Standard required IAM permissions for activating AWS environments

Review the list of IAM permissions required for activating Cloudera Data Warehouse (CDW) environments where CDW automatically creates and tags all of the resources in your AWS account for you.

The following permissions are required in your IAM policy for standard deployments of CDW, where all AWS cloud resources are automatically created for you in your AWS account:

Table 1. Standard IAM policy permissions required for environment activation in CDW
| AWS service | "Allow" actions |
|---|---|
| Certificate Manager (acm) | AddTagsToCertificate, DeleteCertificate, DescribeCertificate, ListCertificates, RequestCertificate |
| CloudFormation (cloudformation) | CreateStack, DeleteStack, DescribeStackEvents, DescribeStacks, UpdateStack |
| CloudWatch (logs) | PutRetentionPolicy |
| DynamoDB (dynamodb) | DeleteTable |
| EC2 (ec2) | AuthorizeSecurityGroupEgress, AuthorizeSecurityGroupIngress, CreateKeyPair, CreateLaunchTemplate, CreatePlacementGroup, CreateSecurityGroup, CreateTags, DeleteKeyPair, DeleteLaunchTemplate, DeletePlacementGroup, DeleteSecurityGroup, DescribeAccountAttributes, DescribeAvailabilityZones, DescribeDhcpOptions, DescribeKeyPairs, DescribeLaunchTemplates, DescribeLaunchTemplateVersions, DescribePlacementGroups, DescribeRouteTables, DescribeSecurityGroups, DescribeSubnets, DescribeVpcAttribute, DescribeVpcs, RevokeSecurityGroupEgress, RevokeSecurityGroupIngress, RunInstances |
| EC2 Auto Scaling (autoscaling) | CreateAutoScalingGroup, DescribeAutoScalingGroups, DeleteAutoScalingGroup, DescribeScalingActivities, SuspendProcesses, UpdateAutoScalingGroup |
| EFS (elasticfilesystem) | CreateFileSystem, CreateMountTarget, DeleteFileSystem, DeleteMountTarget, DescribeFileSystems, DescribeMountTargets |
| EKS (eks) | CreateCluster, DeleteCluster, DescribeCluster, DescribeUpdate, TagResource, UpdateClusterConfig, UpdateClusterVersion |
| IAM (iam) | AddRoleToInstanceProfile, AttachRolePolicy, CreateInstanceProfile, CreateRole, DeleteInstanceProfile, DeleteRole, DeleteRolePolicy, DetachRolePolicy, GetRole, GetRolePolicy, PassRole, PutRolePolicy, RemoveRoleFromInstanceProfile, SimulatePrincipalPolicy |
| KMS (kms) | CreateAlias, CreateGrant, CreateKey, DeleteAlias, DescribeKey, EnableKeyRotation, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ScheduleKeyDeletion, TagResource |
| RDS (rds) | AddTagsToResource, CreateDBInstance, CreateDBSubnetGroup, DeleteDBInstance, DeleteDBSubnetGroup, DescribeDBInstances, DescribeDBSubnetGroups |
| S3 (s3) | CreateBucket, DeleteBucket, DeleteObject, GetBucketLocation, GetEncryptionConfiguration, GetObject, ListBucket, PutBucketPublicAccessBlock, PutBucketTagging, PutEncryptionConfiguration, PutObjectAcl, PutObject |
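
One way to check an existing policy document against Table 1 before activation, as an added example (not Cloudera's code): it compares the Action patterns of Allow statements, including IAM wildcards and case-insensitive matching, with a subset of the table. `REQUIRED`, `SAMPLE_POLICY` and the function names are assumptions made for the illustration.

```python
import fnmatch
import json

# Subset of Table 1 (a few actions per service) to keep the example short;
# extend it with the remaining rows before relying on the result.
REQUIRED = {
    "acm": ["RequestCertificate", "DeleteCertificate"],
    "eks": ["CreateCluster", "DeleteCluster", "DescribeCluster"],
    "iam": ["CreateRole", "PassRole", "SimulatePrincipalPolicy"],
    "kms": ["CreateKey", "ScheduleKeyDeletion"],
    "s3": ["CreateBucket", "PutBucketPublicAccessBlock"],
}

# Constructed sample policy, not a Cloudera-supplied document.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Allow", "Resource": "*",
    "Action": ["eks:*", "acm:*Certificate", "s3:createbucket"]},
   {"Effect": "Allow", "Resource": "*", "Action": "iam:PassRole"},
   {"Effect": "Deny", "Resource": "*", "Action": "kms:*"}
 ]}
""")

def _listify(value):
    """IAM accepts a single item where a list is expected."""
    return value if isinstance(value, list) else [] if value is None else [value]

def allowed_patterns(policy):
    """Lower-cased Action patterns from Allow statements (NotAction is skipped)."""
    patterns = []
    for stmt in _listify(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            patterns += [a.lower() for a in _listify(stmt.get("Action"))]
    return patterns

def missing_actions(policy, required=REQUIRED):
    """Required 'service:Action' names no Allow pattern covers (case-insensitive, '*' and '?' wildcards)."""
    patterns = allowed_patterns(policy)
    missing = []
    for service, actions in required.items():
        for action in actions:
            name = f"{service}:{action}"
            if not any(fnmatch.fnmatchcase(name.lower(), p) for p in patterns):
                missing.append(name)
    return sorted(missing)

if __name__ == "__main__":
    print("\n".join(f"missing: {n}" for n in missing_actions(SAMPLE_POLICY)))
```

The check is static and looks only at Action patterns in Allow statements; Resource scoping, Condition keys and explicit Deny statements are not evaluated.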