Simon_Macpherso
Advisor

AWS IAM User Account Permissions

Hello,

What are the minimum AWS IAM user account permissions required for deploying a single gateway and cluster via Terraform?

Regards,

Simon

Roman_Kats
Employee

Hello Simon,
While we are working to prepare the detailed minimum required permissions for an IAM user, in general there should be:

For Gateway:
1. Read + Write permissions for EC2
2. Read + Write permissions for VPC
3. Read permissions for S3

For Cluster:
1. Read + Write permissions for EC2
2. Read + Write permissions for VPC
3. Read + Write permissions for IAM
4. Read permissions for S3

Simon_Macpherso
Advisor

Hi @Roman_Kats

Once created, can you please post the location of the reference document where the minimum required permissions for an IAM user will be outlined.

Regards,

Simon
Roman_Kats
Employee

@Simon_Macpherso 
Yes, I will

Simon_Macpherso
Advisor

@Roman_Kats Any update? 

yizhako
Employee

Hello Simon,

Apologies for the delayed response.

The minimum AWS IAM user account permissions required for deploying a single gateway and cluster using Terraform are (attached are the Permissions policies JSON files for each deployment):

Template: cluster-master
Permissions:
ec2:DescribeTags
ec2:ReleaseAddress
ec2:DescribeInstanceAttribute
ec2:DeleteSecurityGroup
ec2:DescribeInstances
ec2:DescribeVpcs
ec2:DescribeRouteTables
ec2:CreateLocalGatewayRouteTable
ec2:TerminateInstances
ec2:CreateTags
ec2:DescribeVolumes
ec2:ModifyNetworkInterfaceAttribute
ec2:DetachInternetGateway
ec2:DisassociateAddress
ec2:CreateInternetGateway
ec2:DeleteVpc
ec2:DeleteInternetGateway
ec2:AttachInternetGateway
ec2:DescribeInternetGateways
ec2:ModifySubnetAttribute
ec2:RevokeSecurityGroupEgress
ec2:DeleteNetworkInterface
ec2:DescribeInstanceTypes
ec2:DescribeVpcClassicLinkDnsSupport
ec2:RunInstances
ec2:DeleteRouteTable
ec2:DeleteSubnet
ec2:ModifyVpcAttribute
ec2:AssociateRouteTable
ec2:DescribeAvailabilityZones
ec2:AuthorizeSecurityGroupIngress
ec2:CreateRoute
ec2:AssociateAddress
ec2:DescribeSubnets
ec2:DescribeVpcClassicLink
ec2:CreateSubnet
ec2:DetachNetworkInterface
ec2:CreateSecurityGroup
ec2:DescribeAddresses
ec2:DescribeVpcAttribute
ec2:DisassociateRouteTable
ec2:DescribeSecurityGroups
ec2:DescribeRegions
ec2:DeleteRoute
ec2:DescribeKeyPairs
ec2:DescribeNetworkAcls
ec2:AttachNetworkInterface
ec2:CreateNetworkInterface
ec2:AuthorizeSecurityGroupEgress
ec2:CreateVpc
ec2:AllocateAddress
ec2:CreateRouteTable
ec2:DescribeAccountAttributes
ec2:DescribeNetworkInterfaces
cloudformation:DescribeStacks
cloudformation:DeleteStack
cloudformation:ValidateTemplate
cloudformation:CreateStack
cloudformation:ListStackResources
iam:ListInstanceProfilesForRole
iam:AttachRolePolicy
iam:DeletePolicy
iam:DetachRolePolicy
iam:GetPolicy
iam:DeleteRole
iam:GetInstanceProfile
iam:ListRolePolicies
iam:CreatePolicy
iam:PutRolePolicy
iam:CreateRole
iam:CreateInstanceProfile
iam:GetPolicyVersion
iam:DeleteInstanceProfile
iam:GetRole
iam:DeleteRolePolicy
iam:PassRole
iam:AddRoleToInstanceProfile
iam:ListAttachedRolePolicies
iam:ListPolicyVersions
iam:RemoveRoleFromInstanceProfile

Template: cluster
Permissions:
ec2:DisassociateRouteTable
ec2:CreateTags
ec2:DeleteSecurityGroup
ec2:ModifyNetworkInterfaceAttribute
ec2:DescribeVpcs
ec2:AssociateRouteTable
ec2:DeleteNetworkInterface
ec2:DeleteRoute
ec2:RevokeSecurityGroupEgress
ec2:AssociateAddress
ec2:AllocateAddress
ec2:AuthorizeSecurityGroupIngress
ec2:DisassociateAddress
ec2:DescribeVolumes
ec2:DescribeInstances
ec2:DescribeAddresses
ec2:DescribeInstanceAttribute
ec2:AuthorizeSecurityGroupEgress
ec2:CreateRoute
ec2:DescribeTags
ec2:DescribeKeyPairs
ec2:DetachNetworkInterface
ec2:DescribeInstanceTypes
ec2:CreateSecurityGroup
ec2:ReleaseAddress
ec2:RunInstances
ec2:DescribeRouteTables
ec2:DescribeSecurityGroups
ec2:CreateNetworkInterface
ec2:DescribeNetworkInterfaces
ec2:TerminateInstances
ec2:DescribeSubnets
iam:ListAttachedRolePolicies
iam:AddRoleToInstanceProfile
iam:DeleteInstanceProfile
iam:CreateRole
iam:CreatePolicy
iam:GetRole
iam:GetInstanceProfile
iam:DeletePolicy
iam:ListRolePolicies
iam:DeleteRole
iam:ListPolicyVersions
iam:PutRolePolicy
iam:DetachRolePolicy
iam:DeleteRolePolicy
iam:CreateInstanceProfile
iam:GetPolicyVersion
iam:AttachRolePolicy
iam:RemoveRoleFromInstanceProfile
iam:ListInstanceProfilesForRole
iam:GetPolicy
iam:PassRole
cloudformation:ListStackResources
cloudformation:CreateStack
cloudformation:DescribeStacks
cloudformation:DeleteStack
cloudformation:ValidateTemplate

Template: gateway-master
Permissions:
ec2:DisassociateRouteTable
ec2:CreateTags
ec2:CreateSubnet
ec2:DeleteSecurityGroup
ec2:ModifyNetworkInterfaceAttribute
ec2:AssociateRouteTable
ec2:AttachInternetGateway
ec2:DescribeVpcs
ec2:CreateInternetGateway
ec2:DeleteNetworkInterface
ec2:DeleteRoute
ec2:CreateLocalGatewayRouteTable
ec2:RevokeSecurityGroupEgress
ec2:AssociateAddress
ec2:DescribeNetworkAcls
ec2:AllocateAddress
ec2:AuthorizeSecurityGroupIngress
ec2:DeleteVpc
ec2:DisassociateAddress
ec2:DescribeAvailabilityZones
ec2:DescribeVolumes
ec2:DescribeInstances
ec2:DescribeAddresses
ec2:DescribeInternetGateways
ec2:DescribeInstanceAttribute
ec2:CreateVpc
ec2:DeleteVolume
ec2:AuthorizeSecurityGroupEgress
ec2:ModifyVpcAttribute
ec2:CreateRoute
ec2:DescribeTags
ec2:AttachNetworkInterface
ec2:DescribeRegions
ec2:DescribeKeyPairs
ec2:DeleteSubnet
ec2:DetachNetworkInterface
ec2:DescribeInstanceTypes
ec2:DescribeVpcClassicLinkDnsSupport
ec2:DescribeAccountAttributes
ec2:DeleteRouteTable
ec2:CreateSecurityGroup
ec2:ReleaseAddress
ec2:RunInstances
ec2:DescribeVpcClassicLink
ec2:CreateRouteTable
ec2:DescribeRouteTables
ec2:DescribeSecurityGroups
ec2:DetachInternetGateway
ec2:CreateNetworkInterface
ec2:DeleteInternetGateway
ec2:DescribeNetworkInterfaces
ec2:DescribeVpcAttribute
ec2:TerminateInstances
ec2:DescribeSubnets
ec2:ModifySubnetAttribute
iam:AddRoleToInstanceProfile
iam:DeleteInstanceProfile
iam:CreateRole
iam:GetRole
iam:DeleteRole
iam:PutRolePolicy
iam:DeleteRolePolicy
iam:CreateInstanceProfile
iam:RemoveRoleFromInstanceProfile
cloudformation:ListStackResources
cloudformation:CreateStack
cloudformation:DescribeStacks
cloudformation:DeleteStack
cloudformation:ValidateTemplate

Template: gateway
Permissions:
ec2:CreateTags
ec2:DeleteSecurityGroup
ec2:ModifyNetworkInterfaceAttribute
ec2:DescribeVpcs
ec2:DeleteNetworkInterface
ec2:DeleteRoute
ec2:RevokeSecurityGroupEgress
ec2:AssociateAddress
ec2:AllocateAddress
ec2:AuthorizeSecurityGroupIngress
ec2:DisassociateAddress
ec2:DescribeVolumes
ec2:DescribeInstances
ec2:DescribeAddresses
ec2:DescribeInstanceAttribute
ec2:AuthorizeSecurityGroupEgress
ec2:CreateRoute
ec2:DescribeTags
ec2:DescribeKeyPairs
ec2:DetachNetworkInterface
ec2:DescribeInstanceTypes
ec2:CreateSecurityGroup
ec2:ReleaseAddress
ec2:RunInstances
ec2:DescribeRouteTables
ec2:DescribeSecurityGroups
ec2:CreateNetworkInterface
ec2:DescribeNetworkInterfaces
ec2:TerminateInstances
ec2:DescribeSubnets
iam:AddRoleToInstanceProfile
iam:DeleteInstanceProfile
iam:CreateRole
iam:DeleteRole
iam:PutRolePolicy
iam:DeleteRolePolicy
iam:CreateInstanceProfile
iam:RemoveRoleFromInstanceProfile
cloudformation:ListStackResources
cloudformation:CreateStack
cloudformation:DescribeStacks
cloudformation:DeleteStack
cloudformation:ValidateTemplate

Regards,

Yizhak O.
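The "gateway" action list above rendered as a least-privilege identity policy, as an added example that is not the attached JSON files from the post and not Check Point's code. It assumes a placeholder account id and a role/instance-profile naming prefix (cp-terraform-*), neither of which the post gives; the build_policy and missing_actions helpers are mine.

```python
import json
from collections import defaultdict

# The "gateway" template's action list, transcribed from the post above (the attachments are not on the page).
GATEWAY_ACTIONS = [
    "ec2:CreateTags", "ec2:DeleteSecurityGroup", "ec2:ModifyNetworkInterfaceAttribute",
    "ec2:DescribeVpcs", "ec2:DeleteNetworkInterface", "ec2:DeleteRoute",
    "ec2:RevokeSecurityGroupEgress", "ec2:AssociateAddress", "ec2:AllocateAddress",
    "ec2:AuthorizeSecurityGroupIngress", "ec2:DisassociateAddress", "ec2:DescribeVolumes",
    "ec2:DescribeInstances", "ec2:DescribeAddresses", "ec2:DescribeInstanceAttribute",
    "ec2:AuthorizeSecurityGroupEgress", "ec2:CreateRoute", "ec2:DescribeTags",
    "ec2:DescribeKeyPairs", "ec2:DetachNetworkInterface", "ec2:DescribeInstanceTypes",
    "ec2:CreateSecurityGroup", "ec2:ReleaseAddress", "ec2:RunInstances",
    "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:CreateNetworkInterface",
    "ec2:DescribeNetworkInterfaces", "ec2:TerminateInstances", "ec2:DescribeSubnets",
    "iam:AddRoleToInstanceProfile", "iam:DeleteInstanceProfile", "iam:CreateRole",
    "iam:DeleteRole", "iam:PutRolePolicy", "iam:DeleteRolePolicy",
    "iam:CreateInstanceProfile", "iam:RemoveRoleFromInstanceProfile",
    "cloudformation:ListStackResources", "cloudformation:CreateStack",
    "cloudformation:DescribeStacks", "cloudformation:DeleteStack", "cloudformation:ValidateTemplate",
]

def build_policy(actions, account_id="123456789012", name_prefix="cp-terraform-*"):
    """One Allow statement per service. ec2/cloudformation keep Resource "*" (the templates create
    those resources); every iam: action is pinned to role and instance-profile ARNs under an assumed
    naming prefix, so the deployer cannot touch roles it did not create. Both arguments are placeholders."""
    by_service = defaultdict(set)
    for action in actions:
        by_service[action.partition(":")[0]].add(action)
    iam_resources = [
        f"arn:aws:iam::{account_id}:role/{name_prefix}",
        f"arn:aws:iam::{account_id}:instance-profile/{name_prefix}",
    ]
    statements = [
        {
            "Sid": f"{service.capitalize()}Deploy",
            "Effect": "Allow",
            "Action": sorted(by_service[service]),
            "Resource": iam_resources if service == "iam" else "*",
        }
        for service in sorted(by_service)
    ]
    return {"Version": "2012-10-17", "Statement": statements}

def missing_actions(granted, required=GATEWAY_ACTIONS):
    """Actions from the post's list that an identity still lacks (exact names only, no wildcard matching)."""
    return sorted(set(required) - set(granted))

if __name__ == "__main__":
    print(json.dumps(build_policy(GATEWAY_ACTIONS), indent=2))
```

The cluster lists add iam:PassRole, which the iam statement pins to the same role ARNs, but also policy-management actions such as iam:CreatePolicy and iam:GetPolicyVersion whose resource is a policy ARN, so those need a separate statement before this helper fits them.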

 

 

Simon_Macpherso
Advisor

Thanks Yizhak O.
