AWS restricted permissions policy

As Administrator, to restrict access to your Cloudera Data Warehouse service, your IAM role must include the AWS restricted policy. You must add the policy to your IAM role before you activate the environment in Cloudera Data Warehouse to make the service available to users.

The AWS restricted policy associates a cross-account role with the environment. In the AWS management console, find the IAM role you created, and attach the following restricted policy:

{
	"Version": "2012-10-17",
	"Statement": [{
			"Sid": "ResourceTag",
			"Effect": "Allow",
			"Action": [
				"acm:DeleteCertificate",
				"autoscaling:DeleteAutoScalingGroup",
				"autoscaling:SuspendProcesses",
				"autoscaling:UpdateAutoScalingGroup",
				"cloudformation:DeleteStack",
				"cloudformation:DescribeStackEvents",
				"ec2:DeleteSecurityGroup",
				"eks:DeleteCluster",
				"rds:DeleteDBInstance",
				"rds:DeleteDBSecurityGroup",
				"rds:DeleteDBSubnetGroup"
			],
			"Resource": "*",
			"Condition": {
				"StringLike": {
					"aws:ResourceTag/Cloudera-Resource-Name": "crn:cdp:*"
				}
			}
		},
		{
			"Sid": "RequestTag",
			"Effect": "Allow",
			"Action": [
				"autoscaling:CreateAutoScalingGroup",
				"cloudformation:CreateStack",
				"eks:TagResource",
				"kms:CreateGrant",
				"kms:CreateKey",
				"rds:AddTagsToResource"
			],
			"Resource": "*",
			"Condition": {
				"StringLike": {
					"aws:RequestTag/Cloudera-Resource-Name": "crn:cdp:*"
				}
			}
		},
		{
			"Sid": "cloudformation",
			"Effect": "Allow",
			"Action": [
				"ec2:AuthorizeSecurityGroupEgress",
				"ec2:AuthorizeSecurityGroupIngress",
				"ec2:CreateLaunchTemplate",
				"ec2:CreatePlacementGroup",
				"ec2:CreateSecurityGroup",
				"ec2:DeletePlacementGroup",
				"ec2:DeleteLaunchTemplate",
				"ec2:RevokeSecurityGroupEgress",
				"ec2:RevokeSecurityGroupIngress",
				"ec2:RunInstances",
				"elasticfilesystem:CreateFileSystem",
				"elasticfilesystem:CreateMountTarget",
				"elasticfilesystem:DeleteFileSystem",
				"elasticfilesystem:DeleteMountTarget",
				"kms:CreateAlias",
				"rds:CreateDBInstance",
				"rds:CreateDBSubnetGroup",
				"rds:DescribeDBInstances",
				"rds:DescribeDBSubnetGroups",
				"acm:AddTagsToCertificate",
				"acm:DescribeCertificate",
				"acm:RequestCertificate",
				"autoscaling:DescribeScalingActivities",
				"ec2:DescribeAccountAttributes",
				"ec2:DescribeAvailabilityZones",
				"ec2:DescribeLaunchTemplates",
				"ec2:DescribeLaunchTemplateVersions",
				"ec2:DescribePlacementGroups",
				"ec2:DescribeSecurityGroups",
				"eks:DescribeCluster",
				"elasticfilesystem:DescribeFileSystems",
				"elasticfilesystem:DescribeMountTargets",
				"kms:DeleteAlias",
				"kms:DescribeKey",
				"kms:EnableKeyRotation",
				"kms:GenerateDataKey",
				"kms:GenerateDataKeyWithoutPlaintext",
				"kms:ScheduleKeyDeletion",
				"kms:TagResource",
				"logs:PutRetentionPolicy",
				"eks:CreateCluster",
				"s3:CreateBucket"
			],
			"Resource": "*",
			"Condition": {
				"ForAnyValue:StringEquals": {
					"aws:CalledVia": "cloudformation.amazonaws.com"
				}
			}
		},
		{
			"Sid": "AttachRole",
			"Effect": "Allow",
			"Action": "iam:AttachRolePolicy",
			"Resource": [
				"arn:aws:iam::*:role/env-*-dwx-stack-EKSServiceRole-*",
				"arn:aws:iam::*:role/env-*-dwx-stack-NodeInstanceRole-*"
			],
			"Condition": {
				"ForAnyValue:ArnEqualsIfExists": {
					"iam:PolicyARN": [
						"arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
						"arn:aws:iam::aws:policy/AmazonEKSServicePolicy",
						"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
						"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
						"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
					]
				}
			}
		},
		{
			"Sid": "Role",
			"Effect": "Allow",
			"Action": [
				"iam:AddRoleToInstanceProfile",
				"iam:CreateInstanceProfile",
				"iam:CreateRole",
				"iam:DeleteInstanceProfile",
				"iam:DeleteRole",
				"iam:DeleteRolePolicy",
				"iam:DetachRolePolicy",
				"iam:GetRole",
				"iam:GetRolePolicy",
				"iam:PassRole",
				"iam:PutRolePolicy",
				"iam:RemoveRoleFromInstanceProfile"
			],
			"Resource": [
				"arn:aws:iam::*:instance-profile/env-*-dwx-stack-NodeInstanceProfile-*",
				"arn:aws:iam::*:role/env-*-dwx-stack-EKSServiceRole-*",
				"arn:aws:iam::*:role/env-*-dwx-stack-NodeInstanceRole-*"
			]
		},
		{
			"Sid": "gocode",
			"Effect": "Allow",
			"Action": [
				"acm:DescribeCertificate",
				"acm:ListCertificates",
				"cloudformation:DescribeStacks",
				"cloudformation:UpdateStack",
				"ec2:CreateKeyPair",
				"ec2:CreateTags",
				"ec2:DeleteKeyPair",
				"ec2:DescribeKeyPairs",
				"ec2:DescribeDhcpOptions",
				"ec2:DescribeSubnets",
				"ec2:DescribeVpcAttribute",
				"ec2:DescribeVpcs",
				"eks:DescribeUpdate",
				"autoscaling:DescribeAutoScalingGroups",
				"eks:UpdateClusterConfig",
				"eks:UpdateClusterVersion",
				"iam:SimulatePrincipalPolicy"
			],
			"Resource": "*"
		},
		{
			"Sid": "S3full",
			"Effect": "Allow",
			"Action": [
				"s3:DeleteBucket",
				"s3:DeleteObject",
				"s3:GetBucketLocation",
				"s3:GetEncryptionConfiguration",
				"s3:GetObject",
				"s3:ListBucket",
				"s3:PutBucketPublicAccessBlock",
				"s3:PutBucketTagging",
				"s3:PutEncryptionConfiguration",
				"s3:PutObject",
				"s3:PutObjectAcl"
			],
			"Resource": "*"
		},
		{
			"Sid": "UpgradeCfStack",
			"Effect": "Allow",
			"Action": [
				"cloudformation:GetTemplate",
				"cloudformation:GetTemplateSummary",
				"eks:ListUpdates",
				"ec2:CreateLaunchTemplateVersion",
				"autoscaling:TerminateInstanceInAutoScalingGroup",
				"autoscaling:DescribeScheduledActions",
				"autoscaling:SetDesiredCapacity",
				"ec2:DescribeInstances"
			],
			"Resource": "*"
		}
	]
}