AWS restricted policy

As an administrator, to enable the Cloudera Data Warehouse service, your IAM role must include a policy that restricts access to the environment. This action is required before you activate the environment in Cloudera Data Warehouse so that the service is available to users.

The AWS restricted policy associates a cross-account role with the environment. In the AWS Management Console, find the IAM role you created and attach the following restricted policy:

{
	"Version": "2012-10-17",
	"Statement": [{
		"Sid": "ResourceTag",
		"Effect": "Allow",
		"Action": [
			"acm:DeleteCertificate",
			"autoscaling:DeleteAutoScalingGroup",
			"autoscaling:SuspendProcesses",
			"autoscaling:UpdateAutoScalingGroup",
			"cloudformation:DeleteStack",
			"cloudformation:DescribeStackEvents",
			"ec2:DeleteSecurityGroup",
			"eks:DeleteCluster",
			"elasticfilesystem:PutFileSystemPolicy",
			"rds:DeleteDBInstance",
			"rds:DeleteDBSecurityGroup",
			"rds:DeleteDBSubnetGroup"
		],
		"Resource": "*",
		"Condition": {
			"StringLike": {
				"aws:ResourceTag/Cloudera-Resource-Name": "crn:cdp:*"
			}
		}
	},
	{
		"Sid": "RequestTag",
		"Effect": "Allow",
		"Action": [
			"autoscaling:CreateAutoScalingGroup",
			"cloudformation:CreateStack",
			"eks:TagResource",
			"elasticfilesystem:CreateFileSystem",
			"kms:CreateGrant",
			"kms:CreateKey",
			"rds:AddTagsToResource"
		],
		"Resource": "*",
		"Condition": {
			"StringLike": {
				"aws:RequestTag/Cloudera-Resource-Name": "crn:cdp:*"
			}
		}
	},
	{
		"Sid": "cloudformation",
		"Effect": "Allow",
		"Action": [
			"ec2:AuthorizeSecurityGroupEgress",
			"ec2:AuthorizeSecurityGroupIngress",
			"ec2:CreateLaunchTemplate",
			"ec2:CreatePlacementGroup",
			"ec2:CreateSecurityGroup",
			"ec2:DeletePlacementGroup",
			"ec2:DeleteLaunchTemplate",
			"ec2:RevokeSecurityGroupEgress",
			"ec2:RevokeSecurityGroupIngress",
			"ec2:RunInstances",
			"elasticfilesystem:CreateMountTarget",
			"elasticfilesystem:DeleteFileSystem",
			"elasticfilesystem:DeleteMountTarget",
			"kms:CreateAlias",
			"rds:CreateDBInstance",
			"rds:CreateDBSubnetGroup",
			"rds:DescribeDBInstances",
			"rds:DescribeDBSubnetGroups",
			"acm:AddTagsToCertificate",
			"acm:DescribeCertificate",
			"acm:RequestCertificate",
			"autoscaling:DescribeScalingActivities",
			"ec2:DescribeAccountAttributes",
			"ec2:DescribeAvailabilityZones",
			"ec2:DescribeLaunchTemplates",
			"ec2:DescribeLaunchTemplateVersions",
			"ec2:DescribePlacementGroups",
			"ec2:DescribeSecurityGroups",
			"eks:DescribeCluster",
			"elasticfilesystem:DescribeFileSystems",
			"elasticfilesystem:DescribeMountTargets",
			"kms:DeleteAlias",
			"kms:DescribeKey",
			"kms:EnableKeyRotation",
			"kms:GenerateDataKey",
			"kms:GenerateDataKeyWithoutPlaintext",
			"kms:ScheduleKeyDeletion",
			"kms:TagResource",
			"logs:CreateLogGroup",
			"logs:CreateLogStream",
			"logs:DescribeLogStreams",
			"logs:PutLogEvents",
			"logs:PutRetentionPolicy",
			"eks:CreateCluster"
		],
		"Resource": "*",
		"Condition": {
			"ForAnyValue:StringEquals": {
				"aws:CalledVia": "cloudformation.amazonaws.com"
			}
		}
	},
	{
		"Sid": "AttachRole",
		"Effect": "Allow",
		"Action": "iam:AttachRolePolicy",
		"Resource": [
			"arn:aws:iam::*:role/env-*-dwx-stack-EKSServiceRole-*",
			"arn:aws:iam::*:role/env-*-dwx-stack-NodeInstanceRole-*"
		],
		"Condition": {
			"ForAnyValue:ArnEqualsIfExists": {
				"iam:PolicyARN": [
					"arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
					"arn:aws:iam::aws:policy/AmazonEKSServicePolicy",
					"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
					"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
					"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
					"arn:aws:iam::aws:policy/CloudWatchAgentAdminPolicy"
				]
			}
		}
	},
	{
		"Sid": "Role",
		"Effect": "Allow",
		"Action": [
			"iam:AddRoleToInstanceProfile",
			"iam:CreateInstanceProfile",
			"iam:CreateRole",
			"iam:DeleteInstanceProfile",
			"iam:DeleteRole",
			"iam:DeleteRolePolicy",
			"iam:DetachRolePolicy",
			"iam:GetRole",
			"iam:GetRolePolicy",
			"iam:PassRole",
			"iam:PutRolePolicy",
			"iam:RemoveRoleFromInstanceProfile"
		],
		"Resource": [
			"arn:aws:iam::*:instance-profile/env-*-dwx-stack-NodeInstanceProfile-*",
			"arn:aws:iam::*:role/env-*-dwx-stack-EKSServiceRole-*",
			"arn:aws:iam::*:role/env-*-dwx-stack-NodeInstanceRole-*"
		]
	},
	{
		"Sid": "gocode",
		"Effect": "Allow",
		"Action": [
			"acm:DescribeCertificate",
			"acm:ListCertificates",
			"cloudformation:DescribeStacks",
			"cloudformation:UpdateStack",
			"ec2:CreateKeyPair",
			"ec2:CreateTags",
			"ec2:DeleteKeyPair",
			"ec2:DescribeKeyPairs",
			"ec2:DescribeDhcpOptions",
			"ec2:DescribeSubnets",
			"ec2:DescribeVpcAttribute",
			"ec2:DescribeVpcs",
			"eks:DescribeUpdate",
			"autoscaling:DescribeAutoScalingGroups",
			"eks:UpdateClusterConfig",
			"eks:UpdateClusterVersion",
			"iam:ListAttachedRolePolicies",
			"iam:SimulatePrincipalPolicy"
		],
		"Resource": "*"
	},
	{
		"Sid": "S3full",
		"Effect": "Allow",
		"Action": [
			"s3:GetBucketLocation"
		],
		"Resource": "*"
	},
	{
		"Sid": "S3PutGetObject",
		"Effect": "Allow",
		"Action": [
			"s3:PutObject",
			"s3:GetObject"
		],
		"Resource": [
		"arn:aws:s3:::${DATALAKE_BUCKET}/cf-templates/*",
		"arn:aws:s3:::${DATALAKE_BUCKET}/backup/*"
		]
	},
	{
		"Sid": "UpgradeCfStack",
		"Effect": "Allow",
		"Action": [
			"cloudformation:GetTemplate",
			"cloudformation:GetTemplateSummary",
			"eks:ListUpdates",
			"ec2:CreateLaunchTemplateVersion",
			"autoscaling:TerminateInstanceInAutoScalingGroup",
			"autoscaling:DescribeScheduledActions",
			"autoscaling:SetDesiredCapacity",
			"ec2:DescribeInstances"
		],
		"Resource": "*"
	}]
}
  • ${DATALAKE_BUCKET} - Replace this with the name of your S3 bucket (the bucket name only; the arn:aws:s3::: prefix is already part of the Resource entries above). For example, my-bucket.