Minimum set of IAM permissions required for reduced permissions mode

Review a list of the minimum IAM permissions required to activate AWS environments for Cloudera Data Warehouse (CDW) in reduced permissions mode.

The following is a list of the minimum permissions that are required for your IAM policy to activate environments for CDW in reduced permissions mode. In this mode you must manually create your CloudFormation stack from a template that CDW pre-populates in the AWS console for you. When you are finished using the stack, you must manually delete its resources in your AWS account.

Table 1. Minimum set of IAM policy permissions required for environment activation in CDW in reduced permissions mode
AWS service "Allow" actions Description
Certificate Manager (acm) DescribeCertificate Created by Cloud Formation to check the certification status during activation.
ListCertificates ACM validation adds DNS records.
CloudFormation (cloudformation) DescribeStackEvents Get Cloud Formation stack events, identify cause of failed CF stack creation failure
DescribeStacks Check the status of stack--error or completed, then install helm charts
UpdateStack Update Custom AMI, upgrade EKS
CloudWatch (logs) CreateLogGroup Create/name cloudwatch log group
CreateLogStream Create log stream of log group that originates from monitored application or resource
DescribeLogStreams List log streams for log groups
PutLogEvents Upload log events to log stream
PutRetentionPolicy Change number of days Cloudwatch retains
EC2 (ec2) CreateKeyPair

Create ssh Public key pair, pass to ec2 instances. Not required if passed/set/reused via CloudBreak

CreateTags Tag subnets and eks security group. Amazon EKS security group requirements and considerations
DeleteKeyPair Delete keypair while deactivating CDW // needed if CB env ssh is not reused
DeleteTags
DescribeDhcpOptions See points 2-3 in AWS Requirements Checklist
DescribeKeyPairs Validate CloudBreak env ssh key pair exists, not deleted inbetween; check for duplicate keypair in case of CDW created keypair
DescribeRouteTables
DescribeSubNets See Point 4 in AWS Requirements Checklist
DescribeVpcAttribute Validate enableDnsHostnames and enableDnsSupport VPC attributes; see 1 and 3 points in Footnote 3 URL
DescribeVpcs Validate ID of set of DHCP options associated with the VPC
EC2 Auto Scaling (autoscaling) DescribeAutoScalingGroups Get shared services/compute ASGs, update as part of AZRebalance
SuspendProcesses Suspend AZRebalance for autoscaling group; include AZRebalance; cannot suspend AZRebalance in cloudformation; edit/update ASGs with AWS API to avoid AWS re-balancing nodes for AZ (most nodes run in stateful/critical pods)
UpdateAutoScalingGroup Calico overlaynetwork option requires no EKS nodes up on installation; with CF stack creation 3 nodes start up, autoscaling group updates desired capacity to Zero via AWS API; need latest SSH key from CloudBreak for EKS node updates; new Launch template passes SSH key and updates in ASG
EKS (eks) DescribeCluster Calico overlaynetwork option requires no EKS nodes up on installation; with CF stack creation 3 nodes start up, autoscaling group updates desired capacity to Zero via AWS API; need latest SSH key from CloudBreak for EKS node updates; new Launch template passes SSH key and updates in ASG
DescribeUpdate Check status of Updates--enable Private EKS and Cloudwatch on EKS
TagResource Tag eks cluster, e.g.: clusterId, envId, clustername, accountId...
UpdateClusterConfig Update EKScluster config Enable Private EKS and Cloudwatch on EKS
UpdateClusterVersion Updates an Amazon EKS cluster to the specified Kubernetes version
IAM (iam) DeleteRolePolicy
GetRolePolicy Delete inline policies like efs, ebs, cluster-autoscaler etc created/attached to Node instance role at deactivation
ListAttachedRolePolicies* List policies attached to Ranger RAZ role; attach to NodeInstanceRole for S3 access if RAZ enabled
PutRolePolicy Add inline policies like efs, ebs, cluster-autoscaler to Node Instance Role
SimulatePrincipalPolicy Simulate Cloud Formation stack formation policies
RDS (rds) StartDBInstance
StopDBInstance
DescribeDBInstances
S3 (s3) GetBucketLocation Needed for external bucket feature via UI, where we validate the VPC and bucket region are the same
GetObject Get Cloud Formatoin template while CF stack creation may not be needed for reduced mode
ListBucket
PutObjectAcl
PutObject Put Cloud Formation template in SDX bucket

*Needed only in a Ranger Authorization (RAZ) environment.