AWS Account Requirements
Verify that your AWS account has resources and services configured to meet Altus requirements and the Altus administrator has adequate permissions to configure the resources and services in AWS.
AWS Resources and Services
- EC2 Instances
- Regions and availability zones
- Security group
Altus supports EC2-VPCs.
You can use an existing AWS account or create an AWS account for Altus workloads. If you use an existing account created after December 4, 2013, you can use the default VPC provided with the AWS account. The default VPC is an EC2-VPC. For more information, see the AWS documentation about the default VPC.
If you use an existing account created before December 4, 2013, use EC2-VPC, not EC2-Classic.The VPC must have the following configuration:
- Connected to an Internet gateway.
- Has at least one public subnet configured with auto-assigned public IPs, and the subnet routes default traffic through the Internet gateway.
- Has Amazon-managed DNS turned on: DNS resolution and DNS hostnames are set to true.
Verify the limits of the VPC and subnets available in your AWS account to ensure that you have enough resources to create clusters in Altus. For more information about VPC limits, see AWS Limits.
- EC2 Instances
If you use the default VPC provided with the AWS account, the VPC is limited to 20 EC2 instances. If you require a larger number of instances, you can contact Amazon to request an increase in your instance limit.
Verify the limits of the EC2 instances in your AWS account to ensure that you are able to create clusters in Altus. For more information about VPC limits, see AWS Limits.
Altus supports the c4, m4, r4 and the c5, m5, r5 instance types.
- Regions and Availability Zones
You can deploy clusters in any AWS region that Altus supports. Typically, you deploy clusters into the same region that contains the S3 buckets that you want to access for input and output data.
For more information about the AWS regions supported by Altus, see Supported AWS Regions.
- Security Group
You must configure the security group to allow outbound traffic to all destinations.
Verify the security group limits in your AWS account to ensure that you can configure security groups for Altus. For more information about security group limits, see AWS Limits.
To connect to an Altus Data Engineering or Data Warehouse cluster through SSH, you must also configure the security group inbound rules to allow SSH access from the IP address of your machine or a range of IP addresses used by your organization. For more information, see SSH Connection in AWS.
- Create policies and roles in IAM.
- Perform administrative tasks in subnets, security groups, EC2, VPC, S3, and Security Token Service (STS).
AWS Administrator privileges provides all the permissions you need to create the resources for Altus.
ec2:AssociateRouteTable ec2:AttachInternetGateway ec2:AuthorizeSecurityGroupIngress ec2:CreateInternetGateway ec2:CreateRoute ec2:CreateRouteTable ec2:CreateSecurityGroup ec2:CreateSubnet ec2:CreateVpc ec2:CreateVpcEndpoint ec2:CreateTags ec2:DescribeAccountAttributes ec2:DescribeAvailabilityZones ec2:DescribeInternetGateways ec2:DescribeRouteTables ec2:DescribeSecurityGroups ec2:DescribeSubnets ec2:DescribeVpcEndpoints ec2:DescribeVpcs ec2:ModifySubnetAttribute ec2:ModifyVpcAttribute iam:AddRoleToInstanceProfile iam:AttachRolePolicy iam:CreateInstanceProfile iam:CreateRole iam:GetRole iam:PassRole iam:PutRolePolicy s3:CreateBucket s3:GetObject s3:PutObject
cloudformation:CreateStack cloudformation:DescribeStacks cloudformation:DescribeStackEvents
Cross-Account Access Role
To allow Altus to create clusters and run jobs in your account, you must grant Altus access to the resources in your account. You create a cross-account access role in your AWS account and grant Altus access to the role as a trusted principal. The policy you define for the cross-account access role must allow Altus to create and manage instances and perform other tasks required to create and manage clusters and run jobs.
The Altus environment stores information about the cross-account access role.
ec2:CancelSpotInstanceRequests ec2:CreateTags ec2:DescribeAvailabilityZones ec2:DescribeImages ec2:DescribeInstanceStatus ec2:DescribeInstances ec2:DescribeKeyPairs ec2:DescribeNetworkAcls ec2:DescribePlacementGroups ec2:DescribeRegions ec2:DescribeSecurityGroups ec2:DescribeSpotInstanceRequests ec2:DescribeSpotPriceHistory ec2:DescribeSubnets ec2:ImportKeyPair ec2:RequestSpotInstances ec2:RunInstances ec2:TerminateInstances iam:GetInstanceProfile iam:PassRole iam:SimulatePrincipalPolicy s3:GetBucketLocation sts:DecodeAuthorizationMessage
- To allow Altus to generate and delete a key pair for each cluster, include the following permission:
For more information about how Altus uses the DeleteKeyPair permission, see Key Pair Permissions on EC2.
- To create secure clusters, you must include the following permissions:
ec2:AttachVolume ec2:CreateVolume ec2:DeleteVolume ec2:DetachVolume ec2:DescribeVolumes ec2:DescribeSubnets ec2:ModifyInstanceAttributeAdditionally, you must include the following permissions if you plan to provide the AWS KMS key to encrypt the EBS volumes in Altus clusters:
kms:Encrypt kms:Decrypt kms:ReEncrypt* kms:GenerateDataKey* kms:Describe* kms:CreateGrant
Key Pair Permissions on EC2
AWS requires a public and private key pair for secure access to an EC2 instance. When Altus creates a cluster in your AWS account, Altus creates a key pair for the cluster, based on the EC2 key pair permissions that you provide in the cross-account access role.
Altus requires that you provide the ImportKeyPair permission in the cross-account access role to allow Altus to create and register keys for Altus clusters. The method that Altus uses to create the keys depends on whether you provide Altus with DeleteKeyPair permission in the cross-account access role.
- If you provide Altus with the EC2 DeleteKeyPair permissions:
Altus generates a key pair for each Altus cluster that it creates in your AWS account. Altus registers the key pair in the AWS region where it creates the cluster and deletes the keys when the cluster is terminated.
Because Altus creates a key pair for each cluster, only one cluster is affected if a key pair is compromised. Note that the DeleteKeyPair permission is not a resource level permission. The DeleteKeyPair permission applies to all key pairs in the AWS account. Granting Altus the DeleteKeyPair permission means that you give Altus permission to delete any key pair your AWS account.
To have Altus generate a key pair for every cluster it creates in your AWS account, include the ec2:ImportKeyPair and ec2:DeleteKeyPair permissions in the cross-account access role that you create for Altus.
- If you do not provide Altus with the EC2 DeleteKeyPair permissions:
When you create a cluster, Altus determines whether it is the first cluster to be created in the region for your AWS account. If no key pair exists for the combination of Altus account, AWS account, and region, Altus generates a key pair and registers the key pair in the region. It uses the same key pair for all subsequent clusters it creates for the same Altus account and in the same AWS account and region. When clusters are terminated, Altus does not delete the keys.
Because Altus creates one key pair for a region, all clusters in the region are affected if the key is compromised. Note that, without the DeleteKeyPair permission, Altus cannot delete the key pair from your account. When you stop using the AWS account for Altus clusters, you can delete the key pair from your account. The name of the key pair that Altus creates has the prefix CLOUDERA.
Supported AWS Regions
|us-east-1||US East (N. Virginia) Region|
|us-east-2||US East (Ohio) Region|
|us-west-1||US West (N. California) Region|
|us-west-2||US West (Oregon) Region|
|ap-south-1||Asia Pacific (Mumbai) Region|
|ap-northeast-1||Asia Pacific (Tokyo) Region|
|ap-northeast-2||Asia Pacific (Seoul) Region|
|ap-southeast-1||Asia Pacific (Singapore) Region|
|ap-southeast-2||Asia Pacific (Sydney) Region|
|ca-central-1||Canada (Central) Region|
|eu-central-1||EU (Frankfurt) Region|
|eu-west-1||EU (Ireland) Region|
|eu-west-2||EU (London) Region|
|sa-east-1||South America (São Paolo) Region|
When you create your AWS account, AWS sets limits to the resources available to you. The limits can vary by region. To view the limit set by Amazon for your account, log in to AWS and go to.
The EC2 Service Limits page lists the limits to the resources available to you in your EC2 instance, including limits to the number of instances and hosts.
The Networking Limits section on the page lists the VPC, subnet, and security group limits for your AWS account.
If you require more resources than the limit set by Amazon, you can request Amazon to raise the limit of a resource. On the EC2 Service Limits page, click Request limit increase for the resource that you want to increase and create an AWS support case for a Service Limit Increase.