AWS restricted policies

Customers whose security policies are stricter than what the default Cloudera cross-account policy permits can enable DataFlow for a CDP environment with more restricted IAM policies. To do so, an administrator must attach the Compute Restricted IAM policy to the cross-account role associated with the CDP environment.

By default, DataFlow uses AWS IAM write permissions to create and delete the IAM roles and instance profiles it needs. If your security requirements do not allow IAM write permissions in the cross-account role's policy, you can instead pre-create static roles and an instance profile. DataFlow then uses these pre-created roles and instance profile when provisioning the cluster, and never needs to create or delete IAM resources itself.

To enable DataFlow with restricted IAM policies, perform the following tasks:
  1. Create the IAM Roles and Instance Profile pair.
  2. Create the CDP cross-account role credential.
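The two steps above as a script, added here as an illustration and not taken from Cloudera's documentation or tooling. The role, instance profile, credential and cross-account role ARN names are hypothetical placeholders; the `cdp environments create-aws-credential` invocation follows the CDP CLI syntax as the author understands it and should be checked against `cdp environments create-aws-credential help`. The Compute Restricted IAM policy itself is not reproduced on this page, so the script does not attach it. The final helper is a sanity check a practitioner would want before step 2: it lists any IAM role or instance-profile write actions a policy document still grants, so you can confirm the policy on the cross-account role really is free of them (the two policy documents it is run against are constructed samples, not Cloudera's policies).

```shell
#!/usr/bin/env bash
# Added example: static IAM role / instance-profile pair for DataFlow and the
# matching CDP credential. All names below are hypothetical placeholders.
set -eu

ROLE_NAME="${ROLE_NAME:-cdp-dataflow-compute-role}"
PROFILE_NAME="${PROFILE_NAME:-cdp-dataflow-compute-profile}"
CROSS_ACCOUNT_ROLE_ARN="${CROSS_ACCOUNT_ROLE_ARN:-arn:aws:iam::111122223333:role/cdp-cross-account-role}"
CREDENTIAL_NAME="${CREDENTIAL_NAME:-cdp-restricted-credential}"

# Trust policy for the static compute role: only EC2 instances may assume it,
# which is what an instance profile attached to cluster nodes requires.
ec2_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Step 1: create the role and instance profile pair that DataFlow will reuse
# instead of creating (and later deleting) its own.
create_role_and_profile() {
  local role="$1" profile="$2"
  aws iam create-role \
    --role-name "$role" \
    --assume-role-policy-document "$(ec2_trust_policy)"
  aws iam create-instance-profile --instance-profile-name "$profile"
  aws iam add-role-to-instance-profile \
    --instance-profile-name "$profile" --role-name "$role"
}

# Step 2: register the cross-account role as a CDP credential
# (assumed CDP CLI syntax; verify with `cdp environments create-aws-credential help`).
create_cdp_credential() {
  local name="$1" role_arn="$2"
  cdp environments create-aws-credential \
    --credential-name "$name" \
    --role-arn "$role_arn"
}

# Sanity check: read an IAM policy document on stdin and print, one per line,
# every IAM role / instance-profile write action it grants (or the iam:* wildcard).
# Empty output means the policy grants none of them.
iam_write_actions() {
  grep -oE '"iam:(Create|Delete)(Role|InstanceProfile)"|"iam:AddRoleToInstanceProfile"|"iam:RemoveRoleFromInstanceProfile"|"iam:\*"' \
    | tr -d '"' | LC_ALL=C sort -u
}

# Constructed sample policies (not Cloudera's): one that still grants IAM writes,
# and one restricted to passing the pre-created role and launching instances.
PERMISSIVE_POLICY='{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["iam:CreateRole","iam:DeleteRole","iam:CreateInstanceProfile","ec2:RunInstances"],"Resource":"*"}]}'
RESTRICTED_POLICY='{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["iam:PassRole","ec2:RunInstances"],"Resource":"*"}]}'

# Returns the write actions found in the permissive sample, for demonstration.
check_permissive_sample() { printf '%s' "$PERMISSIVE_POLICY" | iam_write_actions; }
# Returns nothing for the restricted sample, which is the state you want.
check_restricted_sample() { printf '%s' "$RESTRICTED_POLICY" | iam_write_actions; }

main() {
  create_role_and_profile "$ROLE_NAME" "$PROFILE_NAME"
  create_cdp_credential "$CREDENTIAL_NAME" "$CROSS_ACCOUNT_ROLE_ARN"
}

# Only touch AWS / CDP when explicitly asked; otherwise just run the offline check.
if [ "${1:-}" = "--apply" ]; then
  main
else
  echo "IAM write actions in permissive sample:"; check_permissive_sample
  echo "IAM write actions in restricted sample:"; check_restricted_sample
fi
```

Run the script with no arguments to see the policy check against the two samples; run it with `--apply` (with AWS and CDP CLI credentials configured) to perform the two steps. Pipe your own cross-account policy document into `iam_write_actions` to confirm it grants none of the create/delete actions before you rely on the pre-created role and profile.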