AWS IAM requirements (VPC option only)
You must have AWS admin privileges to create a Cloudera Private Links Network with the VPC option. You also need the ability to update the cross-account access IAM role so that it includes the policy required for private links.
Cloudera documents two types of policies: the default policy and the minimum access policies. If you are using the former, you do not need to do anything. If you are using the latter, add the following additional policy, which grants the permissions needed to create private links:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ElasticComputeCloudFull",
      "Action": [
        "ec2:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "IdentityAccessManagementFull",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateInstanceProfile",
        "iam:CreateRole",
        "iam:DeleteInstanceProfile",
        "iam:DeleteRole",
        "iam:ListRolePolicies",
        "iam:GetInstanceProfile",
        "iam:GetRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:ListInstanceProfiles",
        "iam:PutRolePolicy",
        "iam:PassRole",
        "iam:GetRole",
        "iam:AddRoleToInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:DetachRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:SimulatePrincipalPolicy",
        "iam:ListRoles"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "IdentityAccessManagementLimited",
      "Action": [
        "iam:CreateServiceLinkedRole"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iam::*:role/aws-service-role/*"
      ]
    },
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:ModifyVpcEndpointServicePermissions",
        "ec2:ModifyVpcEndpointServiceConfiguration",
        "ec2:CreateVpcEndpointConnectionNotification",
        "ec2:DeleteVpcEndpoints",
        "ec2:CreateTags",
        "ec2:ModifySecurityGroupRules",
        "ec2:DescribeVpcEndpointServices",
        "ec2:DescribeVpcEndpointServiceConfigurations",
        "ec2:DeleteVpcEndpointServiceConfigurations",
        "ec2:ModifyVpcEndpointConnectionNotification",
        "ec2:DescribeSecurityGroups",
        "ec2:CreateVpcEndpointServiceConfiguration",
        "ec2:DescribeVpcEndpointServicePermissions",
        "ec2:CreateVpcEndpoint",
        "ec2:DescribeVpcs",
        "ec2:CreateSecurityGroup",
        "ec2:DeleteSecurityGroup",
        "route53:AssociateVPCWithHostedZone",
        "ec2:DescribeVpcEndpoints",
        "ec2:ModifyVpcEndpoint"
      ],
      "Resource": "*"
    }
  ]
}
This policy is only required while the Cloudera Private Links Network is being set up. Once the Cloudera Private Links Network has been created, you can revert to the minimum access policy.
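As an added example (not part of the Cloudera documentation), the Python script below checks offline whether a policy document grants a representative subset of the actions listed above, which is useful before the setup and again after reverting to the minimum access policy. The REQUIRED_ACTIONS subset and the sample policy are constructed for this check, and Resource and Condition elements are not evaluated.

```python
"""Offline check that an IAM policy document grants the actions the
Private Links Network setup calls for. Added example, not Cloudera tooling."""
import fnmatch
import json

# Representative subset of the actions in the policy above (chosen for this check).
REQUIRED_ACTIONS = [
    "ec2:CreateVpcEndpointServiceConfiguration",
    "ec2:CreateVpcEndpoint",
    "ec2:ModifyVpcEndpointServicePermissions",
    "ec2:CreateSecurityGroup",
    "ec2:AuthorizeSecurityGroupIngress",
    "route53:AssociateVPCWithHostedZone",
    "iam:CreateServiceLinkedRole",
]

def _as_list(value):
    # IAM allows a bare string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]

def allowed_actions(policy, required=REQUIRED_ACTIONS):
    """Map each required action to the Sid of the first Allow statement whose
    Action pattern matches it, or None if nothing grants it or a Deny matches.
    Only Action is evaluated; Resource and Condition are ignored (simplification)."""
    result = {}
    for action in required:
        grant, denied = None, False
        for stmt in _as_list(policy.get("Statement", [])):
            patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
            # IAM action matching is case-insensitive and supports * and ? wildcards.
            if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                continue
            if stmt.get("Effect") == "Deny":
                denied = True  # an explicit Deny overrides any Allow
            elif grant is None and stmt.get("Effect") == "Allow":
                grant = stmt.get("Sid", "<no Sid>")
        result[action] = None if denied else grant
    return result

def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Required actions that the policy does not grant, in the order listed."""
    return [a for a, sid in allowed_actions(policy, required).items() if sid is None]

# Constructed sample: a minimum-access style policy without the VPC endpoint rights.
MINIMAL_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "Describe", "Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
  {"Sid": "SLR", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole",
   "Resource": "arn:aws:iam::*:role/aws-service-role/*"}]}""")
```

Call missing_actions(MINIMAL_POLICY) to list what the sample lacks; pass your own role's policy document (for example from get-role-policy or get-policy-version) in its place.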