The Hub integrates with several Amazon Web Services API's to provide utility, such as deploying cloud servers and seamless backup integration on your behalf. For this, authorization is required.
The most secure way of authorizing a 3rd party app like the Hub to provide you with services on Amazon's cloud is via AWS Identity and Access Management (IAM) roles with limited permissions. The Hub does not need long-living API keys (such as root or IAM user API keys), and we do not recommend sharing said keys with 3rd parties. Instead, the Hub uses the AWS Secure Token Service to attain temporary, limited access to perform its job.
Additionally, we recommend enabling AWS CloudTrail, which logs all API calls that use your account credentials. This would allow identification of actions the Hub performs on your behalf.
If you're unfamiliar with the above jargon, not to worry, the Hub will walk you through the process.
Users who registered their Amazon Account prior to the Hub supporting IAM can migrate here.
Denying the Hub access to certain resources
If you have AWS resources such as instances, volumes or snapshots not
created or managed via the Hub, and would like to keep it that way, we'll
show you how.
By applying the following add-on policy to the turnkeyhub role,
you'll be able to deny access to any resource by just tagging it.
What this does is deny the role access to any EC2 resource that is tagged
with turnkeyhub=no, as well as deny access to DeleteTags/CreateTags,
which would essentially allow bypassing the tag restriction.
How to increase AWS limits
Amazon impose initial limits on several of its resources in order to
discourage inappropriate consumption. Although each AWS account has several
default resource limitations, you can request an increase or removal of
Amazon periodically lowers pricing. There's no API for that so when it
happens we have to update the Hub by hand. If there is a pricing discrepancy,
the price on Amazon's web site is what you will be billed.
When clicking Try the demo, a new user is created and fleshed out
simulating a real user account. The difference though, is that all API calls
to Amazon are routed to our dummy implementation of Amazon's API.
This means, all servers and assets are fake and don't exist in
As much as we'd like to provide a real live experience of the Hub linked
to a real Amazon account, the costs involved would be above our budget.
Instead, the Hub provides free plans for
both Cloud deployment and Backup and Migration allowing you to try before you