AWS restricted policies
To enable the CDE experience after the environment has been created, the Administrator needs to attach the Compute (Liftie) Restricted IAM policy and the CDE restricted IAM policy with the cross-account role associated with the Environment.
Compute (Liftie) Restricted IAM policy
Replace the following placeholders in the JSON file:
- [YOUR-ACCOUNT-ID] with your account ID in use.
- [YOUR-IAM-ROLE-NAME] with the IAM restricted role associated with this policy.
- [YOUR-SUBNET-ARN-*] supplied during the Cloudbreak Environment(s) creation. Note: Please provide all the subnets present in all the Cloudbreak Environment(s) that you intend to use it for the experience. If at any point a new Cloudbreak Environment is created or an existing one is updated for subnets, the same should be updated here.
- [YOUR-IDBROKER-ROLE-NAME] with the ID Broker Role name in use.
- [YOUR-LOG-ROLE-NAME] with the Log Role name in use.
- [YOUR-KMS-CUSTOMER-MANAGED-KEY-ARN] with KMS key ARN.
{
"Version": "2012-10-17",
"Id": "ComputePolicy_v6",
"Statement": [
{
"Sid": "SimulatePrincipalPolicy",
"Effect": "Allow",
"Action": [
"iam:SimulatePrincipalPolicy"
],
"Resource": [
"arn:aws:iam::[YOUR-ACCOUNT-ID]:role/[YOUR-IAM-ROLE-NAME]"
]
},
{
"Sid": "RestrictedPermissionsViaClouderaRequestTag",
"Effect": "Allow",
"Action": [
"cloudformation:CreateStack",
"cloudformation:CreateChangeSet",
"ec2:createTags",
"eks:TagResource"
],
"Resource": "*",
"Condition": {
"StringLike": {
"aws:RequestTag/Cloudera-Resource-Name": [
"crn:cdp:*"
]
}
}
},
{
"Sid": "RestrictedPermissionsViaClouderaResourceTag",
"Effect": "Allow",
"Action": [
"autoscaling:DetachInstances",
"autoscaling:ResumeProcesses",
"autoscaling:SetDesiredCapacity",
"autoscaling:SuspendProcesses",
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:DeleteTags",
"autoscaling:TerminateInstanceInAutoScalingGroup",
"cloudformation:DeleteStack",
"cloudformation:DescribeStacks"
],
"Resource": "*",
"Condition": {
"StringLike": {
"aws:ResourceTag/Cloudera-Resource-Name": [
"crn:cdp:*"
]
}
}
},
{
"Sid": "RestrictedPermissionsViaCloudFormation",
"Effect": "Allow",
"Action": [
"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:RevokeSecurityGroupEgress",
"ec2:CreateLaunchTemplate",
"ec2:DeleteLaunchTemplate",
"autoscaling:CreateAutoScalingGroup",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:CreateOrUpdateTags",
"autoscaling:CreateLaunchConfiguration",
"eks:CreateCluster",
"eks:DeleteCluster"
],
"Resource": "*",
"Condition": {
"ForAnyValue:StringEquals": {
"aws:CalledVia": [
"cloudformation.amazonaws.com"
]
}
}
},
{
"Sid": "RestrictedEC2PermissionsViaClouderaResourceTag",
"Effect": "Allow",
"Action": [
"ec2:RebootInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances"
],
"Resource": [
"*"
],
"Condition": {
"ForAnyValue:StringLike": {
"ec2:ResourceTag/Cloudera-Resource-Name": [
"crn:cdp:*"
]
}
}
},
{
"Sid": "RestrictedIamPermissionsToClouderaResources",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::[YOUR-ACCOUNT-ID]:role/[YOUR-IDBROKER-ROLE-NAME]",
"arn:aws:iam::[YOUR-ACCOUNT-ID]:role/[YOUR-LOG-ROLE-NAME]",
"arn:aws:iam::[YOUR-ACCOUNT-ID]:role/liftie-*-eks-service-role",
"arn:aws:iam::[YOUR-ACCOUNT-ID]:role/liftie-*-eks-worker-nodes",
"arn:aws:iam::[YOUR-ACCOUNT-ID]:role/cdp-eks-master-role",
"arn:aws:iam::[YOUR-ACCOUNT-ID]:role/cdp-liftie-instance-profile"
]
},
{
"Sid": "RestrictedKMSPermissionsUsingCustomerProvidedKey",
"Effect": "Allow",
"Action": [
"kms:CreateGrant",
"kms:DescribeKey",
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
],
"Resource": [
"[YOUR-KMS-CUSTOMER-MANAGED-KEY-ARN]"
]
},
{
"Sid": "OtherPermissionsViaCloudFormation",
"Effect": "Allow",
"Action": [
"autoscaling:DescribeScheduledActions",
"autoscaling:DescribeTags",
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DeleteLaunchConfiguration",
"autoscaling:DescribeScalingActivities",
"dynamodb:DescribeTable",
"ec2:DeletePlacementGroup",
"ec2:DescribeAccountAttributes",
"ec2:DescribeImages",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInstances",
"ec2:DescribeKeyPairs",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeLaunchTemplates",
"ec2:DescribePlacementGroups",
"ec2:DescribeRegions",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeVolumes"
],
"Resource": [
"*"
],
"Condition": {
"ForAnyValue:StringEquals": {
"aws:CalledVia": [
"cloudformation.amazonaws.com"
]
}
}
},
{
"Sid": "OtherPermissionsViaClouderaResourceTag",
"Effect": "Allow",
"Action": [
"cloudformation:DescribeChangeSet",
"cloudformation:DeleteChangeSet",
"cloudformation:ExecuteChangeSet",
"cloudformation:CancelUpdateStack",
"cloudformation:ContinueUpdateRollback",
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeStackResource",
"cloudformation:DescribeStackResources",
"cloudwatch:deleteAlarms",
"cloudwatch:putMetricAlarm",
"ec2:AttachVolume",
"ec2:CreateNetworkInterface",
"ec2:CreateVolume",
"ec2:DeleteVolume",
"ec2:ModifyInstanceAttribute",
"ec2:RunInstances",
"eks:ListUpdates",
"eks:UpdateClusterConfig",
"eks:UpdateClusterVersion",
"eks:DescribeUpdate",
"iam:GetRolePolicy",
"iam:ListInstanceProfiles",
"iam:ListRoleTags",
"iam:RemoveRoleFromInstanceProfile",
"iam:TagRole",
"iam:UntagRole"
],
"Resource": [
"*"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/Cloudera-Resource-Name": [
"crn:cdp:*"
]
}
}
},
{
"Sid": "OtherPermissions",
"Effect": "Allow",
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"ec2:CreateLaunchTemplateVersion",
"ec2:CreatePlacementGroup",
"ec2:DeleteKeyPair",
"ec2:DeleteNetworkInterface",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInstanceTypes",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeSubnets",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcs",
"ec2:ImportKeyPair",
"eks:DescribeCluster",
"elasticloadbalancing:DescribeLoadBalancers",
"iam:GetRole",
"iam:ListRoles",
"iam:GetInstanceProfile",
"ssm:GetParameters"
],
"Resource": [
"*"
]
},
{
"Sid": "CfDeny",
"Effect": "Deny",
"Action": [
"cloudformation:*"
],
"Resource": [
"*"
],
"Condition": {
"ForAnyValue:StringLike": {
"cloudformation:ImportResourceTypes": [
"*"
]
}
}
},
{
"Sid": "ForAutoscalingLinkedRole",
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole"
],
"Resource": [
"arn:aws:iam::[YOUR-ACCOUNT-ID]:role/aws-service-role/autoscaling-plans.amazonaws.com/AWSServiceRoleForAutoScalingPlans_EC2AutoScaling"
],
"Condition": {
"StringLike": {
"iam:AWSServiceName": "autoscaling-plans.amazonaws.com"
}
}
},
{
"Sid": "ForEksLinkedRole",
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole"
],
"Resource": [
"arn:aws:iam::[YOUR-ACCOUNT-ID]:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForEKS"
],
"Condition": {
"StringLike": {
"iam:AWSServiceName": "eks.amazonaws.com"
}
}
}
]
} CDE restricted IAM policy
{
"Statement": [
{
"Sid": "ElasticFileSystem",
"Action": [
"elasticfilesystem:*"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Sid": "CloudWatch",
"Action": [
"cloudwatch:GetMetricData"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Sid": "ElasticLoadBalancing",
"Action": [
"elasticloadbalancing:*"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Sid": "RelationalDatabaseService",
"Action": [
"rds:*"
],
"Effect": "Allow",
"Resource": [
"*"
]
}
],
"Version": "2012-10-17"
}