IAM policy reference

The policy reference describes the statements in the cluster installer and worker policies so that you can understand the level of access that the cluster installer and worker roles have in your AWS environment. The values written as {{account-id}}, {{region}}, {{VPC_ID}}, {{cluster-installer-role}} and {{worker-node-role}} are placeholders that stand for your own account ID, region, VPC ID and role names.
Cluster installer policy statements

Use the statement descriptions in the cluster installer policy to understand the level of access that the cluster installer has in your AWS environment. The cluster installer policy includes the permissions that the cluster installer needs to deploy an elastic runtime environment.
Auto Scaling

The following statement allows the role to create, update and delete Auto Scaling groups, terminate instances in them, attach load balancers to them, and describe groups, scaling activities and tags. The resource is "*", so these actions apply to every Auto Scaling group in the account, not only to the groups the installer creates:

  {
    "Sid": "VisualEditor0",
    "Effect": "Allow",
    "Action": [
      "autoscaling:AttachLoadBalancers",
      "autoscaling:UpdateAutoScalingGroup",
      "autoscaling:DeleteAutoScalingGroup",
      "autoscaling:TerminateInstanceInAutoScalingGroup",
      "autoscaling:DescribeAutoScalingGroups",
      "autoscaling:CreateAutoScalingGroup",
      "autoscaling:DescribeScalingActivities",
      "autoscaling:DescribeTags"
    ],
    "Resource": "*"
  },
Viewing EC2 instances

The following statement provides read-only access to every EC2 Describe call. EC2 Describe actions do not support resource-level permissions, so the resource has to be "*":

  {
    "Sid": "VisualEditor1",
    "Effect": "Allow",
    "Action": "ec2:Describe*",
    "Resource": "*"
  },
Launching EC2 instances

The following statement allows the role to launch EC2 instances. RunInstances is authorized against every resource the launch touches, which is why the account's instances, subnets, security groups, network interfaces, key pairs, volumes and launch templates are listed alongside the image and snapshot. The image and snapshot ARNs carry no account ID because the AMI or snapshot used may be owned by AWS or shared from another account:

  {
    "Sid": "VisualEditor2",
    "Effect": "Allow",
    "Action": "ec2:RunInstances",
    "Resource": [
      "arn:aws:ec2:*:{{account-id}}:security-group/*",
      "arn:aws:ec2:*:{{account-id}}:network-interface/*",
      "arn:aws:ec2:*:{{account-id}}:launch-template/*",
      "arn:aws:ec2:*::snapshot/*",
      "arn:aws:ec2:*:{{account-id}}:instance/*",
      "arn:aws:ec2:*:{{account-id}}:key-pair/*",
      "arn:aws:ec2:*:{{account-id}}:volume/*",
      "arn:aws:ec2:*:{{account-id}}:subnet/*",
      "arn:aws:ec2:*::image/*"
    ]
  },
Creating EC2-related resources

The following statement allows the role to create key pairs, route tables, images, volumes, network interfaces, launch templates, security groups, internet gateways, snapshots and subnets, to associate CIDR blocks with subnets, and to tag the listed resource types. Note that ec2:CreateTags is granted here without a condition, so the role can tag existing resources of these types, not only resources it is creating:

  {
    "Sid": "VisualEditor3",
    "Effect": "Allow",
    "Action": [
      "ec2:CreateKeyPair",
      "ec2:CreateTags",
      "ec2:CreateRouteTable",
      "ec2:CreateImage",
      "ec2:CreateVolume",
      "ec2:CreateNetworkInterface",
      "ec2:CreateLaunchTemplate",
      "ec2:CreateSecurityGroup",
      "ec2:CreateInternetGateway",
      "ec2:CreateSnapshot",
      "ec2:AssociateSubnetCidrBlock",
      "ec2:CreateSubnet"
    ],
    "Resource": [
      "arn:aws:ec2:*:{{account-id}}:security-group/*",
      "arn:aws:ec2:*:{{account-id}}:network-interface/*",
      "arn:aws:ec2:*:{{account-id}}:internet-gateway/*",
      "arn:aws:ec2:*:{{account-id}}:launch-template/*",
      "arn:aws:ec2:*:{{account-id}}:instance/*",
      "arn:aws:ec2:*:{{account-id}}:security-group-rule/*",
      "arn:aws:ec2:*::snapshot/*",
      "arn:aws:ec2:{{region}}:{{account-id}}:route-table/*",
      "arn:aws:ec2:*:{{account-id}}:subnet/*",
      "arn:aws:ec2:*:{{account-id}}:volume/*",
      "arn:aws:ec2:*:{{account-id}}:import-snapshot-task/*",
      "arn:aws:ec2:*::image/*",
      "arn:aws:ec2:*:{{account-id}}:key-pair/*"
    ]
  },
Managing EC2-related resources

The following statement allows the role to modify and delete EC2-related resources: security group rules, route tables and routes, internet gateways, volumes, launch templates and their versions, key pairs and snapshot imports, tags, VPC attributes, and instance state (start, stop, terminate, modify attributes, associate an instance profile). The resource is "*", so the instance, volume and security group actions apply to every such resource in the account, and ec2:CreateTags and ec2:DeleteTags are unconditional here. ec2:AssociateIamInstanceProfile is only as powerful as the iam:PassRole grant below, which restricts which roles can be attached:

  {
    "Sid": "VisualEditor4",
    "Effect": "Allow",
    "Action": [
      "ec2:AuthorizeSecurityGroupIngress",
      "ec2:ReplaceRouteTableAssociation",
      "ec2:DeleteTags",
      "ec2:AttachInternetGateway",
      "ec2:DeleteRouteTable",
      "ec2:AssociateRouteTable",
      "ec2:DeleteVolume",
      "ec2:StartInstances",
      "ec2:CreateRoute",
      "ec2:RevokeSecurityGroupEgress",
      "ec2:ModifyVpcAttribute",
      "ec2:DeleteInternetGateway",
      "ec2:DeleteLaunchTemplateVersions",
      "ec2:ModifyInstanceAttribute",
      "ec2:AuthorizeSecurityGroupEgress",
      "ec2:DeleteLaunchTemplate",
      "ec2:TerminateInstances",
      "ec2:ImportKeyPair",
      "ec2:CreateTags",
      "ec2:ImportSnapshot",
      "ec2:DeleteRoute",
      "ec2:DetachInternetGateway",
      "ec2:StopInstances",
      "ec2:DisassociateRouteTable",
      "ec2:CreateLaunchTemplateVersion",
      "ec2:RevokeSecurityGroupIngress",
      "ec2:DeleteSecurityGroup",
      "ec2:ModifyLaunchTemplate",
      "ec2:DeleteKeyPair",
      "ec2:AssociateIamInstanceProfile"
    ],
    "Resource": "*"
  },
Tagging EC2-related resources

The following statement allows the role to tag the listed resource types while the resource is being created: EC2 sets the ec2:CreateAction condition key only for tags passed in the creating API call, so on its own this statement does not allow tagging an existing resource. Two of the condition values, "network-interface" and "CreateAutoScalingGroup", are not EC2 action names and never match. In practice the condition is not a restriction at all, because VisualEditor3, VisualEditor4 and VisualEditor7 grant ec2:CreateTags on the same resource types without any condition:

  {
    "Sid": "VisualEditor5",
    "Effect": "Allow",
    "Action": "ec2:CreateTags",
    "Resource": [
      "arn:aws:ec2:*:{{account-id}}:network-interface/*",
      "arn:aws:ec2:*:{{account-id}}:key-pair/*",
      "arn:aws:ec2:*:{{account-id}}:launch-template/*",
      "arn:aws:ec2:*:{{account-id}}:instance/*",
      "arn:aws:ec2:{{region}}:{{account-id}}:route-table/*",
      "arn:aws:ec2:*:{{account-id}}:volume/*",
      "arn:aws:ec2:*:{{account-id}}:subnet/*"
    ],
    "Condition": {
      "StringEquals": {
        "ec2:CreateAction": [
          "CreateVolume",
          "RunInstances",
          "CreateSecurityGroup",
          "CreateKeyPair",
          "CreateLaunchTemplate",
          "CreateLaunchTemplateVersion",
          "network-interface",
          "CreateTags",
          "CreateSubnet",
          "CreateAutoScalingGroup",
          "CreateRouteTable"
        ]
      }
    }
  },
Creating security groups in the VPC

ec2:CreateSecurityGroup is authorized against both the security group being created and the VPC it is created in. The following statement supplies the VPC side of that check, for any VPC in the account; the security-group side is covered by VisualEditor3 and VisualEditor7:

  {
    "Sid": "VisualEditor6",
    "Effect": "Allow",
    "Action": "ec2:CreateSecurityGroup",
    "Resource": "arn:aws:ec2:*:{{account-id}}:vpc/*"
  },
Creating security groups for resources

The following statement allows the role to create security groups and to tag the listed resources. Only the security-group entry is meaningful for ec2:CreateSecurityGroup; the network interface, launch template, Elastic IP and snapshot entries take effect for ec2:CreateTags:

  {
    "Sid": "VisualEditor7",
    "Effect": "Allow",
    "Action": [
      "ec2:CreateSecurityGroup",
      "ec2:CreateTags"
    ],
    "Resource": [
      "arn:aws:ec2:*:{{account-id}}:security-group/*",
      "arn:aws:ec2:*:{{account-id}}:network-interface/*",
      "arn:aws:ec2:*:{{account-id}}:launch-template/*",
      "arn:aws:ec2:*:{{account-id}}:elastic-ip/*",
      "arn:aws:ec2:*::snapshot/*"
    ]
  },
Managing subnets and route tables

The following statement allows the role to create and delete subnets, associate CIDR blocks with them, create route tables, and tag subnets and route tables. It is the only statement in the policy scoped to a specific VPC ({{VPC_ID}}) and region. Because ec2:CreateSubnet is also authorized against the VPC, and no other statement grants it on a VPC resource, the role can create subnets only in that VPC:

  {
    "Sid": "VisualEditor8",
    "Effect": "Allow",
    "Action": [
      "ec2:DeleteSubnet",
      "ec2:CreateTags",
      "ec2:CreateRouteTable",
      "ec2:AssociateSubnetCidrBlock",
      "ec2:CreateSubnet"
    ],
    "Resource": [
      "arn:aws:ec2:{{region}}:{{account-id}}:vpc/{{VPC_ID}}",
      "arn:aws:ec2:{{region}}:{{account-id}}:route-table/*",
      "arn:aws:ec2:*:{{account-id}}:subnet/*"
    ]
  },
Creating EBS volumes from snapshots

ec2:CreateVolume is authorized against the volume being created and, when the volume is restored from a snapshot, against that snapshot as well. VisualEditor3 covers the volume side; the following statement covers the snapshot side:

  {
    "Sid": "VisualEditor9",
    "Effect": "Allow",
    "Action": "ec2:CreateVolume",
    "Resource": "arn:aws:ec2:*::snapshot/*"
  },
Mounting EFS resources

The following statement allows the role to create mount targets for EFS file systems and to describe any EFS resource in the account:

  {
    "Sid": "VisualEditor10",
    "Effect": "Allow",
    "Action": [
      "elasticfilesystem:CreateMountTarget",
      "elasticfilesystem:Describe*"
    ],
    "Resource": "*"
  },
Managing EFS file systems

The following statement allows the role to create EFS file systems and access points and to tag EFS resources. With the resource set to "*", access points can be created in, and tags applied to, any file system in the account:

  {
    "Sid": "VisualEditor11",
    "Effect": "Allow",
    "Action": [
      "elasticfilesystem:CreateFileSystem",
      "elasticfilesystem:CreateAccessPoint",
      "elasticfilesystem:CreateTags"
    ],
    "Resource": "*"
  },
Passing role information to EC2 instances

iam:PassRole is the permission AWS checks whenever a role is handed to a service, for example when an instance profile is attached to an EC2 instance or a launch template so that the instance can assume that role. The following statement lets the cluster installer pass only the cluster installer role and the worker node role. Scoping PassRole to these two ARNs is what stops the installer from launching instances under any other, more privileged role in the account:

  {
    "Sid": "VisualEditor13",
    "Effect": "Allow",
    "Action": "iam:PassRole",
    "Resource": [
      "arn:aws:iam::{{account-id}}:role/{{cluster-installer-role}}",
      "arn:aws:iam::{{account-id}}:role/{{worker-node-role}}"
    ]
  },
Decoding authorization errors

The following statement allows the role to decode the encoded authorization failure messages that AWS returns, which is useful when diagnosing a missing permission during an install. sts:DecodeAuthorizationMessage does not support resource-level permissions, hence the "*":

  {
    "Sid": "VisualEditor14",
    "Effect": "Allow",
    "Action": "sts:DecodeAuthorizationMessage",
    "Resource": "*"
  },
Managing Elastic Load Balancing

The following statement allows every Elastic Load Balancing action on the load balancers, target groups, listeners and listener rules in the account. Because elasticloadbalancing:* is granted on loadbalancer/* and targetgroup/*, this includes modifying or deleting load balancers the installer did not create. The Describe calls are not covered here, since they do not accept resource ARNs; they are granted separately at the end of the policy:

  {
    "Sid": "VisualEditor19",
    "Effect": "Allow",
    "Action": "elasticloadbalancing:*",
    "Resource": [
      "arn:aws:elasticloadbalancing:*:{{account-id}}:targetgroup/*",
      "arn:aws:elasticloadbalancing:*:{{account-id}}:listener/*",
      "arn:aws:elasticloadbalancing:*:{{account-id}}:listener/app/*",
      "arn:aws:elasticloadbalancing:*:{{account-id}}:listener-rule/app/*",
      "arn:aws:elasticloadbalancing:*:{{account-id}}:listener/net/*",
      "arn:aws:elasticloadbalancing:*:{{account-id}}:listener-rule/net/*",
      "arn:aws:elasticloadbalancing:*:{{account-id}}:loadbalancer/*",
      "arn:aws:elasticloadbalancing:*:{{account-id}}:loadbalancer/app/*",
      "arn:aws:elasticloadbalancing:*:{{account-id}}:loadbalancer/net/*"
    ]
  },
Managing secrets

The following statement grants full access (create, read, update, rotate and delete) to every secret in the account, in every region:

  {
    "Sid": "VisualEditor21",
    "Effect": "Allow",
    "Action": "secretsmanager:*",
    "Resource": "arn:aws:secretsmanager:*:{{account-id}}:secret:*"
  },
Creating service-linked roles

The following statement allows the cluster installer to create service-linked roles, which Auto Scaling and Elastic Load Balancing need on first use in an account. With the resource set to "*" it can create the service-linked role of any AWS service:

  {
    "Sid": "VisualEditor22",
    "Effect": "Allow",
    "Action": "iam:CreateServiceLinkedRole",
    "Resource": "*"
  },
Viewing Elastic Load Balancing

The following statement allows the role to list load balancers and check instance health. These Describe actions do not support resource-level permissions, so they need "*" and could not be folded into VisualEditor19. This statement has no Sid:

  {
    "Effect": "Allow",
    "Action": [
      "elasticloadbalancing:DescribeLoadBalancers",
      "elasticloadbalancing:DescribeInstanceHealth"
    ],
    "Resource": "*"
  }
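Several of the notes above (TerminateInstances on every instance, the ec2:CreateAction condition that other statements bypass, the PassRole scoping, the Describe calls that need "*") are easiest to confirm by evaluating a request against the statements. The following is an added example, not part of the product's policy or tooling: a small offline evaluator that implements the subset of IAM evaluation these statements rely on (explicit Deny wins, "*" and "?" wildcards in actions and resource ARNs, the StringEquals condition operator). The account ID, role names and request ARNs are constructed values standing in for the page's placeholders, and the installer statements are an excerpt with long action lists trimmed to the actions exercised.

```python
"""Offline allow-check for the cluster installer statements (added example)."""
import fnmatch
import json

# Constructed stand-ins for the page's {{...}} placeholders.
PLACEHOLDERS = {
    "account-id": "111122223333",
    "cluster-installer-role": "cluster-installer",
    "worker-node-role": "worker-node",
}

# Excerpt of the installer statements, action lists trimmed to what is exercised below.
INSTALLER_EXCERPT = r"""
[
  {"Sid": "VisualEditor2", "Effect": "Allow", "Action": "ec2:RunInstances",
   "Resource": ["arn:aws:ec2:*:{{account-id}}:instance/*",
                "arn:aws:ec2:*:{{account-id}}:subnet/*",
                "arn:aws:ec2:*::image/*"]},
  {"Sid": "VisualEditor3", "Effect": "Allow", "Action": ["ec2:CreateTags"],
   "Resource": ["arn:aws:ec2:*:{{account-id}}:network-interface/*",
                "arn:aws:ec2:*:{{account-id}}:subnet/*"]},
  {"Sid": "VisualEditor4", "Effect": "Allow",
   "Action": ["ec2:TerminateInstances", "ec2:CreateTags"], "Resource": "*"},
  {"Sid": "VisualEditor5", "Effect": "Allow", "Action": "ec2:CreateTags",
   "Resource": ["arn:aws:ec2:*:{{account-id}}:network-interface/*",
                "arn:aws:ec2:*:{{account-id}}:subnet/*"],
   "Condition": {"StringEquals": {"ec2:CreateAction": ["network-interface", "CreateSubnet"]}}},
  {"Sid": "VisualEditor13", "Effect": "Allow", "Action": "iam:PassRole",
   "Resource": ["arn:aws:iam::{{account-id}}:role/{{cluster-installer-role}}",
                "arn:aws:iam::{{account-id}}:role/{{worker-node-role}}"]},
  {"Sid": "VisualEditor19", "Effect": "Allow", "Action": "elasticloadbalancing:*",
   "Resource": ["arn:aws:elasticloadbalancing:*:{{account-id}}:loadbalancer/*"]},
  {"Effect": "Allow", "Action": ["elasticloadbalancing:DescribeLoadBalancers"], "Resource": "*"}
]
"""


def render(text, values=PLACEHOLDERS):
    """Substitute {{name}} placeholders, then parse the statement list."""
    for key, val in values.items():
        text = text.replace("{{%s}}" % key, val)
    return json.loads(text)


def as_list(value):
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    # IAM action names are case-insensitive; "*" and "?" are the wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def resource_matches(pattern, arn):
    # fnmatch's "*" spans ARN segments, which is what the page's patterns need.
    return fnmatch.fnmatchcase(arn, pattern)


def condition_matches(condition, context):
    """Only StringEquals occurs in these policies; anything else fails loudly
    rather than being silently treated as satisfied."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for key, wanted in pairs.items():
            if context.get(key) not in as_list(wanted):
                return False
    return True


def evaluate(statements, action, resource, context=None):
    """Return (decision, matching statement labels). 'Allow' only if at least one
    Allow statement matches and no Deny statement does."""
    context = context or {}
    allows, denies = [], []
    for index, stmt in enumerate(statements):
        label = stmt.get("Sid") or "<statement %d>" % index
        if not any(action_matches(p, action) for p in as_list(stmt["Action"])):
            continue
        if not any(resource_matches(p, resource) for p in as_list(stmt["Resource"])):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        (allows if stmt["Effect"] == "Allow" else denies).append(label)
    if denies:
        return "Deny", denies
    return ("Allow", allows) if allows else ("Deny", [])


INSTALLER = render(INSTALLER_EXCERPT)
ACCOUNT = PLACEHOLDERS["account-id"]

if __name__ == "__main__":
    checks = [
        ("ec2:TerminateInstances", "arn:aws:ec2:us-east-1:%s:instance/i-0abc" % ACCOUNT, {}),
        ("ec2:CreateTags", "arn:aws:ec2:us-east-1:%s:network-interface/eni-1" % ACCOUNT,
         {"ec2:CreateAction": "CreateNetworkInterface"}),
        ("iam:PassRole", "arn:aws:iam::%s:role/some-other-role" % ACCOUNT, {}),
        ("elasticloadbalancing:DescribeLoadBalancers", "*", {}),
    ]
    for action, resource, ctx in checks:
        print(action, resource, evaluate(INSTALLER, action, resource, ctx))
```

Running it shows that tagging a network interface during CreateNetworkInterface is allowed by VisualEditor3 and VisualEditor4 even though VisualEditor5's condition does not match, that PassRole on any role other than the two listed is denied, and that DescribeLoadBalancers (requested with resource "*", as non-resource-scoped calls are) is allowed only by the Sid-less statement, not by VisualEditor19.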
Worker policy statements

Use the statement descriptions in the worker policy to understand the level of access that the worker nodes have in your AWS environment. The worker policy includes the permissions that worker nodes need to process data in an elastic runtime environment.
Viewing resources

The following statement allows the role to describe the listed EFS, Auto Scaling and EC2 resources. These Describe calls are not resource-scoped, so the role can see every such resource in the account:

  {
    "Sid": "DescribeActions",
    "Effect": "Allow",
    "Action": [
      "elasticfilesystem:DescribeAccessPoints",
      "elasticfilesystem:DescribeFileSystems",
      "elasticfilesystem:DescribeMountTargets",
      "ec2:DescribeAvailabilityZones",
      "autoscaling:DescribeAutoScalingGroups",
      "autoscaling:DescribeAutoScalingInstances",
      "autoscaling:DescribeLaunchConfigurations",
      "autoscaling:DescribeTags",
      "ec2:DescribeInstances",
      "ec2:DescribeLaunchTemplateVersions",
      "ec2:DescribeTags"
    ],
    "Resource": "*"
  },
Auto Scaling

The following statement allows the role to change the desired capacity of Auto Scaling groups and to terminate instances in them. The resource is "*", so a worker node can scale or shrink any Auto Scaling group in the account, not only its own:

  {
    "Sid": "AutoscalingCapacity",
    "Effect": "Allow",
    "Action": [
      "autoscaling:SetDesiredCapacity",
      "autoscaling:TerminateInstanceInAutoScalingGroup"
    ],
    "Resource": "*"
  },
Getting secrets

The following statement allows the role to read secret values from AWS Secrets Manager. The resource is "*", so a worker node can read every secret in the account, not only the ones the installer created for the cluster:

  {
    "Sid": "SecretsManagerAccess",
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Resource": "*"
  }
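A reviewer of the worker policy, and of the installer statements that use Resource "*", usually wants one list: which statements grant something other than a read on every resource in the account. The following is an added example, not tooling from the product, that produces that list from the statements on this page. The read-only classification by verb prefix and the SENSITIVE set (reads that still deserve a scoped resource) are this example's own heuristics; the worker policy is embedded verbatim, and the installer excerpt keeps only the Resource "*" statements, with VisualEditor4 trimmed to three actions.

```python
"""Static review: Allow statements that grant a non-read action on Resource "*"."""
import json

READ_PREFIXES = ("Describe", "Get", "List", "Decode")   # heuristic, chosen here
SENSITIVE = {"secretsmanager:GetSecretValue"}           # reads that are still sensitive

# The three worker statements from the page, verbatim.
WORKER_POLICY = json.loads(r"""
{ "Version": "2012-10-17", "Statement": [
  { "Sid": "DescribeActions", "Effect": "Allow", "Action": [ "elasticfilesystem:DescribeAccessPoints", "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeMountTargets", "ec2:DescribeAvailabilityZones", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", "ec2:DescribeInstances", "ec2:DescribeLaunchTemplateVersions", "ec2:DescribeTags" ], "Resource": "*" },
  { "Sid": "AutoscalingCapacity", "Effect": "Allow", "Action": [ "autoscaling:SetDesiredCapacity", "autoscaling:TerminateInstanceInAutoScalingGroup" ], "Resource": "*" },
  { "Sid": "SecretsManagerAccess", "Effect": "Allow", "Action": [ "secretsmanager:GetSecretValue" ], "Resource": "*" }
] }
""")

# Installer statements with Resource "*" (VisualEditor4 trimmed to three of its actions).
INSTALLER_STAR = json.loads(r"""
[
  { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "autoscaling:AttachLoadBalancers", "autoscaling:UpdateAutoScalingGroup", "autoscaling:DeleteAutoScalingGroup", "autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:DescribeAutoScalingGroups", "autoscaling:CreateAutoScalingGroup", "autoscaling:DescribeScalingActivities", "autoscaling:DescribeTags" ], "Resource": "*" },
  { "Sid": "VisualEditor1", "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*" },
  { "Sid": "VisualEditor4", "Effect": "Allow", "Action": [ "ec2:AuthorizeSecurityGroupIngress", "ec2:TerminateInstances", "ec2:DeleteTags" ], "Resource": "*" },
  { "Sid": "VisualEditor14", "Effect": "Allow", "Action": "sts:DecodeAuthorizationMessage", "Resource": "*" },
  { "Sid": "VisualEditor22", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*" }
]
""")


def as_list(value):
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """Describe/Get/List/Decode verbs count as reads unless listed in SENSITIVE.
    A bare service wildcard ("service:*") is never read-only."""
    if action in SENSITIVE:
        return False
    verb = action.split(":", 1)[1]
    return verb != "*" and verb.startswith(READ_PREFIXES)


def unscoped_grants(statements):
    """Map statement label -> sorted non-read actions, for Allow statements whose
    Resource is (or contains) "*". Statements with only reads are omitted."""
    findings = {}
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or "*" not in as_list(stmt["Resource"]):
            continue
        broad = sorted(a for a in as_list(stmt["Action"]) if not is_read_only(a))
        if broad:
            findings[stmt.get("Sid") or "<statement %d>" % index] = broad
    return findings


def review(policy_or_statements):
    """Accept either a full policy document or a bare statement list."""
    if isinstance(policy_or_statements, dict):
        policy_or_statements = policy_or_statements["Statement"]
    return unscoped_grants(policy_or_statements)


if __name__ == "__main__":
    for name, doc in (("worker", WORKER_POLICY), ("installer", INSTALLER_STAR)):
        for sid, actions in review(doc).items():
            print("%s %s: %s" % (name, sid, ", ".join(actions)))
```

For the worker policy the report names AutoscalingCapacity and SecretsManagerAccess, which is the pair of grants a reviewer would ask to see scoped (to the cluster's own Auto Scaling group and to the cluster's secrets, by ARN or by tag condition); DescribeActions is left out because every action in it is a read.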