Ahana AWS IAM Policies
The Ahana Provisioning Role uses these AWS IAM policies to define only the permissions required to allow Ahana to orchestrate and deploy the needed resources in your AWS account.
Core Infrastructure AWS Policy
note
The Core Infrastructure AWS Policy is required only during creation or destruction of the Compute Plane, and can be detached from the Role. See Detached Core AWS Infrastructure Policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EC2AllowedPermissionsList",
"Action": [
"ec2:AllocateAddress",
"ec2:AssociateRouteTable",
"ec2:AttachInternetGateway",
"ec2:CreateInternetGateway",
"ec2:CreateNatGateway",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:CreateSecurityGroup",
"ec2:CreateSubnet",
"ec2:CreateVpc",
"ec2:CreateVpcEndpoint",
"ec2:DeleteVpcEndpoints",
"ec2:ModifySubnetAttribute",
"ec2:ModifyVpcAttribute",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Sid": "EC2AllowedPermissionsListForAhanaResourcesOnly",
"Condition": {
"StringEquals": {
"aws:ResourceTag/ahana:saasowner": "Ahana"
}
},
"Action": [
"ec2:Delete*",
"ec2:Detach*",
"ec2:Disassociate*",
"ec2:ReleaseAddress",
"ec2:TerminateInstances"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Sid": "ACMAllowedPermissionsList",
"Action": [
"ACM:AddTagsToCertificate",
"ACM:DescribeCertificate",
"ACM:ListCertificates",
"ACM:RequestCertificate"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Sid": "ACMAllowedPermissionsListForAhanaResourcesOnly",
"Condition": {
"StringEquals": {
"aws:ResourceTag/ahana:saasowner": "Ahana"
}
},
"Action": ["ACM:DeleteCertificate"],
"Resource": "*",
"Effect": "Allow"
},
{
"Sid": "EKSAllowedPermissionsListForAhanaResourcesOnly",
"Effect": "Allow",
"Action": [
"eks:AccessKubernetesApi",
"eks:AssociateEncryptionConfig",
"eks:AssociateIdentityProviderConfig",
"eks:CreateAddon",
"eks:DeleteAddon",
"eks:DeleteCluster",
"eks:DeregisterCluster",
"eks:DescribeAddon",
"eks:DescribeIdentityProviderConfig",
"eks:DescribeUpdate",
"eks:DisassociateIdentityProviderConfig",
"eks:ListAddons",
"eks:ListIdentityProviderConfigs",
"eks:ListNodegroups",
"eks:ListTagsForResource",
"eks:ListUpdates",
"eks:UntagResource",
"eks:UpdateAddon",
"eks:UpdateClusterConfig",
"eks:UpdateClusterVersion",
"eks:UpdateNodegroupConfig",
"eks:UpdateNodegroupVersion"
],
"Resource": [
"arn:aws:eks:*:*:addon/ahana-eks-cluster/*/*",
"arn:aws:eks:*:*:cluster/ahana-eks-cluster",
"arn:aws:eks:*:*:identityproviderconfig/ahana-eks-cluster/*/*/*",
"arn:aws:eks:*:*:nodegroup/ahana-eks-cluster/*/*"
]
},
{
"Sid": "EKSAllowedPermissionsList",
"Effect": "Allow",
"Action": [
"eks:CreateCluster",
"eks:DescribeAddonVersions",
"eks:RegisterCluster"
],
"Resource": "*"
}
]
}
Operations AWS Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EC2AllowedPermissionsList",
"Action": [
"ec2:AttachNetworkInterface",
"ec2:AttachVolume",
"ec2:CreateLaunchTemplate",
"ec2:CreateLaunchTemplateVersion",
"ec2:CreateNetworkInterface",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DeleteLaunchTemplate",
"ec2:Describe*",
"ec2:ModifyLaunchTemplate",
"ec2:RunInstances"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Sid": "EC2AllowedPermissionsListForAhanaResourcesOnly",
"Condition": {
"StringEquals": {
"aws:ResourceTag/ahana:saasowner": "Ahana"
}
},
"Action": [
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:DeleteNetworkInterface",
"ec2:DeleteSecurityGroup",
"ec2:RevokeSecurityGroupEgress"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Sid": "CloudFormationAllowedPermissionsList",
"Action": ["cloudformation:DescribeStacks"],
"Resource": "*",
"Effect": "Allow"
},
{
"Sid": "CloudFormationAllowedPermissionsListForAhanaResourcesOnly",
"Action": [
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:Describe*",
"cloudformation:Get*"
"cloudformation:List*"
"cloudformation:Update*"
],
"Resource": "arn:aws:cloudformation:*:*:stack/AHANA-*",
"Effect": "Allow"
},
{
"Sid": "IAMAllowedPermissionsList",
"Action": [
"iam:CreateServiceLinkedRole",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:ListInstanceProfiles",
"iam:ListRoles",
"iam:ListRolePolicies",
"iam:ListRoleTags"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Sid": "IAMAllowedPermissionsListForAhanaResourcesOnlyWithPermissionBoundary",
"Condition": {
"StringLike": {
"iam:PermissionsBoundary": "arn:aws:iam::123456789012:policy/ahana-cloud-boundary-policy"
}
},
"Action": [
"iam:AttachRolePolicy",
"iam:CreateRole",
"iam:CreatePolicy",
"iam:PutRolePolicy"
],
"Resource": [
"arn:aws:iam::*:role/AHANA-*",
"arn:aws:iam::*:instance-profile/AHANA-*",
"arn:aws:iam::*:policy/ahana-eks-cluster-*",
"arn:aws:iam::*:policy/ahana-generic-node-*",
"arn:aws:iam::*:policy/ahana-presto-cluster-node-*"
],
"Effect": "Allow"
},
{
"Sid": "IAMPassRolePermissionForAhanaResourcesOnly",
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"lambda.amazonaws.com",
"eks.amazonaws.com"
]
}
},
"Action": ["iam:PassRole"],
"Resource": "arn:aws:iam::*:role/AHANA-*",
"Effect": "Allow"
},
{
"Sid": "IAMAllowedPermissionsListForAhanaResourcesOnly",
"Action": [
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy"
"iam:Tag"
],
"Resource": [
"arn:aws:iam::*:role/AHANA-*",
"arn:aws:iam::*:instance-profile/AHANA-*",
"arn:aws:iam::*:policy/ahana-eks-cluster-*",
"arn:aws:iam::*:policy/ahana-generic-node-*",
"arn:aws:iam::*:policy/ahana-presto-cluster-node-*"
],
"Effect": "Allow"
},
{
"Sid": "S3AllowedPermissionsListForAhanaResourcesOnly",
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteObject",
"s3:Get*",
"s3:List*",
"s3:PutBucketTagging",
"s3:PutLifecycleConfiguration"
],
"Resource": "arn:aws:s3:::ahana-*",
"Effect": "Allow"
},
{
"Sid": "EKSAllowedPermissionsList",
"Action": [
"eks:ListClusters",
"eks:ListUpdates"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Sid": "EKSAllowedPermissionsListForAhanaResourcesOnly",
"Action": [
"eks:CreateNodegroup",
"eks:DeleteNodegroup",
"eks:DescribeCluster",
"eks:DescribeNodegroup",
"eks:TagResource"
],
"Resource": [
"arn:aws:eks:*:*:cluster/ahana-eks-cluster",
"arn:aws:eks:*:*:nodegroup/ahana-eks-cluster/*/*"
"arn:aws:eks:*:*:addon/ahana-eks-cluster/*/*"
],
"Effect": "Allow"
},
{
"Sid": "AutoScalingAllowedPermissionsList",
"Action": ["autoscaling:DescribeAutoScalingGroups"],
"Resource": "*",
"Effect": "Allow"
},
{
"Sid": "AutoScalingAllowedPermissionsListForAhanaResourcesOnly",
"Condition": {
"StringEquals": {
"aws:ResourceTag/eks:cluster-name": "ahana-eks-cluster"
}
},
"Action": ["autoscaling:UpdateAutoScalingGroup"],
"Resource": "*",
"Effect": "Allow"
},
{
"Sid": "LambdaAllowedPermissionsListForAhanaResourcesOnly",
"Action": ["lambda:*"],
"Resource": [
"arn:aws:lambda:*:*:layer:ahana-*",
"arn:aws:lambda:*:*:function:ahana-*"
],
"Effect": "Allow"
},
{
"Sid": "ELBAllowedPermissionsList",
"Action": ["elasticloadbalancing:DescribeLoadBalancers"],
"Resource": "*",
"Effect": "Allow"
},
{
"Sid": "S3AllowedPermissionsListForAhanaCFBucket",
"Action": ["s3:Get*", "s3:List*"],
"Resource": "arn:aws:s3:::*ahana-cloudformation-lambda-*",
"Effect": "Allow"
}
]
}
Permission Boundary AWS Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "NonIAMBoundary",
"Action": [
"autoscaling:*",
"ec2:*",
"ec2messages:*",
"ecr:Batch*",
"ecr:Describe*",
"ecr:Get*",
"ecr:List*",
"eks:*",
"elasticloadbalancing:*",
"events:*",
"lambda:AddPermission",
"lambda:RemovePermission",
"logs:*",
"s3:*",
"s3-object-lambda:Get*",
"s3-object-lambda:List*",
"ssm:*",
"ssmmessages:*",
"sts:AssumeRole",
"sts:TagSession"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Sid": "IAMPassRoleBoundary",
"Condition": {
"StringEquals": {
"iam:PassedToService": ["eks.amazonaws.com"]
}
},
"Action": ["iam:PassRole"],
"Resource": "arn:aws:iam::*:role/AHANA-*",
"Effect": "Allow"
},
{
"Sid": "EC2DenyBoundary",
"Condition": {
"StringNotEquals": {
"aws:ResourceTag/ahana:saasowner": "Ahana",
"aws:ResourceTag/kubernetes.io/cluster/ahana-eks-cluster": "owned"
}
},
"Action": [
"ec2:Delete*",
"ec2:Detach*",
"ec2:Disassociate*",
"ec2:ReleaseAddress",
"ec2:RevokeSecurityGroupEgress",
"ec2:TerminateInstances"
],
"Resource": "*",
"Effect": "Deny"
}
]
}
View the AWS Policies in Ahana
To view these policies in Ahana:
- Log in to Ahana.
- In the upper right, select the account name, then select Account Settings.
- In IAM Policy Settings, select View Policy for the policy.
