AWS restricted policies

To enable the CML experience after the environment has been created, the Administrator needs to attach both the Compute (Liftie) restricted IAM policy and the CML restricted IAM policy to the cross-account role associated with the Environment. Review the policies before attaching them: the Compute policy's OtherPermissions statement grants iam:PassRole on Resource "*", which is wider than the role-scoped RestrictedIamPermissionsToClouderaResources statement and effectively supersedes it; if your security baseline requires least privilege, scope that PassRole entry to the same role ARNs. Note also that ec2:createTags on Resource "*" is conditioned only on the request tag, so the role can apply a Cloudera-Resource-Name tag of the form crn:cdp:* to any EC2 resource in the account, after which the tag-scoped statements (for example the instance stop/terminate permissions) apply to that resource as well.

Compute (Liftie) Restricted IAM policy

Replace the following placeholders in the JSON file, keeping the surrounding double quotes. Every placeholder must be replaced; an unreplaced placeholder is not a valid ARN and the policy will be rejected when it is created:
  • [YOUR-ACCOUNT-ID] with the 12-digit AWS account ID of the account that holds the cross-account role.
  • [YOUR-IAM-ROLE-NAME] with the name of the cross-account (restricted) IAM role to which this policy is attached; it is used as the target of the iam:SimulatePrincipalPolicy statement.
  • [YOUR-IDBROKER-ROLE-NAME] with the ID Broker Role name in use.
  • [YOUR-LOG-ROLE-NAME] with the Log Role name in use.
  • [YOUR-KMS-CUSTOMER-MANAGED-KEY-ARN] with the full ARN (not just the key ID) of the customer-managed KMS key in use; the policy grants only kms:CreateGrant and kms:DescribeKey on that key.

{
   "Version":"2012-10-17",
   "Id":"ComputePolicy_v1",
   "Statement":[
      {
         "Sid":"SimulatePrincipalPolicy",
         "Effect":"Allow",
         "Action":[
            "iam:SimulatePrincipalPolicy"
         ],
         "Resource":[
            "arn:aws:iam::[YOUR-ACCOUNT-ID]:role/[YOUR-IAM-ROLE-NAME]"
         ]
      },
      {
         "Sid":"RestrictedPermissionsViaClouderaRequestTag",
         "Effect":"Allow",
         "Action":[
            "cloudformation:CreateStack",
            "cloudformation:CreateChangeSet",
            "ec2:createTags",
            "eks:TagResource"
         ],
         "Resource":"*",
         "Condition":{
            "StringLike":{
               "aws:RequestTag/Cloudera-Resource-Name":[
                  "crn:cdp:*"
               ]
            }
         }
      },
      {
         "Sid":"RestrictedPermissionsViaClouderaResourceTag",
         "Effect":"Allow",
         "Action":[
            "autoscaling:DetachInstances",
            "autoscaling:ResumeProcesses",
            "autoscaling:SetDesiredCapacity",
            "autoscaling:SuspendProcesses",
            "autoscaling:UpdateAutoScalingGroup",
            "autoscaling:DeleteTags",
            "autoscaling:DescribeTags",
            "autoscaling:TerminateInstanceInAutoScalingGroup",
            "autoscaling:DescribeAutoScalingInstances",
            "autoscaling:DescribeLaunchConfigurations",
            "autoscaling:DeleteLaunchConfiguration",
            "cloudformation:DeleteStack",
            "cloudformation:DescribeStacks"
         ],
         "Resource":"*",
         "Condition":{
            "StringLike":{
               "aws:ResourceTag/Cloudera-Resource-Name":[
                  "crn:cdp:*"
               ]
            }
         }
      },
      {
         "Sid":"RestrictedPermissionsViaCloudFormation",
         "Effect":"Allow",
         "Action":[
            "ec2:CreateSecurityGroup",
            "ec2:DeleteSecurityGroup",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:RevokeSecurityGroupIngress",
            "ec2:AuthorizeSecurityGroupEgress",
            "ec2:RevokeSecurityGroupEgress",
            "ec2:CreateLaunchTemplate",
            "ec2:DeleteLaunchTemplate",
            "autoscaling:CreateAutoScalingGroup",
            "autoscaling:DeleteAutoScalingGroup",
            "autoscaling:CreateOrUpdateTags",
            "autoscaling:CreateLaunchConfiguration",
            "eks:CreateCluster",
            "eks:DeleteCluster"
         ],
         "Resource":"*",
         "Condition":{
            "ForAnyValue:StringEquals":{
               "aws:CalledVia":[
                  "cloudformation.amazonaws.com"
               ]
            }
         }
      },
      {
         "Sid":"RestrictedEC2PermissionsViaClouderaResourceTag",
         "Effect":"Allow",
         "Action":[
            "ec2:RebootInstances",
            "ec2:StartInstances",
            "ec2:StopInstances",
            "ec2:TerminateInstances"
         ],
         "Resource":[
            "*"
         ],
         "Condition":{
            "ForAnyValue:StringLike":{
               "ec2:ResourceTag/Cloudera-Resource-Name":[
                  "crn:cdp:*"
               ]
            }
         }
      },
      {
         "Sid":"RestrictedIamPermissionsToClouderaResources",
         "Effect":"Allow",
         "Action":[
            "iam:PassRole"
         ],
         "Resource":[
            "arn:aws:iam::[YOUR-ACCOUNT-ID]:role/[YOUR-IDBROKER-ROLE-NAME]",
            "arn:aws:iam::[YOUR-ACCOUNT-ID]:role/[YOUR-LOG-ROLE-NAME]",
            "arn:aws:iam::[YOUR-ACCOUNT-ID]:role/liftie-*-eks-service-role",
            "arn:aws:iam::[YOUR-ACCOUNT-ID]:role/liftie-*-eks-worker-nodes",
            "arn:aws:iam::[YOUR-ACCOUNT-ID]:role/cdp-eks-master-role"
         ]
      },
      {
         "Sid":"RestrictedKMSPermissionsUsingCustomerProvidedKey",
         "Effect":"Allow",
         "Action":[
            "kms:CreateGrant",
            "kms:DescribeKey"
         ],
         "Resource":[
            "[YOUR-KMS-CUSTOMER-MANAGED-KEY-ARN]"
         ]
      },
      {
         "Sid":"OtherPermissions",
         "Effect":"Allow",
         "Action":[
            "autoscaling:DescribeScheduledActions",
            "autoscaling:DescribeAutoScalingGroups",
            "autoscaling:DescribeScalingActivities",
            "cloudformation:DescribeChangeSet",
            "cloudformation:DeleteChangeSet",
            "cloudformation:ExecuteChangeSet",
            "cloudformation:CancelUpdateStack",
            "cloudformation:ContinueUpdateRollback",
            "cloudformation:DescribeStackEvents",
            "cloudformation:DescribeStackResource",
            "cloudformation:DescribeStackResources",
            "cloudwatch:deleteAlarms",
            "cloudwatch:putMetricAlarm",
            "dynamodb:DescribeTable",
            "ec2:AttachVolume",
            "ec2:CreateNetworkInterface",
            "ec2:CreatePlacementGroup",
            "ec2:CreateVolume",
            "ec2:DeleteKeyPair",
            "ec2:DeleteNetworkInterface",
            "ec2:DeletePlacementGroup",
            "ec2:DeleteVolume",
            "ec2:DescribeAccountAttributes",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeImages",
            "ec2:DescribeInstanceStatus",
            "ec2:DescribeInstances",
            "ec2:DescribeInstanceTypes",
            "ec2:DescribeKeyPairs",
            "ec2:DescribeLaunchTemplateVersions",
            "ec2:DescribeLaunchTemplates",
            "ec2:DescribeNetworkInterfaces",
            "ec2:DescribePlacementGroups",
            "ec2:DescribeRegions",
            "ec2:DescribeRouteTables",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeSubnets",
            "ec2:DescribeVolumes",
            "ec2:DescribeVpcAttribute",
            "ec2:DescribeVpcs",
            "ec2:ImportKeyPair",
            "ec2:RunInstances",
            "ec2:ModifyInstanceAttribute",
            "ec2:CreateLaunchTemplateVersion",
            "eks:DescribeCluster",
            "eks:ListUpdates",
            "eks:UpdateClusterConfig",
            "eks:UpdateClusterVersion",
            "eks:DescribeUpdate",
            "elasticloadbalancing:DescribeLoadBalancers",
            "iam:GetRole",
            "iam:ListRoles",
            "iam:GetRolePolicy",
            "iam:GetInstanceProfile",
            "iam:ListInstanceProfiles",
            "iam:ListRoleTags",
            "iam:RemoveRoleFromInstanceProfile",
            "iam:TagRole",
            "iam:UntagRole",
            "iam:PassRole"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Sid":"CfDeny",
         "Effect":"Deny",
         "Action":[
            "cloudformation:*"
         ],
         "Resource":[
            "*"
         ],
         "Condition":{
            "ForAnyValue:StringLike":{
               "cloudformation:ImportResourceTypes":[
                  "*"
               ]
            }
         }
      },
      {
         "Sid":"ForAutoscalingLinkedRole",
         "Effect":"Allow",
         "Action":[
            "iam:CreateServiceLinkedRole"
         ],
         "Resource":[
            "arn:aws:iam::[YOUR-ACCOUNT-ID]:role/aws-service-role/autoscaling-plans.amazonaws.com/AWSServiceRoleForAutoScalingPlans_EC2AutoScaling"
         ],
         "Condition":{
            "StringLike":{
               "iam:AWSServiceName":"autoscaling-plans.amazonaws.com"
            }
         }
      },
      {
         "Sid":"ForEksLinkedRole",
         "Effect":"Allow",
         "Action":[
            "iam:CreateServiceLinkedRole"
         ],
         "Resource":[
            "arn:aws:iam::[YOUR-ACCOUNT-ID]:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForEKS"
         ],
         "Condition":{
            "StringLike":{
               "iam:AWSServiceName":"eks.amazonaws.com"
            }
         }
      }
   ]
} 
   

CML restricted IAM policy

Replace the following placeholders in the JSON file, keeping the surrounding double quotes. Every placeholder must be replaced; an unreplaced placeholder is not a valid ARN and the policy will be rejected when it is created:

  • [YOUR-ACCOUNT-ID] with the 12-digit AWS account ID of the account that holds the cross-account role.
  • [YOUR-IAM-ROLE-NAME] with the name of the cross-account (restricted) IAM role to which this policy is attached; it is used as the target of the iam:SimulatePrincipalPolicy statement.

{
    "Version": "2012-10-17",
    "Id": "CMLPolicy_v1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:SimulatePrincipalPolicy",
            "Resource": "arn:aws:iam::[YOUR-ACCOUNT-ID]:role/[YOUR-IAM-ROLE-NAME]"
        },
        {
            "Sid": "RestrictedPermissionsViaClouderaRequestTag",
            "Effect": "Allow",
            "Action":[
                "elasticfilesystem:CreateFileSystem"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike":{
                    "aws:RequestTag/Cloudera-Resource-Name": "crn:cdp:*"
                }
            }
        },
        {
            "Sid": "OtherPermissions",
            "Effect": "Allow",
            "Action": [
                "elasticfilesystem:DescribeMountTargets",
                "elasticfilesystem:DeleteAccessPoint",
                "elasticfilesystem:CreateMountTarget",
                "elasticfilesystem:DescribeAccessPoints",
                "elasticfilesystem:DescribeFileSystems",
                "elasticfilesystem:DeleteMountTarget",
                "elasticfilesystem:CreateAccessPoint",
                "elasticfilesystem:DeleteFileSystem",
                "elasticfilesystem:DescribeMountTargetSecurityGroups"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ForEFSLinkedRole",
            "Effect": "Allow",
            "Action": [
              "iam:CreateServiceLinkedRole"
            ],
            "Resource": [
              "arn:aws:iam::[YOUR-ACCOUNT-ID]:role/aws-service-role/elasticfilesystem.amazonaws.com/AWSServiceRoleForAmazonElasticFileSystem"
            ],
            "Condition": {
              "StringLike": {
                "iam:AWSServiceName": "elasticfilesystem.amazonaws.com"
              }
            }
          }
    ]
}