IAM policy reference

The policy reference describes the statements in the cluster installer and worker policies so that you can understand the level of access that the cluster installer and worker roles have in your AWS environment.

Cluster installer policy statements

Use the statement descriptions in the cluster installer policy to understand the level of access that the cluster installer has in your AWS environment. The cluster installer policy includes the permissions that the cluster installer needs to deploy an elastic runtime environment.

Auto Scaling

The following statement allows the role to manage Auto Scaling groups:
{
  "Sid": "VisualEditor0",
  "Effect": "Allow",
  "Action": [
    "autoscaling:CreateAutoScalingGroup",
    "autoscaling:DeleteAutoScalingGroup",
    "autoscaling:TerminateInstanceInAutoScalingGroup",
    "autoscaling:DescribeAutoScalingGroups",
    "autoscaling:DescribeScalingActivities",
    "autoscaling:DescribeTags",
    "autoscaling:UpdateAutoScalingGroup",
    "autoscaling:CreateOrUpdateTags",
    "autoscaling:DeleteTags",
    "autoscaling:DescribeAutoScalingInstances",
    "autoscaling:DescribeLaunchConfigurations",
    "autoscaling:DescribeLifecycleHooks",
    "autoscaling:ResumeProcesses",
    "autoscaling:SetDesiredCapacity",
    "autoscaling:SuspendProcesses"
  ],
  "Resource": "*"
},

Describing EC2 resources and managing security groups

The following statement allows the role to describe EC2 resources, modify instance attributes, delete launch templates, and authorize security group ingress rules:
{
  "Sid": "VisualEditor1",
  "Effect": "Allow",
  "Action": [
    "ec2:DescribeAvailabilityZones",
    "ec2:DescribeImages",
    "ec2:DescribeInstanceAttribute",
    "ec2:DescribeInstances",
    "ec2:DescribeInstanceTypes",
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeLaunchTemplateVersions",
    "ec2:DescribeLaunchTemplates",
    "ec2:DescribeTags",
    "ec2:AuthorizeSecurityGroupIngress",
    "ec2:DeleteLaunchTemplate",
    "ec2:ModifyInstanceAttribute",
    "ec2:DescribeVpcs"
  ],
  "Resource": "*"
},

Running EC2 instances

The following statement allows the role to run EC2 instances:
{
  "Sid": "VisualEditor2",
  "Effect": "Allow",
  "Action": "ec2:RunInstances",
  "Resource": "*"
},

Creating keys, tags, and launch templates

The following statement allows the role to create key pairs, tags, and launch templates, scoped to the listed EC2 resource types in your account:
{
  "Sid": "VisualEditor3",
  "Effect": "Allow",
  "Action": [
    "ec2:CreateKeyPair",
    "ec2:CreateTags",
    "ec2:CreateLaunchTemplate"
  ],
  "Resource": [
    "arn:aws:ec2:*:<AWS account ID>:security-group/*",
    "arn:aws:ec2:*:<AWS account ID>:network-interface/*",
    "arn:aws:ec2:*:<AWS account ID>:launch-template/*",
    "arn:aws:ec2:*:<AWS account ID>:instance/*",
    "arn:aws:ec2:*:<AWS account ID>:subnet/*",
    "arn:aws:ec2:*:<AWS account ID>:volume/*",
    "arn:aws:ec2::*::image/*",
    "arn:aws:ec2:*:<AWS account ID>:key-pair/*"
  ]
},

Tagging EC2 resources

The following statement permits tagging EC2 resources only when the tags are applied as part of one of the listed create actions (the ec2:CreateAction condition key):
{
  "Sid": "VisualEditor5",
  "Effect": "Allow",
  "Action": "ec2:CreateTags",
  "Resource": [
    "arn:aws:ec2:*:<AWS account ID>:network-interface/*",
    "arn:aws:ec2:*:<AWS account ID>:key-pair/*",
    "arn:aws:ec2:*:<AWS account ID>:launch-template/*",
    "arn:aws:ec2:*:<AWS account ID>:instance/*",
    "arn:aws:ec2:*:<AWS account ID>:volume/*",
    "arn:aws:ec2:*:<AWS account ID>:subnet/*"
  ],
  "Condition": {
    "StringEquals": {
      "ec2:CreateAction": [
        "RunInstances",
        "CreateKeyPair",
        "CreateLaunchTemplate",
        "CreateLaunchTemplateVersion",
        "network-interface",
        "CreateTags",
        "CreateAutoScalingGroup"
      ]
    }
  }
},

Passing role information to AWS services

The following statement allows the cluster installer to pass the cluster installer role and the worker role to AWS services, so that those services can assume the permissions of the passed role:
{
  "Sid": "VisualEditor13",
  "Effect": "Allow",
  "Action": "iam:PassRole",
  "Resource": [
    "arn:aws:iam::<AWS account ID>:role/<cluster installer role>",
    "arn:aws:iam::<AWS account ID>:role/<worker role>"
  ]
},

AWS Secrets Manager

The following statement allows the role to manage secrets in AWS Secrets Manager:
{
  "Sid": "VisualEditor21",
  "Effect": "Allow",
  "Action": [
    "secretsmanager:DescribeSecret",
    "secretsmanager:GetSecretValue",
    "secretsmanager:ListSecrets",
    "secretsmanager:CreateSecret",
    "secretsmanager:TagResource",
    "secretsmanager:DeleteSecret",
    "secretsmanager:UpdateSecret"
  ],
  "Resource": "arn:aws:secretsmanager:*:<AWS account ID>:secret:*"
},

Managing EFS file systems

The following statement allows the role to create EFS mount targets and to describe EFS file systems, mount targets, and access points:
{
  "Sid": "VisualEditor10",
  "Effect": "Allow",
  "Action": [
    "elasticfilesystem:CreateMountTarget",
    "elasticfilesystem:DescribeAccessPoints",
    "elasticfilesystem:DescribeFileSystems",
    "elasticfilesystem:DescribeMountTargets"
  ],
  "Resource": "*"
},

Describing subnets

The following statement provides read-only access to describe subnets:
{
  "Sid": "VisualEditor11",
  "Effect": "Allow",
  "Action": [
    "ec2:DescribeSubnets"
  ],
  "Resource": "*"
},

EC2 management

The following statement provides EC2 management permissions (creating and modifying launch templates, running and terminating instances, associating instance profiles, and passing roles) on all resources:
{
  "Sid": "EC2Management",
  "Effect": "Allow",
  "Action": [
    "ec2:AssociateIamInstanceProfile",
    "ec2:CreateKeyPair",
    "ec2:CreateLaunchTemplate",
    "ec2:CreateLaunchTemplateVersion",
    "ec2:CreateTags",
    "ec2:DeleteLaunchTemplate",
    "ec2:DeleteTags",
    "ec2:ModifyLaunchTemplate",
    "ec2:RunInstances",
    "ec2:TerminateInstances",
    "iam:PassRole"
  ],
  "Resource": "*"
}

Worker policy statements

Use the statement descriptions in the worker policy to understand the level of access that the worker nodes have in your AWS environment. The worker policy includes the permissions that worker nodes need to process data in an elastic runtime environment.

Describing resources

The following statement provides read-only access to describe and list the resources that the worker nodes use:
{
  "Sid": "DescribeActions",
  "Effect": "Allow",
  "Action": [
    "elasticfilesystem:DescribeMountTargets",
    "autoscaling:DescribeAutoScalingGroups",
    "autoscaling:DescribeAutoScalingInstances",
    "autoscaling:DescribeLaunchConfigurations",
    "autoscaling:DescribeTags",
    "ec2:DescribeInstances",
    "ec2:DescribeLaunchTemplateVersions",
    "ec2:DescribeTags",
    "autoscaling:DescribeLifecycleHooks",
    "autoscaling:DescribeScalingActivities",
    "ec2:DescribeLaunchTemplates",
    "ec2:DescribeInstanceTypes",
    "ec2:DescribeVpcs",
    "secretsmanager:DescribeSecret",
    "secretsmanager:ListSecrets"
  ],
  "Resource": "*"
},

Auto Scaling

The following statement allows the role to manage Auto Scaling groups:
{
  "Sid": "AutoscalingCapacity",
  "Effect": "Allow",
  "Action": [
    "autoscaling:SetDesiredCapacity",
    "autoscaling:TerminateInstanceInAutoScalingGroup",
    "autoscaling:CreateAutoScalingGroup",
    "autoscaling:CreateOrUpdateTags",
    "autoscaling:DeleteAutoScalingGroup",
    "autoscaling:DeleteTags",
    "autoscaling:SuspendProcesses",
    "autoscaling:UpdateAutoScalingGroup"
  ],
  "Resource": "*"
},

Amazon EC2

The following statement allows the role to manage EC2 resources:
{
  "Sid": "EC2Management",
  "Effect": "Allow",
  "Action": [
    "ec2:AssociateIamInstanceProfile",
    "ec2:CreateKeyPair",
    "ec2:CreateLaunchTemplate",
    "ec2:CreateLaunchTemplateVersion",
    "ec2:CreateTags",
    "ec2:DeleteLaunchTemplate",
    "ec2:DeleteTags",
    "ec2:ModifyLaunchTemplate",
    "ec2:RunInstances",
    "ec2:TerminateInstances",
    "iam:PassRole"
  ],
  "Resource": "*"
},

Amazon EFS

The following statement allows the role to create and delete access points on EFS file systems:
{
  "Sid": "EFSManagement",
  "Effect": "Allow",
  "Action": [
    "elasticfilesystem:CreateAccessPoint",
    "elasticfilesystem:DeleteAccessPoint"
  ],
  "Resource": "*"
},

AWS Secrets Manager

The following statement allows the role to read and update secret values in AWS Secrets Manager:
{
  "Sid": "SecretsManagerAccess",
  "Effect": "Allow",
  "Action": [
    "secretsmanager:GetSecretValue",
    "secretsmanager:UpdateSecret"
  ],
  "Resource": "*"
}
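Both the cluster installer policy and the worker policy above mix tightly scoped statements (VisualEditor13 passes only two named roles; VisualEditor5 allows tagging only during listed create actions) with statements that grant write actions, including iam:PassRole, on "Resource": "*". The following script is an added example, not tooling from the product or from this reference: it loads a policy document and reports every Allow statement that grants non-read-only actions on "*" without a Condition, and separately reports iam:PassRole on "*". The embedded policy is a constructed sample that combines a few statements from both policies on this page, with the <AWS account ID> placeholder replaced by the fake value 123456789012 and hypothetical role names cluster-installer and worker. Treating the Describe, Get, and List action prefixes as read-only is a heuristic of this script, not an AWS definition.

```python
"""Flag broad write access in the Allow statements of an IAM policy document."""
import json

# Heuristic: actions whose name starts with one of these prefixes are treated
# as read-only. Anything else (including a bare "*" or "ec2:*") is a write.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")

# Constructed sample policy built from statements on this page. The account ID
# and role names are fake placeholders, not values from any real deployment.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor11", "Effect": "Allow",
     "Action": ["ec2:DescribeSubnets"], "Resource": "*"},
    {"Sid": "VisualEditor13", "Effect": "Allow", "Action": "iam:PassRole",
     "Resource": ["arn:aws:iam::123456789012:role/cluster-installer",
                  "arn:aws:iam::123456789012:role/worker"]},
    {"Sid": "VisualEditor5", "Effect": "Allow", "Action": "ec2:CreateTags",
     "Resource": ["arn:aws:ec2:*:123456789012:instance/*"],
     "Condition": {"StringEquals": {"ec2:CreateAction": ["RunInstances"]}}},
    {"Sid": "EC2Management", "Effect": "Allow",
     "Action": ["ec2:RunInstances", "ec2:TerminateInstances", "iam:PassRole"],
     "Resource": "*"}
  ]
}
""")


def as_list(value):
    """IAM accepts either a string or a list for Action and Resource; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """True for e.g. ec2:DescribeInstances; False for ec2:RunInstances or ec2:*."""
    _service, _sep, name = action.partition(":")
    return name.startswith(READ_ONLY_PREFIXES)


def audit_statement(stmt):
    """Return a list of (code, detail) findings for one statement."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings  # Deny statements never widen access
    actions = as_list(stmt.get("Action"))
    resources = as_list(stmt.get("Resource"))
    unscoped = "*" in resources
    conditioned = bool(stmt.get("Condition"))
    writes = [a for a in actions if not is_read_only(a)]
    # Write actions on every resource with no Condition to narrow them.
    if unscoped and writes and not conditioned:
        findings.append(("unscoped-write", ", ".join(writes)))
    # iam:PassRole on "*" lets the principal hand any role to a service it
    # can launch, so it deserves its own finding even when a Condition exists.
    if unscoped and "iam:PassRole" in actions:
        findings.append(("unscoped-passrole", "iam:PassRole"))
    return findings


def audit_policy(policy):
    """Map each Sid to its findings; statements without findings are omitted."""
    report = {}
    for stmt in as_list(policy.get("Statement")):
        findings = audit_statement(stmt)
        if findings:
            report[stmt.get("Sid", "<no Sid>")] = findings
    return report


if __name__ == "__main__":
    for sid, findings in audit_policy(SAMPLE_POLICY).items():
        for code, detail in findings:
            print(f"{sid}: {code}: {detail}")
```

To audit a real policy, call audit_policy(json.load(open("policy.json"))) on the exported document. The <AWS account ID> placeholders on this page sit inside JSON strings, so the statements parse unchanged, but substitute your real values before comparing against a deployed policy. On the sample, only EC2Management is reported, with both an unscoped-write and an unscoped-passrole finding; the read-only, role-scoped, and conditioned statements pass.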