Minimum set of IAM permissions required for reduced permissions mode

Review a list of the minimum IAM permissions required to activate AWS environments for Cloudera Data Warehouse (CDW) in reduced permissions mode.

The following is a list of the minimum permissions that are required for your IAM policy to activate environments for CDW in reduced permissions mode. In this mode you must manually create your CloudFormation stack from a template that CDW pre-populates in the AWS console for you. When you are finished using the stack, you must manually delete its resources in your AWS account.

Table 1. Minimum set of IAM policy permissions required for environment activation in CDW in reduced permissions mode
| AWS service | "Allow" actions |
|---|---|
| Certificate Manager (acm) | DescribeCertificate, ListCertificates |
| CloudFormation (cloudformation) | DescribeStackEvents, DescribeStacks, UpdateStack |
| CloudWatch (logs) | CreateLogGroup, CreateLogStream, DescribeLogStreams, PutLogEvents, PutRetentionPolicy |
| EC2 (ec2) | CreateKeyPair, CreateTags, DeleteKeyPair, DeleteTags, DescribeDhcpOptions, DescribeKeyPairs, DescribeRouteTables, DescribeSubNets, DescribeVpcAttribute, DescribeVpcs |
| EC2 Auto Scaling (autoscaling) | DescribeAutoScalingGroups, SuspendProcesses, UpdateAutoScalingGroup |
| EKS (eks) | DescribeCluster, DescribeUpdate, TagResource, UpdateClusterConfig, UpdateClusterVersion |
| IAM (iam) | DeleteRolePolicy, GetRolePolicy, ListAttachedRolePolicies*, PutRolePolicy, SimulatePrincipalPolicy |
| S3 (s3) | GetBucketLocation, GetObject, ListBucket, PutObjectAcl, PutObject |

*Needed only in a Ranger Authorization (RAZ) environment.
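
The following is an added example, not Cloudera's code: a Python check that compares the Allow actions of an IAM policy against Table 1 and reports which required actions are missing and which grants go beyond the minimum set. The names `REQUIRED`, `RAZ_ONLY`, `SAMPLE`, `required_actions` and `audit` are hypothetical, the sample policy is constructed, and action names are compared lower-cased because IAM matches them case-insensitively.

```python
import fnmatch

# Minimum "Allow" actions, transcribed from Table 1 (spelling as printed there).
REQUIRED = {
    "acm": ["DescribeCertificate", "ListCertificates"],
    "cloudformation": ["DescribeStackEvents", "DescribeStacks", "UpdateStack"],
    "logs": ["CreateLogGroup", "CreateLogStream", "DescribeLogStreams",
             "PutLogEvents", "PutRetentionPolicy"],
    "ec2": ["CreateKeyPair", "CreateTags", "DeleteKeyPair", "DeleteTags",
            "DescribeDhcpOptions", "DescribeKeyPairs", "DescribeRouteTables",
            "DescribeSubNets", "DescribeVpcAttribute", "DescribeVpcs"],
    "autoscaling": ["DescribeAutoScalingGroups", "SuspendProcesses",
                    "UpdateAutoScalingGroup"],
    "eks": ["DescribeCluster", "DescribeUpdate", "TagResource",
            "UpdateClusterConfig", "UpdateClusterVersion"],
    "iam": ["DeleteRolePolicy", "GetRolePolicy", "PutRolePolicy",
            "SimulatePrincipalPolicy"],
    "s3": ["GetBucketLocation", "GetObject", "ListBucket", "PutObjectAcl",
           "PutObject"],
}
RAZ_ONLY = {"iam": ["ListAttachedRolePolicies"]}  # the table's starred entry

# Constructed sample policy: S3 wildcard, nothing for EKS, one unrelated action.
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["s3:*", "ec2:Describe*", "ec2:RunInstances", "acm:ListCertificates"]}]}


def required_actions(raz=False):
    """Lower-cased 'service:action' set for the table (IAM ignores action case)."""
    table = {s: a + (RAZ_ONLY.get(s, []) if raz else []) for s, a in REQUIRED.items()}
    return {f"{s}:{a}".lower() for s, acts in table.items() for a in acts}


def audit(policy, raz=False):
    """Return (missing, excess) action lists for a policy's Allow statements."""
    # Assumption: only Effect and Action are read; Deny, NotAction, Resource
    # and Condition are outside the scope of this check.
    stmts = policy["Statement"]
    granted = set()
    for st in [stmts] if isinstance(stmts, dict) else stmts:
        acts = st.get("Action", []) if st.get("Effect") == "Allow" else []
        granted |= {a.lower() for a in ([acts] if isinstance(acts, str) else acts)}
    need = required_actions(raz)
    missing = {n for n in need if not any(fnmatch.fnmatchcase(n, g) for g in granted)}
    excess = granted - need  # wildcards and unlisted actions both land here
    return sorted(missing), sorted(excess)
```

Pass `raz=True` when auditing a policy for a RAZ environment so that the starred IAM action is treated as required rather than reported as excess.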