Access from CDP to customer resources
CDP creates clusters and runs jobs in your cloud provider account on your behalf.
CDP needs your permission to use the resources that those clusters and jobs require in your cloud provider account. To allow CDP to create clusters or run jobs in your AWS account, your AWS administrator must create a cross-account access IAM role and grant CDP access to the role as a trusted principal. The policy defined for the cross-account access IAM role must include permissions that allow CDP to create and manage instances, perform the tasks, and access the resources required for the CDP clusters and jobs.
In addition, CDP requires that your gateway security group has port 9443 open to the CDP Management Console CIDR so that the Management Console can communicate with Data Lake clusters and Data Hub clusters.
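A check of the two requirements above, added here as an example and not taken from the CDP documentation: it reviews a role's trust policy for principals other than the expected account, and a gateway security group for whether port 9443 is open to the Management Console CIDR and to anything else. The account ID and CIDR are constructed placeholders, the function names are hypothetical, and the inputs are assumed to follow the shapes of an IAM trust policy document and the EC2 `IpPermissions` list.

```python
import ipaddress

# Constructed placeholders, not real CDP values: substitute the account ID and
# Management Console CIDR given in your CDP setup instructions.
CDP_ACCOUNT_ID = "111122223333"
CDP_CONSOLE_CIDR = "203.0.113.0/24"
GATEWAY_PORT = 9443

def _as_list(value):
    return value if isinstance(value, list) else [value]

def trust_policy_findings(policy, expected_account=CDP_ACCOUNT_ID):
    """Report every principal, other than the expected account, allowed to assume the role."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        entries = [("AWS", "*")] if principal == "*" else [
            (kind, p) for kind, vals in principal.items() for p in _as_list(vals)]
        for kind, p in entries:
            parts = p.split(":")  # arn:aws:iam::<account>:root, or a bare account ID
            account = parts[4] if len(parts) > 4 else p
            if kind != "AWS" or account != expected_account:
                findings.append(f"unexpected trusted principal {kind}:{p}")
    return findings

def gateway_ingress_findings(ip_permissions, allowed_cidr=CDP_CONSOLE_CIDR, port=GATEWAY_PORT):
    """Check that the port is open to allowed_cidr and list any other source ranges."""
    allowed = ipaddress.ip_network(allowed_cidr)
    findings, reachable = [], False
    for perm in ip_permissions:  # shape of EC2 DescribeSecurityGroups IpPermissions
        proto = perm.get("IpProtocol")
        in_range = perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)
        if proto != "-1" and not (proto == "tcp" and in_range):
            continue  # rule does not cover TCP on this port
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            same_family = net.version == allowed.version
            if same_family and allowed.subnet_of(net):
                reachable = True
            if not (same_family and net.subnet_of(allowed)):
                findings.append(f"review: port {port} open to {cidr}")
    if not reachable:
        findings.append(f"missing: port {port} not open to {allowed_cidr}")
    return findings
```

Rules that reference another security group as the source are not evaluated; review those by hand.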
For more information about credentials and security groups, refer to the following documentation: