AWS IAM User Account Permissions
Hello,
What are the minimum AWS IAM user account permissions required for deploying a single gateway and cluster via Terraform?
Regards,
Simon
Accepted Solutions
Hello Simon,
While we are working to prepare the detailed minimum required permissions for an IAM user, in general there should be:
For Gateway:
1. Read + Write permissions for EC2
2. Read + Write permissions for VPC
3. Read permissions for S3
For Cluster:
1. Read + Write permissions for EC2
2. Read + Write permissions for VPC
3. Read + Write permissions for IAM
4. Read permissions for S3
Hi @Roman_Kats
Once created, can you please post the location of the reference document where the minimum required permissions for an IAM user will be outlined.
Regards,
Simon
@Simon_Macpherso
Yes, I will.
@Roman_Kats Any update?
Hello Simon,
Apologies for the delayed response.
The minimum AWS IAM user account permissions required for deploying a single gateway and cluster using Terraform are (attached are the Permissions policies JSON files for each deployment):
| Template | Permissions |
| --- | --- |
| cluster-master | ec2:DescribeTags ec2:ReleaseAddress ec2:DescribeInstanceAttribute ec2:DeleteSecurityGroup ec2:DescribeInstances ec2:DescribeVpcs ec2:DescribeRouteTables ec2:CreateLocalGatewayRouteTable ec2:TerminateInstances ec2:CreateTags ec2:DescribeVolumes ec2:ModifyNetworkInterfaceAttribute ec2:DetachInternetGateway ec2:DisassociateAddress ec2:CreateInternetGateway ec2:DeleteVpc ec2:DeleteInternetGateway ec2:AttachInternetGateway ec2:DescribeInternetGateways ec2:ModifySubnetAttribute ec2:RevokeSecurityGroupEgress ec2:DeleteNetworkInterface ec2:DescribeInstanceTypes ec2:DescribeVpcClassicLinkDnsSupport ec2:RunInstances ec2:DeleteRouteTable ec2:DeleteSubnet ec2:ModifyVpcAttribute ec2:AssociateRouteTable ec2:DescribeAvailabilityZones ec2:AuthorizeSecurityGroupIngress ec2:CreateRoute ec2:AssociateAddress ec2:DescribeSubnets ec2:DescribeVpcClassicLink ec2:CreateSubnet ec2:DetachNetworkInterface ec2:CreateSecurityGroup ec2:DescribeAddresses ec2:DescribeVpcAttribute ec2:DisassociateRouteTable ec2:DescribeSecurityGroups ec2:DescribeRegions ec2:DeleteRoute ec2:DescribeKeyPairs ec2:DescribeNetworkAcls ec2:AttachNetworkInterface ec2:CreateNetworkInterface ec2:AuthorizeSecurityGroupEgress ec2:CreateVpc ec2:AllocateAddress ec2:CreateRouteTable ec2:DescribeAccountAttributes ec2:DescribeNetworkInterfaces cloudformation:DescribeStacks cloudformation:DeleteStack cloudformation:ValidateTemplate cloudformation:CreateStack cloudformation:ListStackResources iam:ListInstanceProfilesForRole iam:AttachRolePolicy iam:DeletePolicy iam:DetachRolePolicy iam:GetPolicy iam:DeleteRole iam:GetInstanceProfile iam:ListRolePolicies iam:CreatePolicy iam:PutRolePolicy iam:CreateRole iam:CreateInstanceProfile iam:GetPolicyVersion iam:DeleteInstanceProfile iam:GetRole iam:DeleteRolePolicy iam:PassRole iam:AddRoleToInstanceProfile iam:ListAttachedRolePolicies iam:ListPolicyVersions iam:RemoveRoleFromInstanceProfile |
| cluster | ec2:DisassociateRouteTable ec2:CreateTags ec2:DeleteSecurityGroup ec2:ModifyNetworkInterfaceAttribute ec2:DescribeVpcs ec2:AssociateRouteTable ec2:DeleteNetworkInterface ec2:DeleteRoute ec2:RevokeSecurityGroupEgress ec2:AssociateAddress ec2:AllocateAddress ec2:AuthorizeSecurityGroupIngress ec2:DisassociateAddress ec2:DescribeVolumes ec2:DescribeInstances ec2:DescribeAddresses ec2:DescribeInstanceAttribute ec2:AuthorizeSecurityGroupEgress ec2:CreateRoute ec2:DescribeTags ec2:DescribeKeyPairs ec2:DetachNetworkInterface ec2:DescribeInstanceTypes ec2:CreateSecurityGroup ec2:ReleaseAddress ec2:RunInstances ec2:DescribeRouteTables ec2:DescribeSecurityGroups ec2:CreateNetworkInterface ec2:DescribeNetworkInterfaces ec2:TerminateInstances ec2:DescribeSubnets iam:ListAttachedRolePolicies iam:AddRoleToInstanceProfile iam:DeleteInstanceProfile iam:CreateRole iam:CreatePolicy iam:GetRole iam:GetInstanceProfile iam:DeletePolicy iam:ListRolePolicies iam:DeleteRole iam:ListPolicyVersions iam:PutRolePolicy iam:DetachRolePolicy iam:DeleteRolePolicy iam:CreateInstanceProfile iam:GetPolicyVersion iam:AttachRolePolicy iam:RemoveRoleFromInstanceProfile iam:ListInstanceProfilesForRole iam:GetPolicy iam:PassRole cloudformation:ListStackResources cloudformation:CreateStack cloudformation:DescribeStacks cloudformation:DeleteStack cloudformation:ValidateTemplate |
| gateway-master | ec2:DisassociateRouteTable ec2:CreateTags ec2:CreateSubnet ec2:DeleteSecurityGroup ec2:ModifyNetworkInterfaceAttribute ec2:AssociateRouteTable ec2:AttachInternetGateway ec2:DescribeVpcs ec2:CreateInternetGateway ec2:DeleteNetworkInterface ec2:DeleteRoute ec2:CreateLocalGatewayRouteTable ec2:RevokeSecurityGroupEgress ec2:AssociateAddress ec2:DescribeNetworkAcls ec2:AllocateAddress ec2:AuthorizeSecurityGroupIngress ec2:DeleteVpc ec2:DisassociateAddress ec2:DescribeAvailabilityZones ec2:DescribeVolumes ec2:DescribeInstances ec2:DescribeAddresses ec2:DescribeInternetGateways ec2:DescribeInstanceAttribute ec2:CreateVpc ec2:DeleteVolume ec2:AuthorizeSecurityGroupEgress ec2:ModifyVpcAttribute ec2:CreateRoute ec2:DescribeTags ec2:AttachNetworkInterface ec2:DescribeRegions ec2:DescribeKeyPairs ec2:DeleteSubnet ec2:DetachNetworkInterface ec2:DescribeInstanceTypes ec2:DescribeVpcClassicLinkDnsSupport ec2:DescribeAccountAttributes ec2:DeleteRouteTable ec2:CreateSecurityGroup ec2:ReleaseAddress ec2:RunInstances ec2:DescribeVpcClassicLink ec2:CreateRouteTable ec2:DescribeRouteTables ec2:DescribeSecurityGroups ec2:DetachInternetGateway ec2:CreateNetworkInterface ec2:DeleteInternetGateway ec2:DescribeNetworkInterfaces ec2:DescribeVpcAttribute ec2:TerminateInstances ec2:DescribeSubnets ec2:ModifySubnetAttribute iam:AddRoleToInstanceProfile iam:DeleteInstanceProfile iam:CreateRole iam:GetRole iam:DeleteRole iam:PutRolePolicy iam:DeleteRolePolicy iam:CreateInstanceProfile iam:RemoveRoleFromInstanceProfile cloudformation:ListStackResources cloudformation:CreateStack cloudformation:DescribeStacks cloudformation:DeleteStack cloudformation:ValidateTemplate |
| gateway | ec2:CreateTags ec2:DeleteSecurityGroup ec2:ModifyNetworkInterfaceAttribute ec2:DescribeVpcs ec2:DeleteNetworkInterface ec2:DeleteRoute ec2:RevokeSecurityGroupEgress ec2:AssociateAddress ec2:AllocateAddress ec2:AuthorizeSecurityGroupIngress ec2:DisassociateAddress ec2:DescribeVolumes ec2:DescribeInstances ec2:DescribeAddresses ec2:DescribeInstanceAttribute ec2:AuthorizeSecurityGroupEgress ec2:CreateRoute ec2:DescribeTags ec2:DescribeKeyPairs ec2:DetachNetworkInterface ec2:DescribeInstanceTypes ec2:CreateSecurityGroup ec2:ReleaseAddress ec2:RunInstances ec2:DescribeRouteTables ec2:DescribeSecurityGroups ec2:CreateNetworkInterface ec2:DescribeNetworkInterfaces ec2:TerminateInstances ec2:DescribeSubnets iam:AddRoleToInstanceProfile iam:DeleteInstanceProfile iam:CreateRole iam:DeleteRole iam:PutRolePolicy iam:DeleteRolePolicy iam:CreateInstanceProfile iam:RemoveRoleFromInstanceProfile cloudformation:ListStackResources cloudformation:CreateStack cloudformation:DescribeStacks cloudformation:DeleteStack cloudformation:ValidateTemplate |
Regards,
Yizhak O.
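The two answers above give the permissions first as coarse per-service read/write categories and then as an explicit action list per template. The script below is an added example, not part of the thread and not Check Point's code: it takes the gateway template's action list from the table above, builds an IAM policy document with one statement per service, moves the role-management IAM actions into a separately scoped statement, and then audits the result for the things a reviewer of such a policy would push back on (wildcard actions, role management on `Resource: "*"`, `iam:PassRole` without a `iam:PassedToService` condition, and the managed-policy size limit). The role ARN pattern and the `Sid` names are assumptions; `iam:PassedToService` is a real IAM condition key. The other three templates are handled the same way by passing their action text to `parse_actions`.

```python
"""Build and audit a least-privilege IAM policy from a flat action list.

Added example (not from the thread or from Check Point). The gateway
template's action list below is copied from the table in the answer above.
"""
import json
import re
from collections import defaultdict

GATEWAY_ACTIONS = """
ec2:CreateTags ec2:DeleteSecurityGroup ec2:ModifyNetworkInterfaceAttribute
ec2:DescribeVpcs ec2:DeleteNetworkInterface ec2:DeleteRoute
ec2:RevokeSecurityGroupEgress ec2:AssociateAddress ec2:AllocateAddress
ec2:AuthorizeSecurityGroupIngress ec2:DisassociateAddress ec2:DescribeVolumes
ec2:DescribeInstances ec2:DescribeAddresses ec2:DescribeInstanceAttribute
ec2:AuthorizeSecurityGroupEgress ec2:CreateRoute ec2:DescribeTags
ec2:DescribeKeyPairs ec2:DetachNetworkInterface ec2:DescribeInstanceTypes
ec2:CreateSecurityGroup ec2:ReleaseAddress ec2:RunInstances
ec2:DescribeRouteTables ec2:DescribeSecurityGroups ec2:CreateNetworkInterface
ec2:DescribeNetworkInterfaces ec2:TerminateInstances ec2:DescribeSubnets
iam:AddRoleToInstanceProfile iam:DeleteInstanceProfile iam:CreateRole
iam:DeleteRole iam:PutRolePolicy iam:DeleteRolePolicy
iam:CreateInstanceProfile iam:RemoveRoleFromInstanceProfile
cloudformation:ListStackResources cloudformation:CreateStack
cloudformation:DescribeStacks cloudformation:DeleteStack
cloudformation:ValidateTemplate
"""

ACTION_RE = re.compile(r"^[a-z0-9-]+:[A-Za-z0-9*]+$")

# IAM actions that grant or change permissions. The templates legitimately
# need them (they create an instance role), but they should be scoped to
# the role the template creates, not to every role in the account.
PRIV_MGMT = {"iam:PassRole", "iam:CreateRole", "iam:PutRolePolicy",
             "iam:AttachRolePolicy", "iam:CreatePolicy"}

MANAGED_POLICY_MAX_CHARS = 6144  # IAM limit, whitespace excluded


def parse_actions(text):
    """Split a whitespace-separated action list, validate it and dedupe it."""
    seen, actions = set(), []
    for token in text.split():
        if not ACTION_RE.match(token):
            raise ValueError(f"not an IAM action: {token!r}")
        if token not in seen:
            seen.add(token)
            actions.append(token)
    return sorted(actions)


def build_policy(actions, role_arn_pattern="arn:aws:iam::*:role/*"):
    """One Allow statement per service; privilege-management actions get
    their own statement scoped to role_arn_pattern (hypothetical value;
    narrow it to the account id and the template's role name prefix)."""
    by_service, scoped = defaultdict(list), []
    for action in actions:
        if action in PRIV_MGMT:
            scoped.append(action)
        else:
            by_service[action.split(":", 1)[0]].append(action)
    statements = [{"Sid": f"{svc.capitalize()}Access", "Effect": "Allow",
                   "Action": acts, "Resource": "*"}
                  for svc, acts in sorted(by_service.items())]
    if scoped:
        stmt = {"Sid": "RoleManagementScoped", "Effect": "Allow",
                "Action": scoped, "Resource": role_arn_pattern}
        if "iam:PassRole" in scoped:
            # The role may only be passed to EC2 (instance profile use).
            stmt["Condition"] = {"StringEquals":
                                 {"iam:PassedToService": "ec2.amazonaws.com"}}
        statements.append(stmt)
    return {"Version": "2012-10-17", "Statement": statements}


def audit_policy(policy):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for stmt in policy["Statement"]:
        acts = stmt["Action"]
        acts = acts if isinstance(acts, list) else [acts]
        for a in acts:
            if a == "*" or a.endswith(":*"):
                findings.append(f"{stmt['Sid']}: wildcard action {a}")
            if a in PRIV_MGMT and stmt["Resource"] == "*":
                findings.append(f"{stmt['Sid']}: {a} on Resource '*' can manage any role")
        if "iam:PassRole" in acts and "Condition" not in stmt:
            findings.append(f"{stmt['Sid']}: iam:PassRole without iam:PassedToService")
    size = len(json.dumps(policy, separators=(",", ":")))
    if size > MANAGED_POLICY_MAX_CHARS:
        findings.append(f"policy is {size} chars, over the managed policy limit")
    return findings


if __name__ == "__main__":
    policy = build_policy(parse_actions(GATEWAY_ACTIONS))
    print(json.dumps(policy, indent=2))
    print("findings:", audit_policy(policy) or "none")
```

The gateway list contains no `iam:PassRole`, so its scoped statement carries only `iam:CreateRole` and `iam:PutRolePolicy`; the cluster lists do include `iam:PassRole`, and for those the script attaches the `iam:PassedToService` condition automatically. `audit_policy` can also be pointed at a policy pulled from the account (for example the JSON attached to the answer) to see which of these checks it would fail.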
Thanks Yizhak O.