AWS restricted policies

Customers whose security policies are stricter than what the default Cloudera cross-account policy permits can enable Cloudera Data Flow for a Cloudera environment with more restricted IAM policies. To do so, an administrator must attach the Compute Restricted IAM policy to the cross-account role associated with the Cloudera environment.

Cloudera Data Flow uses AWS IAM write permissions to create and delete roles and instance profiles. If your security requirements do not allow IAM write permissions in the role's policy, you can set up static, pre-created roles and an instance profile instead. Cloudera Data Flow then uses these pre-created roles and instance profile when provisioning the cluster.

To enable Cloudera Data Flow with restricted IAM policies, perform the following tasks:
  1. Create the IAM Roles and Instance Profile pair.
  2. Create the restricted policies and attach them to the Cloudera cross-account role.
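As an added example (not Cloudera's code or its Compute Restricted policy), the following Python check reports which IAM write actions a cross-account policy document still grants, so an administrator can confirm the role really lacks IAM write permission before relying on pre-created roles. The set of "write" actions and the two sample policy documents are assumptions constructed for this example.

```python
import fnmatch
from typing import Dict, Iterable, List, Set

# IAM actions that let a principal create or tear down the roles and instance
# profiles Cloudera Data Flow would otherwise manage itself. Assumption of this
# example: this is what "IAM write permission" means here, not Cloudera's own list.
IAM_WRITE_ACTIONS = {
    "iam:CreateRole", "iam:DeleteRole",
    "iam:CreateInstanceProfile", "iam:DeleteInstanceProfile",
    "iam:AddRoleToInstanceProfile", "iam:RemoveRoleFromInstanceProfile",
    "iam:PutRolePolicy", "iam:DeleteRolePolicy",
    "iam:AttachRolePolicy", "iam:DetachRolePolicy",
}

def _as_list(value) -> List[str]:
    # Statement, Action and NotAction may each be a single string or a list.
    return [] if value is None else (value if isinstance(value, list) else [value])

def _matched(patterns: Iterable[str]) -> Set[str]:
    # Expand wildcard patterns such as iam:* or iam:Create* (IAM action names are
    # case-insensitive) against the write list.
    return {a for p in patterns for a in IAM_WRITE_ACTIONS
            if fnmatch.fnmatchcase(a.lower(), p.lower())}

def iam_write_actions(policy: Dict) -> Set[str]:
    """IAM write actions the policy effectively allows: an explicit Deny beats an
    Allow (as in IAM evaluation); Resource and Condition are ignored, so the result
    errs on the side of flagging; an Allow with NotAction grants whatever it does not exclude."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        if "NotAction" in stmt:
            acts = IAM_WRITE_ACTIONS - _matched(_as_list(stmt["NotAction"]))
        else:
            acts = _matched(_as_list(stmt.get("Action")))
        (allowed if stmt.get("Effect") == "Allow" else denied).update(acts)
    return allowed - denied

def is_restricted(policy: Dict) -> bool:
    """True when the policy grants no IAM write action, so pre-created roles are required."""
    return not iam_write_actions(policy)

# Constructed sample: still lets the service create roles and instance profiles.
PERMISSIVE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:Create*", "iam:PassRole"], "Resource": "*"}]}
# Constructed sample: read-only IAM plus PassRole, with no IAM write action at all.
RESTRICTED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:GetRole", "iam:GetInstanceProfile", "iam:PassRole"],
     "Resource": "*"}]}
```

Feed the check the policy documents attached to the cross-account role (inline and managed) and treat any non-empty result as a sign that the role is not yet restricted.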