4, and r4 instance types.

Regions and Availability Zones
You can deploy clusters in any AWS region that Altus supports. Typically, you deploy clusters into the same region that contains the S3 buckets that you want to access for input and output data.

For more information about the AWS regions supported by Altus, see Supported AWS Regions.

Security Group
You must define a security group with the following configuration:
  • Inbound: A self-referencing rule that allows all traffic from the security group itself (so cluster nodes can talk to each other), plus SSH (TCP port 22) from the following Altus addresses:
    • 52.88.35.116/32
    • 52.37.120.7/32
    • 50.112.20.144/32
    • 34.211.1.60/32
    • 34.210.228.237/32
    • 52.26.206.120/32
  • Outbound: Allows all traffic to all destinations.

Verify the security group limits in your AWS account to ensure that you can configure security groups for Altus. For more information about security group limits, see AWS Limits.

To connect to a CDH cluster and Cloudera Manager, you must also add inbound rules to the security group that allow SSH access from the IP address of your machine or from the range of IP addresses used by your organization. Do not open SSH to 0.0.0.0/0. For more information, see SSH Connection in AWS.
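The following preflight script checks the VPC, subnet and security-group requirements listed above before you try to create an environment. It is an added example, not Cloudera's code. It evaluates the JSON shapes returned by the AWS CLI commands `aws ec2 describe-vpc-attribute`, `describe-subnets`, `describe-route-tables`, `describe-internet-gateways` and `describe-security-groups`, so you can feed it real `--output json` results; the sample data at the bottom is constructed for illustration. The check that SSH is not open to 0.0.0.0/0 goes beyond what the page requires and is flagged as a reviewer finding.

```python
"""Preflight check of the Altus VPC, subnet and security-group requirements.
Added example (not Cloudera's code); works on AWS CLI JSON or the constructed sample below."""
import ipaddress

# Altus addresses that must be allowed in on TCP/22 (taken from the page).
ALTUS_SSH_SOURCES = {"52.88.35.116/32", "52.37.120.7/32", "50.112.20.144/32",
                     "34.211.1.60/32", "34.210.228.237/32", "52.26.206.120/32"}


def check_vpc(vpc_attrs, subnets, route_tables, igws):
    """Return a list of problems; an empty list means the VPC meets the requirements.
    vpc_attrs merges the two describe-vpc-attribute results (enableDnsSupport and
    enableDnsHostnames); the other arguments are the CLI's list fields."""
    vpc_id, problems = vpc_attrs["VpcId"], []
    if not vpc_attrs.get("EnableDnsSupport", {}).get("Value"):
        problems.append("enableDnsSupport is false")
    if not vpc_attrs.get("EnableDnsHostnames", {}).get("Value"):
        problems.append("enableDnsHostnames is false")
    igw_ids = {g["InternetGatewayId"] for g in igws
               if any(a.get("VpcId") == vpc_id for a in g.get("Attachments", []))}
    if not igw_ids:
        problems.append("no Internet gateway attached to the VPC")

    def routes_default_via_igw(subnet_id):
        # An explicit route-table association wins; otherwise the VPC's main table applies.
        tables = [t for t in route_tables if t.get("VpcId") == vpc_id]
        explicit = [t for t in tables
                    if any(a.get("SubnetId") == subnet_id for a in t.get("Associations", []))]
        main = [t for t in tables if any(a.get("Main") for a in t.get("Associations", []))]
        return any(r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("GatewayId") in igw_ids
                   for t in (explicit or main) for r in t.get("Routes", []))

    public = [s["SubnetId"] for s in subnets
              if s.get("VpcId") == vpc_id and s.get("MapPublicIpOnLaunch")
              and routes_default_via_igw(s["SubnetId"])]
    if not public:
        problems.append("no subnet with auto-assign public IP and a 0.0.0.0/0 route to the IGW")
    return problems


def check_security_group(sg):
    """Return problems with the Altus security group, or [] if it matches the requirements."""
    sg_id, problems, self_all, ssh_cidrs = sg["GroupId"], [], False, set()
    for p in sg.get("IpPermissions", []):
        proto, lo, hi = p.get("IpProtocol"), p.get("FromPort", 0), p.get("ToPort", 65535)
        if proto == "-1" and any(u.get("GroupId") == sg_id for u in p.get("UserIdGroupPairs", [])):
            self_all = True
        if proto == "-1" or (proto == "tcp" and lo <= 22 <= hi):
            ssh_cidrs |= {r["CidrIp"] for r in p.get("IpRanges", [])}
    if not self_all:
        problems.append("missing self-referencing rule allowing all traffic from the group")
    allowed = [ipaddress.ip_network(c) for c in ssh_cidrs]
    missing = [s for s in sorted(ALTUS_SSH_SOURCES)
               if not any(ipaddress.ip_network(s).subnet_of(n) for n in allowed)]
    if missing:
        problems.append("SSH not allowed from Altus addresses: " + ", ".join(missing))
    if any(n.prefixlen == 0 for n in allowed):   # not forbidden by Altus, but a finding
        problems.append("SSH is open to the whole Internet (0.0.0.0/0)")
    egress_all = any(p.get("IpProtocol") == "-1"
                     and any(r.get("CidrIp") == "0.0.0.0/0" for r in p.get("IpRanges", []))
                     for p in sg.get("IpPermissionsEgress", []))
    if not egress_all:
        problems.append("outbound does not allow all traffic to all destinations")
    return problems


# Constructed sample data (not real AWS output): a compliant default-style VPC and group.
SAMPLE_VPC = {"VpcId": "vpc-0abc", "EnableDnsSupport": {"Value": True},
              "EnableDnsHostnames": {"Value": True}}
SAMPLE_IGWS = [{"InternetGatewayId": "igw-0abc", "Attachments": [{"VpcId": "vpc-0abc"}]}]
SAMPLE_RTS = [{"VpcId": "vpc-0abc", "Associations": [{"Main": True}],
               "Routes": [{"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
                          {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]}]
SAMPLE_SUBNETS = [{"SubnetId": "subnet-0abc", "VpcId": "vpc-0abc", "MapPublicIpOnLaunch": True}]
SAMPLE_SG = {"GroupId": "sg-0abc",
             "IpPermissions": [
                 {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0abc"}]},
                 {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                  "IpRanges": [{"CidrIp": c} for c in sorted(ALTUS_SSH_SOURCES)]
                              + [{"CidrIp": "203.0.113.0/24"}]}],   # your organization's range
             "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}

if __name__ == "__main__":
    print("VPC:", check_vpc(SAMPLE_VPC, SAMPLE_SUBNETS, SAMPLE_RTS, SAMPLE_IGWS) or "OK")
    print("SG:", check_security_group(SAMPLE_SG) or "OK")
```

To run it against your account, save each CLI result to a file, load the JSON, and pass the `Subnets`, `RouteTables`, `InternetGateways` and `SecurityGroups[0]` fields to the two functions.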

AWS Permissions

As an Altus administrator, you must be able to perform the following tasks in your AWS account:
  • Create policies and roles in IAM.
  • Perform administrative tasks in subnets, security groups, EC2, VPC, S3, and Security Token Service (STS).

AWS Administrator privileges provide all the permissions you need to create the resources for Altus.

If you are not a member of the Administrators group in your AWS account, you must have at least the following IAM permissions:
ec2:AssociateRouteTable
ec2:AttachInternetGateway
ec2:AuthorizeSecurityGroupIngress
ec2:CreateInternetGateway
ec2:CreateRoute
ec2:CreateRouteTable
ec2:CreateSecurityGroup
ec2:CreateSubnet
ec2:CreateVpc
ec2:CreateVpcEndpoint
ec2:CreateTags
ec2:DescribeAccountAttributes
ec2:DescribeAvailabilityZones
ec2:DescribeInternetGateways
ec2:DescribeRouteTables
ec2:DescribeSecurityGroups
ec2:DescribeSubnets
ec2:DescribeVpcEndpoints
ec2:DescribeVpcs
ec2:ModifySubnetAttribute
ec2:ModifyVpcAttribute
iam:AddRoleToInstanceProfile
iam:AttachRolePolicy
iam:CreateInstanceProfile
iam:CreateRole
iam:GetRole
iam:PassRole
iam:PutRolePolicy
s3:CreateBucket
s3:GetObject
s3:PutObject
Additionally, if you use the Environment Quickstart to create an Altus environment, you need the following CloudFormation permissions:
cloudformation:CreateStack
cloudformation:DescribeStacks
cloudformation:DescribeStackEvents

Cross-Account Access Role

To allow Altus to create clusters and run jobs in your account, you must grant Altus access to the resources in your account. You create a cross-account access role in your AWS account and grant Altus access to the role as a trusted principal. The policy you define for the cross-account access role must allow Altus to create and manage instances and perform other tasks required to create and manage clusters and run jobs.

The Altus environment stores information about the cross-account access role.

The policy for the cross-account access role must have the following permissions:
ec2:CancelSpotInstanceRequests
ec2:CreateTags
ec2:DescribeAvailabilityZones
ec2:DescribeImages
ec2:DescribeInstanceStatus
ec2:DescribeInstances
ec2:DescribeKeyPairs
ec2:DescribeNetworkAcls
ec2:DescribePlacementGroups
ec2:DescribeRegions
ec2:DescribeSecurityGroups
ec2:DescribeSpotInstanceRequests
ec2:DescribeSpotPriceHistory
ec2:DescribeSubnets
ec2:ImportKeyPair
ec2:RequestSpotInstances
ec2:RunInstances
ec2:TerminateInstances
iam:GetInstanceProfile
iam:PassRole
iam:SimulatePrincipalPolicy
s3:GetBucketLocation
sts:DecodeAuthorizationMessage
Depending on the functionality that you want to enable in Altus, you might need to include additional permissions in the cross-account access role.
  • To allow Altus to generate and delete a key pair for each cluster, include the following permission:
    ec2:DeleteKeyPair

    For more information about how Altus uses the DeleteKeyPair permission, see Key Pair Permissions on EC2.

  • To create secure clusters, you must include the following permissions:
    ec2:AttachVolume
    ec2:CreateVolume
    ec2:DeleteVolume
    ec2:DetachVolume
    ec2:DescribeVolumes
    ec2:DescribeSubnets
    ec2:ModifyInstanceAttribute
    
    Additionally, you must include the following permissions if you plan to provide your own AWS KMS key (a customer-managed key) to encrypt the EBS volumes in Altus clusters:
    kms:Encrypt
    kms:Decrypt
    kms:ReEncrypt*
    kms:GenerateDataKey*
    kms:Describe*
    kms:CreateGrant
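
The following script assembles the trust policy and the permission policy for the cross-account access role from the permission lists above, and includes a checker that reports which required actions a policy document does not grant. It is an added example, not Cloudera's code, and ALTUS_PRINCIPAL and EXTERNAL_ID are placeholders: take the real trusted principal and external ID from the Altus console when you create the environment. Requiring an sts:ExternalId on the trust policy, and restricting kms:CreateGrant with the kms:GrantIsForAWSResource condition, are hardening steps added here beyond what the page lists. The same `missing_actions` checker can be run against the administrator permissions listed under AWS Permissions.

```python
"""Build and check the Altus cross-account access role policy documents.
Added example (not Cloudera's code). The dicts it returns are what you pass to
`aws iam create-role --assume-role-policy-document` and
`aws iam put-role-policy --policy-document` (after json.dumps)."""
import fnmatch
import json

ALTUS_PRINCIPAL = "arn:aws:iam::111111111111:root"       # placeholder, not Cloudera's account
EXTERNAL_ID = "replace-with-the-external-id-shown-by-altus"  # placeholder

# Permission lists as given on the page.
BASE_ACTIONS = ["ec2:CancelSpotInstanceRequests", "ec2:CreateTags", "ec2:DescribeAvailabilityZones",
                "ec2:DescribeImages", "ec2:DescribeInstanceStatus", "ec2:DescribeInstances",
                "ec2:DescribeKeyPairs", "ec2:DescribeNetworkAcls", "ec2:DescribePlacementGroups",
                "ec2:DescribeRegions", "ec2:DescribeSecurityGroups", "ec2:DescribeSpotInstanceRequests",
                "ec2:DescribeSpotPriceHistory", "ec2:DescribeSubnets", "ec2:ImportKeyPair",
                "ec2:RequestSpotInstances", "ec2:RunInstances", "ec2:TerminateInstances",
                "iam:GetInstanceProfile", "iam:PassRole", "iam:SimulatePrincipalPolicy",
                "s3:GetBucketLocation", "sts:DecodeAuthorizationMessage"]
KEYPAIR_PER_CLUSTER_ACTIONS = ["ec2:DeleteKeyPair"]
SECURE_CLUSTER_ACTIONS = ["ec2:AttachVolume", "ec2:CreateVolume", "ec2:DeleteVolume",
                          "ec2:DetachVolume", "ec2:DescribeVolumes", "ec2:DescribeSubnets",
                          "ec2:ModifyInstanceAttribute"]
KMS_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*"]


def trust_policy(altus_principal=ALTUS_PRINCIPAL, external_id=EXTERNAL_ID):
    """Trust policy: only the Altus principal may assume the role, and only when it presents
    the agreed ExternalId (the standard guard against the confused-deputy problem)."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": altus_principal},
                           "Action": "sts:AssumeRole",
                           "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}


def permission_policy(key_pair_per_cluster=False, secure_clusters=False, kms_key_arn=None):
    """Permission policy for the role. EC2 actions are granted on Resource "*" because most of
    them are not resource-scoped; KMS actions are limited to the one key you supply."""
    actions = list(BASE_ACTIONS)
    if key_pair_per_cluster:
        actions += KEYPAIR_PER_CLUSTER_ACTIONS
    if secure_clusters:
        actions += SECURE_CLUSTER_ACTIONS
    statements = [{"Effect": "Allow", "Action": sorted(set(actions)), "Resource": "*"}]
    if kms_key_arn:
        statements.append({"Effect": "Allow", "Action": KMS_ACTIONS, "Resource": kms_key_arn})
        # CreateGrant only on behalf of an AWS service (EBS), not for arbitrary grantees.
        statements.append({"Effect": "Allow", "Action": "kms:CreateGrant", "Resource": kms_key_arn,
                           "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}})
    return {"Version": "2012-10-17", "Statement": statements}


def allowed_actions(policy):
    """Flatten the Allow statements of a policy document into a set of action patterns."""
    granted = set()
    for st in policy["Statement"]:
        if st.get("Effect") == "Allow":
            acts = st["Action"]
            granted.update([acts] if isinstance(acts, str) else acts)
    return granted


def missing_actions(policy, required):
    """Required actions that no Allow statement grants. IAM action names are matched
    case-insensitively and honour the '*' and '?' wildcards a statement may use."""
    granted = allowed_actions(policy)
    return sorted(a for a in required
                  if not any(fnmatch.fnmatchcase(a.lower(), g.lower()) for g in granted))


if __name__ == "__main__":
    role_policy = permission_policy(key_pair_per_cluster=True, secure_clusters=True,
                                    kms_key_arn="arn:aws:kms:us-west-2:123456789012:key/example")
    print(json.dumps(trust_policy(), indent=2))
    print(json.dumps(role_policy, indent=2))
    print("missing:", missing_actions(role_policy, BASE_ACTIONS + SECURE_CLUSTER_ACTIONS))
```

After the role exists, pull its inline policy back with `aws iam get-role-policy` and run `missing_actions` on the returned document to confirm nothing was dropped during copy and paste.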

Key Pair Permissions on EC2

EC2 uses a public and private key pair for SSH access to an instance. When Altus creates a cluster in your AWS account, Altus creates a key pair for the cluster, based on the EC2 key pair permissions that you provide in the cross-account access role.

Altus requires that you provide the ImportKeyPair permission in the cross-account access role to allow Altus to create and register keys for Altus clusters. The method that Altus uses to create the keys depends on whether you provide Altus with DeleteKeyPair permission in the cross-account access role.

Altus uses one of the following methods to create key pairs for your Altus clusters:
  • If you provide Altus with the EC2 DeleteKeyPair permissions:

    Altus generates a key pair for each Altus cluster that it creates in your AWS account. Altus registers the key pair in the AWS region where it creates the cluster and deletes the keys when the cluster is terminated.

    Because Altus creates a key pair for each cluster, only one cluster is affected if a key pair is compromised. Note that the DeleteKeyPair permission is granted here without a resource restriction and therefore applies to all key pairs in the AWS account. Granting Altus the DeleteKeyPair permission means that you give Altus permission to delete any key pair in your AWS account.

    To have Altus generate a key pair for every cluster it creates in your AWS account, include the ec2:ImportKeyPair and ec2:DeleteKeyPair permissions in the cross-account access role that you create for Altus.

  • If you do not provide Altus with the EC2 DeleteKeyPair permissions:

    When you create a cluster, Altus determines whether it is the first cluster to be created in the region for your AWS account. If no key pair exists for the combination of Altus account, AWS account, and region, Altus generates a key pair and registers the key pair in the region. It uses the same key pair for all subsequent clusters it creates for the same Altus account and in the same AWS account and region. When clusters are terminated, Altus does not delete the keys.

    Because Altus creates one key pair for a region, all clusters in the region are affected if the key is compromised. Note that, without the DeleteKeyPair permission, Altus cannot delete the key pair from your account. When you stop using the AWS account for Altus clusters, you can delete the key pair from your account. The name of the key pair that Altus creates has the prefix CLOUDERA.

Supported AWS Regions

Cloudera Altus supports the following AWS regions:
Region          Location
us-east-1       US East (N. Virginia)
us-east-2       US East (Ohio)
us-west-1       US West (N. California)
us-west-2       US West (Oregon)
ap-south-1      Asia Pacific (Mumbai)
ap-northeast-1  Asia Pacific (Tokyo)
ap-northeast-2  Asia Pacific (Seoul)
ap-southeast-1  Asia Pacific (Singapore)
ap-southeast-2  Asia Pacific (Sydney)
ca-central-1    Canada (Central)
eu-central-1    EU (Frankfurt)
eu-west-1       EU (Ireland)
eu-west-2       EU (London)
sa-east-1       South America (São Paulo)

AWS Limits

When you create your AWS account, AWS sets limits to the resources available to you. The limits can vary by region. To view the limit set by Amazon for your account, log in to AWS and go to EC2 > Limits.

The EC2 Service Limits page lists the limits to the EC2 resources available to you in the selected region, including limits to the number of instances and dedicated hosts.

The Networking Limits section on the page lists the VPC, subnet, and security group limits for your AWS account.

If you require more resources than the limit set by Amazon, you can request Amazon to raise the limit of a resource. On the EC2 Service Limits page, click Request limit increase for the resource that you want to increase and create an AWS support case for a Service Limit Increase.