Creating AWS Identity and Access Management (IAM) Policies

In AWS, you create IAM policies (JSON policy documents) to control access to resources in a VPC. Use the AWS Policy Generator to create the policy document, keeping in mind the following requirements:
  • For EC2, Cloudera Director requires permissions for the following methods:
    • CreateTags
    • DescribeAvailabilityZones
    • DescribeImages
    • DescribeInstanceStatus
    • DescribeInstances
    • DescribeKeyPairs
    • DescribePlacementGroups
    • DescribeRegions
    • DescribeSecurityGroups
    • DescribeSubnets
    • RunInstances
    • TerminateInstances
  • To validate the templates used for EC2 instance creation, Cloudera Director requires permissions for the following IAM methods:
    • GetInstanceProfile
    • PassRole
  • To create RDS database servers for persistence on demand, Cloudera Director requires permissions for the following methods:
    • CreateDBInstance
    • DeleteDBInstance
    • DescribeDBInstances
  • With Cloudera Director 1.5 and higher, Cloudera Director requires permissions for the following method:
    • DescribeDBSecurityGroups

    This permission is required because, beginning with version 1.5, Cloudera Director includes early validation of RDS credentials at the time of creating or updating an environment, whether or not RDS database servers will be used.

Example IAM Policy

The following example IAM policy shows the format to use with Cloudera Director. Your Amazon Resource Name (ARN) will be different.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "directorEc2",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstances",
        "ec2:DescribeKeyPairs",
        "ec2:DescribePlacementGroups",
        "ec2:DescribeRegions",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:RunInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "*"
    },
    {
      "Sid": "directorIam",
      "Effect": "Allow",
      "Action": [
        "iam:GetInstanceProfile",
        "iam:PassRole"
      ],
      "Resource": "*"
    },
    {
      "Sid": "directorRds",
      "Effect": "Allow",
      "Action": [
        "rds:CreateDBInstance",
        "rds:DeleteDBInstance",
        "rds:DescribeDBInstances",
        "rds:DescribeDBSecurityGroups"
      ],
      "Resource": "*"
    },
    {
      "Sid": "directorSts",
      "Effect": "Allow",
      "Action": [
        "sts:DecodeAuthorizationMessage"
      ],
      "Resource": "*"
    }
  ]
}
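The following script, added here as an example and not part of Cloudera's documentation or product, checks a candidate policy document against the action list above and flags wildcard patterns that grant more than the enumerated methods. The policy it audits is constructed for illustration and deliberately omits one required RDS method.

```python
import fnmatch
import json

# Actions the page lists as required by Cloudera Director. sts:DecodeAuthorizationMessage
# appears only in the example policy, so it is not treated as required here.
REQUIRED_ACTIONS = {
    "ec2:CreateTags", "ec2:DescribeAvailabilityZones", "ec2:DescribeImages",
    "ec2:DescribeInstanceStatus", "ec2:DescribeInstances", "ec2:DescribeKeyPairs",
    "ec2:DescribePlacementGroups", "ec2:DescribeRegions", "ec2:DescribeSecurityGroups",
    "ec2:DescribeSubnets", "ec2:RunInstances", "ec2:TerminateInstances",
    "iam:GetInstanceProfile", "iam:PassRole",
    "rds:CreateDBInstance", "rds:DeleteDBInstance", "rds:DescribeDBInstances",
    "rds:DescribeDBSecurityGroups",
}

def _as_list(value):
    # IAM allows "Statement" and "Action" to be a single value or a list.
    return value if isinstance(value, list) else [value]

def _matches(action, patterns):
    # IAM action names are case-insensitive and patterns may contain '*' and '?'.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def audit_policy(policy_json, required=REQUIRED_ACTIONS):
    """Return (missing, broad): required actions not effectively allowed, and
    Allow patterns containing a wildcard that grant more than the listed methods."""
    allowed, denied = [], []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        bucket.extend(_as_list(stmt.get("Action", [])))
    missing = sorted(a for a in required
                     if not _matches(a, allowed) or _matches(a, denied))
    broad = sorted(p for p in allowed if "*" in p or "?" in p)
    return missing, broad

# Constructed sample policy: wildcard Describe* and no rds:DescribeDBSecurityGroups.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "ec2:Describe*", "ec2:CreateTags", "ec2:RunInstances", "ec2:TerminateInstances"]},
        {"Effect": "Allow", "Resource": "*", "Action": ["iam:GetInstanceProfile", "iam:PassRole"]},
        {"Effect": "Allow", "Resource": "*", "Action": [
            "rds:CreateDBInstance", "rds:DeleteDBInstance", "rds:DescribeDBInstances"]},
    ],
})

if __name__ == "__main__":
    missing, broad = audit_policy(SAMPLE_POLICY)
    print("missing:", missing)   # ['rds:DescribeDBSecurityGroups']
    print("broad:", broad)       # ['ec2:Describe*']
```

A policy that passes with an empty `missing` list and an empty `broad` list grants exactly the enumerated methods and nothing wider.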