Policy Requirements for Cloud Resources

Objective

This document explains the types of policies that are required to grant users permission to create or modify resources when deploying public cloud sites. The following public cloud providers are supported:

  • AWS
  • Azure
  • GCP

AWS Policies

The required policies are managed using the AWS IAM service. Log into the AWS console and navigate to the IAM dashboard. Select Access Management -> Users, then select the user who needs permission to deploy AWS cloud resources. In the Permissions tab, click Add permissions and add the permissions listed in the following sections. You can open an attached group and select the JSON view to confirm that the correct permissions are applied. The account ID that appears in the Resource ARNs of the policies below must match the AWS account in which the resources are deployed.

AWS VPC Site

The following is the JSON view of the policy and permissions required to deploy an AWS VPC site:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:UpdateAssumeRolePolicy",
                "iam:GetPolicyVersion",
                "elasticloadbalancing:ModifyListener",
                "ec2:AuthorizeSecurityGroupIngress",
                "elasticloadbalancing:RegisterTargets",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:CreateRole",
                "iam:AttachRolePolicy",
                "iam:AddRoleToInstanceProfile",
                "ec2:ReplaceIamInstanceProfileAssociation",
                "ec2:ReplaceRoute",
                "ec2:DeleteRouteTable",
                "iam:DetachRolePolicy",
                "ec2:StartInstances",
                "iam:ListAttachedRolePolicies",
                "ec2:CreateRoute",
                "ec2:CreateInternetGateway",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:DeleteInternetGateway",
                "iam:ListRolePolicies",
                "elasticloadbalancing:ModifyTargetGroupAttributes",
                "iam:GetRole",
                "iam:GetPolicy",
                "elasticloadbalancing:CreateTargetGroup",
                "iam:DeleteRole",
                "iam:UpdateRoleDescription",
                "ec2:RunInstances",
                "elasticloadbalancing:DeregisterTargets",
                "ec2:StopInstances",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:CreateNetworkInterface",
                "ec2:DisassociateIamInstanceProfile",
                "elasticloadbalancing:AddTags",
                "ec2:CreateSubnet",
                "iam:CreateInstanceProfile",
                "iam:PutRolePermissionsBoundary",
                "ec2:CreateVpc",
                "iam:DeletePolicy",
                "iam:DeleteRolePermissionsBoundary",
                "iam:ListInstanceProfilesForRole",
                "elasticloadbalancing:RemoveTags",
                "iam:DeleteRolePolicy",
                "ec2:CreateSecurityGroup",
                "iam:CreatePolicyVersion",
                "iam:DeleteInstanceProfile",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:TerminateInstances",
                "iam:GetInstanceProfile",
                "ec2:DeleteRoute",
                "elasticloadbalancing:DeleteTargetGroup",
                "iam:CreatePolicy",
                "iam:ListPolicyVersions",
                "ec2:ModifyInstanceCreditSpecification",
                "ec2:DeleteSecurityGroup",
                "iam:UpdateRole",
                "iam:DeletePolicyVersion",
                "ec2:AssociateIamInstanceProfile",
                "elasticloadbalancing:ModifyTargetGroup",
                "elasticloadbalancing:DeleteListener"
            ],
            "Resource": [
                "arn:aws:iam::438881987742:policy/*",
                "arn:aws:iam::438881987742:role/*",
                "arn:aws:iam::438881987742:instance-profile/*",
                "arn:aws:elasticloadbalancing:*:438881987742:listener-rule/app/*/*/*/*",
                "arn:aws:elasticloadbalancing:*:438881987742:listener/app/*/*/*",
                "arn:aws:elasticloadbalancing:*:438881987742:listener/net/*/*/*",
                "arn:aws:elasticloadbalancing:*:438881987742:listener-rule/net/*/*/*/*",
                "arn:aws:elasticloadbalancing:*:438881987742:targetgroup/*/*",
                "arn:aws:ec2:*:438881987742:subnet/*",
                "arn:aws:ec2:*:438881987742:vpc/*",
                "arn:aws:ec2:*:438881987742:instance/*",
                "arn:aws:ec2:*:438881987742:volume/*",
                "arn:aws:ec2:*:438881987742:internet-gateway/*",
                "arn:aws:ec2:*:438881987742:network-interface/*",
                "arn:aws:ec2:*:438881987742:security-group/*",
                "arn:aws:ec2:*::image/*",
                "arn:aws:ec2:*:438881987742:route-table/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteSubnet",
                "ec2:ReplaceRouteTableAssociation",
                "ec2:DescribeInstances",
                "ec2:UnmonitorInstances",
                "ec2:MonitorInstances",
                "ec2:DescribeVolumesModifications",
                "ec2:AttachInternetGateway",
                "ec2:DisableVgwRoutePropagation",
                "ec2:AssociateVpcCidrBlock",
                "ec2:AssociateRouteTable",
                "ec2:DisassociateVpcCidrBlock",
                "ec2:DescribeInternetGateways",
                "elasticloadbalancing:DescribeLoadBalancers",
                "ec2:DescribeVolumes",
                "ec2:UnassignPrivateIpAddresses",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeRouteTables",
                "ec2:ModifyVolume",
                "ec2:DescribeVpcClassicLinkDnsSupport",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:CreateRouteTable",
                "ec2:DeleteNetworkInterface",
                "ec2:DetachInternetGateway",
                "ec2:AssignPrivateIpAddresses",
                "ec2:DisassociateRouteTable",
                "ec2:DescribeInstanceCreditSpecifications",
                "ec2:DescribeVpcClassicLink",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "ec2:GetPasswordData",
                "elasticloadbalancing:DescribeTargetGroupAttributes",
                "ec2:AssociateSubnetCidrBlock",
                "ec2:DeleteVpc",
                "ec2:AssociateAddress",
                "ec2:DescribeSubnets",
                "ec2:DisassociateAddress",
                "ec2:DescribeAddresses",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeVpcAttribute",
                "ec2:ModifySubnetAttribute",
                "elasticloadbalancing:DescribeListeners",
                "ec2:DescribeNetworkInterfaces",
                "ec2:ModifyVpcAttribute",
                "ec2:ModifyInstanceAttribute",
                "ec2:ReleaseAddress",
                "ec2:ModifyInstanceMetadataOptions",
                "ec2:DetachNetworkInterface",
                "ec2:DescribeIamInstanceProfileAssociations",
                "ec2:DescribeTags",
                "ec2:DisassociateSubnetCidrBlock",
                "ec2:AllocateAddress",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeImages",
                "ec2:DescribeVpcs",
                "ec2:EnableVgwRoutePropagation",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticloadbalancing:DescribeTargetGroups",
                "ec2:AttachNetworkInterface"
            ],
            "Resource": "*"
        }
    ]
}
AWS TGW Site

The following is the JSON view of the policy and permissions required to deploy an AWS Transit Gateway (TGW) site:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteSubnet",
                "ec2:ReplaceRouteTableAssociation",
                "ec2:DescribeInstances",
                "ec2:UnmonitorInstances",
                "ec2:MonitorInstances",
                "ec2:DescribeVolumesModifications",
                "ec2:AttachInternetGateway",
                "ec2:DisableVgwRoutePropagation",
                "ec2:AssociateVpcCidrBlock",
                "ec2:AssociateRouteTable",
                "ec2:DisassociateVpcCidrBlock",
                "ec2:DescribeInternetGateways",
                "elasticloadbalancing:DescribeLoadBalancers",
                "ec2:SearchTransitGatewayRoutes",
                "ec2:DescribeVolumes",
                "ec2:UnassignPrivateIpAddresses",
                "ec2:DeleteVpnConnection",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeRouteTables",
                "ec2:ModifyVolume",
                "ec2:DescribeVpnConnections",
                "ec2:DescribeVpcClassicLinkDnsSupport",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:CreateRouteTable",
                "ec2:DeleteNetworkInterface",
                "ec2:CreateCustomerGateway",
                "ec2:DetachInternetGateway",
                "ec2:AssignPrivateIpAddresses",
                "ec2:DisassociateRouteTable",
                "ec2:DescribeInstanceCreditSpecifications",
                "ec2:DescribeVpcClassicLink",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "ec2:GetPasswordData",
                "ec2:DescribeTransitGatewayAttachments",
                "elasticloadbalancing:DescribeTargetGroupAttributes",
                "ec2:GetTransitGatewayRouteTablePropagations",
                "ec2:AssociateSubnetCidrBlock",
                "ec2:DeleteVpc",
                "ec2:DescribeSubnets",
                "ec2:AssociateAddress",
                "ec2:DisassociateAddress",
                "ec2:DescribeTransitGatewayPeeringAttachments",
                "ec2:DescribeAddresses",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeTransitGateways",
                "ec2:DescribeVpcAttribute",
                "ec2:ModifySubnetAttribute",
                "elasticloadbalancing:DescribeListeners",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeTransitGatewayRouteTables",
                "ec2:ModifyVpcAttribute",
                "ec2:ModifyInstanceAttribute",
                "ec2:GetTransitGatewayRouteTableAssociations",
                "ec2:ReleaseAddress",
                "ec2:ModifyInstanceMetadataOptions",
                "ec2:DetachNetworkInterface",
                "ec2:DescribeIamInstanceProfileAssociations",
                "ec2:DescribeTags",
                "ec2:DescribeCustomerGateways",
                "ec2:DisassociateSubnetCidrBlock",
                "ec2:AllocateAddress",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeImages",
                "ec2:DescribeVpcs",
                "ec2:EnableVgwRoutePropagation",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticloadbalancing:DescribeTargetGroups",
                "ec2:AttachNetworkInterface",
                "ec2:DescribeTransitGatewayVpcAttachments"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:RemoveTags",
                "elasticloadbalancing:AddTags"
            ],
            "Resource": [
                "arn:aws:elasticloadbalancing:*:438881987742:listener-rule/app/*/*/*/*",
                "arn:aws:elasticloadbalancing:*:438881987742:listener/app/*/*/*",
                "arn:aws:elasticloadbalancing:*:438881987742:listener/net/*/*/*",
                "arn:aws:elasticloadbalancing:*:438881987742:listener-rule/net/*/*/*/*",
                "arn:aws:elasticloadbalancing:*:438881987742:targetgroup/*/*"
            ]
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "iam:UpdateAssumeRolePolicy",
                "iam:GetPolicyVersion",
                "ec2:AuthorizeSecurityGroupIngress",
                "elasticloadbalancing:ModifyListener",
                "elasticloadbalancing:RegisterTargets",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:CreateRole",
                "iam:AttachRolePolicy",
                "ec2:ReplaceRoute",
                "ec2:ReplaceIamInstanceProfileAssociation",
                "iam:AddRoleToInstanceProfile",
                "ec2:DeleteRouteTable",
                "iam:DetachRolePolicy",
                "ec2:StartInstances",
                "ec2:CreateRoute",
                "ec2:CreateInternetGateway",
                "ec2:RevokeSecurityGroupEgress",
                "iam:ListAttachedRolePolicies",
                "ec2:DeleteInternetGateway",
                "iam:ListRolePolicies",
                "elasticloadbalancing:ModifyTargetGroupAttributes",
                "iam:GetRole",
                "iam:GetPolicy",
                "ec2:CreateTags",
                "elasticloadbalancing:CreateTargetGroup",
                "ec2:RunInstances",
                "iam:DeleteRole",
                "iam:UpdateRoleDescription",
                "elasticloadbalancing:DeregisterTargets",
                "ec2:StopInstances",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:CreateNetworkInterface",
                "ec2:CreateTransitGatewayVpcAttachment",
                "ec2:DisassociateIamInstanceProfile",
                "elasticloadbalancing:AddTags",
                "ec2:CreateSubnet",
                "iam:CreateInstanceProfile",
                "ec2:DeleteTags",
                "iam:PutRolePermissionsBoundary",
                "ec2:CreateVpc",
                "iam:DeletePolicy",
                "iam:DeleteRolePermissionsBoundary",
                "iam:ListInstanceProfilesForRole",
                "elasticloadbalancing:RemoveTags",
                "ec2:CreateSecurityGroup",
                "iam:DeleteRolePolicy",
                "iam:CreatePolicyVersion",
                "iam:DeleteInstanceProfile",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:ModifyTransitGatewayVpcAttachment",
                "ec2:TerminateInstances",
                "iam:GetInstanceProfile",
                "ec2:DeleteRoute",
                "elasticloadbalancing:DeleteTargetGroup",
                "iam:CreatePolicy",
                "iam:ListPolicyVersions",
                "ec2:ModifyInstanceCreditSpecification",
                "ec2:DeleteSecurityGroup",
                "iam:UpdateRole",
                "ec2:AssociateIamInstanceProfile",
                "iam:DeletePolicyVersion",
                "elasticloadbalancing:ModifyTargetGroup",
                "elasticloadbalancing:DeleteListener"
            ],
            "Resource": [
                "arn:aws:ec2:*:438881987742:subnet/*",
                "arn:aws:ec2:*:438881987742:vpc/*",
                "arn:aws:ec2:*:438881987742:instance/*",
                "arn:aws:ec2:*:438881987742:volume/*",
                "arn:aws:ec2:*:438881987742:internet-gateway/*",
                "arn:aws:ec2:*:438881987742:network-interface/*",
                "arn:aws:ec2:*:438881987742:security-group/*",
                "arn:aws:ec2:*::image/*",
                "arn:aws:ec2:*:438881987742:route-table/*",
                "arn:aws:iam::438881987742:policy/*",
                "arn:aws:iam::438881987742:role/*",
                "arn:aws:iam::438881987742:instance-profile/*",
                "arn:aws:elasticloadbalancing:*:438881987742:listener-rule/app/*/*/*/*",
                "arn:aws:elasticloadbalancing:*:438881987742:listener/app/*/*/*",
                "arn:aws:elasticloadbalancing:*:438881987742:listener/net/*/*/*",
                "arn:aws:elasticloadbalancing:*:438881987742:listener-rule/net/*/*/*/*",
                "arn:aws:elasticloadbalancing:*:438881987742:targetgroup/*/*"
            ]
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:ModifyListener",
                "elasticloadbalancing:RegisterTargets",
                "elasticloadbalancing:CreateTargetGroup",
                "elasticloadbalancing:DeregisterTargets",
                "elasticloadbalancing:DeleteTargetGroup",
                "elasticloadbalancing:ModifyTargetGroupAttributes",
                "elasticloadbalancing:ModifyTargetGroup",
                "elasticloadbalancing:DeleteListener"
            ],
            "Resource": [
                "arn:aws:elasticloadbalancing:*:438881987742:listener-rule/app/*/*/*/*",
                "arn:aws:elasticloadbalancing:*:438881987742:listener/app/*/*/*",
                "arn:aws:elasticloadbalancing:*:438881987742:listener/net/*/*/*",
                "arn:aws:elasticloadbalancing:*:438881987742:listener-rule/net/*/*/*/*",
                "arn:aws:elasticloadbalancing:*:438881987742:targetgroup/*/*"
            ]
        }
    ]
}