-
Notifications
You must be signed in to change notification settings - Fork 2
/
restricted-policy-doc-1.json5
317 lines (317 loc) · 11.2 KB
/
restricted-policy-doc-1.json5
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ResourceTag",
// Control access to AWS service resources based on
// resource tags using ResourceTag/key-name
// condition key to allow access to resource or not
// based on resource tagging
"Effect": "Allow",
"Action": [
"acm:DeleteCertificate",
// Delete certificate attached to ELB
// created/deleted with cloudformation stack
"autoscaling:SuspendProcesses",
// Suspend AZRebalance for autoscaling group;
// include AZRebalance; cannot suspend
// AZRebalance in cloudformation; edit/update
// ASGs with AWS API to avoid AWS re-balancing
// nodes for AZ (most nodes run in
// stateful/critical pods)
"autoscaling:UpdateAutoScalingGroup",
// Calico overlaynetwork option requires no EKS
// nodes up on installation; with CF stack
// creation 3 nodes start up, autoscaling group
// updates desired capacity to Zero via AWS API;
// need latest SSH key from CloudBreak for EKS
// node updates; new Launch template passes
// SSH key and updates in ASG
"cloudformation:DeleteStack",
// Delete the cf stack created
"cloudformation:DescribeStackEvents",
// Get cf stack events, identify cause of failed
// cf stack creation failure
"elasticfilesystem:PutFileSystemPolicy",
// While creating EFS Filesystem give
// permission to attach FileSystem Policy
// for Client access via MountTarget and
// Encryption In transit
"rds:DeleteDBInstance",
// Delete DB instance used to store
// Metastore/Hive/Impala/Hue query data
"rds:DeleteDBSecurityGroup",
// Delete DB security group created via cf
"rds:DeleteDBSubnetGroup",
// Delete DB Subnet group created via cf
"ec2:DeleteKeypair"
// Delete keypair while deactivating CDW
// needed if CB env ssh is not reused
],
"Resource": "*",
"Condition": {
"StringLike": {
"aws:ResourceTag/Cloudera-Resource-Name": "crn:cdp:*"
}
}
},
{
"Sid": "RequestTag",
"Effect": "Allow",
"Action": [
"autoscaling:CreateAutoScalingGroup",
//Create autoscaling groups for cluster
"cloudformation:CreateStack",
// Activate createstack with
// cloudformation
"eks:TagResource",
// Tag eks cluster, e.g.: clusterId,
// envId, clustername, accountId...
"elasticfilesystem:CreateFileSystem",
// Create efs storage to be used by hive and
// Prometheus
"kms:CreateGrant",
// Use KMS keys in cryptographic
// operations, e.g. in ebs
"kms:CreateKey",
// During activation KMSKey created with cf
"rds:AddTagsToResource",
// In CF when creating RDS instance tag created
// with stack information adds metadata tags to
// Amazon RDS resource for use with cost
// allocation reporting to track cost of Amazon
// resources or to use in Condition statement
// of IAM policy for Amazon RDS
"cloudformation:UpdateStack"
// Update Custom AMI, upgrade EKS
],
"Resource": "*",
"Condition": {
"StringLike": {
"aws:RequestTag/Cloudera-Resource-Name": "crn:cdp:*"
}
}
},
{
"Sid": "AttachRole",
"Effect": "Allow",
"Action": "iam:AttachRolePolicy",
// Attach AWS managed policy ARNs to
// NodeInstance and EKS Service Roles
// See footnote 1.
"Resource": [
"arn:aws:iam::*:role/env-*-dwx-stack-EKSServiceRole-*",
"arn:aws:iam::*:role/env-*-dwx-stack-NodeInstanceRole-*"
],
"Condition": {
"ForAnyValue:ArnEqualsIfExists": {
"iam:PolicyARN": [
"arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
"arn:aws:iam::aws:policy/AmazonEKSServicePolicy",
"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
"arn:aws:iam::aws:policy/CloudWatchAgentAdminPolicy"
]
}
}
},
{
"Sid": "Role",
"Effect": "Allow",
"Action": [
"iam:AddRoleToInstanceProfile",
// Adds Node Instance IAM role to Ec2
// Node instance profile
"iam:CreateInstanceProfile",
// Creates Node Instance Profile
"iam:CreateRole",
// Creates Node Instance and EKS Service Roles
"iam:DeleteInstanceProfile",
// Delete Node Instance Profile at
// deactivation via cf stack creation
"iam:DeleteRole",
// Delete Node Instance and EKS Service
// Roles at deactivation
"iam:DeleteRolePolicy",
// Delete inline policies like efs, ebs,
// cluster-autoscaler etc created/attached
// to Node instance role at deactivation
"iam:DetachRolePolicy",
// Detach managed policy ARNs attached to Node
// Instance and EKS Service IAM roles at
// deactivation
"iam:GetRole",
// Retrieve details about Node Instance and EKS
// service IAM roles, recursively called by cf
"iam:GetRolePolicy",
// Get inline policy attached to Node Instance
// role
"iam:PassRole",
// Required permission to assign Node instance
// role to Ec2 Node instance profile
"iam:PutRolePolicy",
// Add inline policies like efs, ebs,
// cluster-autoscaler to Node Instance Role
"iam:RemoveRoleFromInstanceProfile"
//Removes IAM role from EC2 instance profile
],
"Resource": [
"arn:aws:iam::*:instance-profile/env-*-dwx-stack-NodeInstanceProfile-*",
"arn:aws:iam::*:role/env-*-dwx-stack-EKSServiceRole-*",
"arn:aws:iam::*:role/env-*-dwx-stack-NodeInstanceRole-*"
]
},
{
"Sid": "gocode",
"Effect": "Allow",
"Action": [
"acm:DescribeCertificate",
// ACM validation adds DNS records
"acm:ListCertificates",
//ACM validation adds DNS records
"ec2:DescribeKeyPairs",
// Validate CB env ssh key pair exists, not
// deleted inbetween; check for duplicate
// keypair in case of CDW created keypair
"ec2:DescribeDhcpOptions",
// See Point 2-3; see footnote 3
"ec2:DescribeSubnets",
// See Point 4 in footnote 3 URL
"ec2:DescribeVpcs",
// Validate ID of set of DHCP options
// associated with the VPC
"autoscaling:DescribeAutoScalingGroups",
// Get shared services/compute ASGs, update
// as part of AZRebalance
"iam:SimulatePrincipalPolicy",
// Simulate CF stack formation policies
"iam:ListAttachedRolePolicies",
// List policies attached to Ranger RAZ
// role; attach to NodeInstanceRole for
// S3 access if RAZ enabled and also to add cloudwatch access
"ec2:DescribeVpcAttribute",
// Validate enableDnsHostnames and
// enableDnsSupport VPC attributes;
// see 1 and 3 points in footnote 3 URL
"ec2:DescribeImages",
"ec2:CreateTags",
// Tag subnets and eks security group
// See footnote 2
"ec2:DeleteTags",
// Delete tags from shared subnet, delete any other tags
"ec2:CreateKeyPair",
// Create ssh Public key pair, pass to ec2
// instances. Not required if passed/set/
// reused via CB
"ec2:DescribeInstanceTypes"
// validate whether instance type is supported in a
// region or not
],
"Resource": "*"
},
{
"Sid": "gocodeStack",
"Effect": "Allow",
"Action": [
"cloudformation:DescribeStacks"
// Check the status of stack--error or
// completed, then install helm charts
],
"Resource": "arn:aws:cloudformation:*:*:stack/env-*-dwx-stack/*"
},
{
"Sid": "gocodeEKSCluster",
"Effect": "Allow",
"Action": [
"eks:UpdateClusterConfig",
// Update EKScluster config Enable
// Private EKS and Cloudwatch on EKS
"eks:UpdateClusterVersion",
// Updates an Amazon EKS cluster to
// the specified Kubernetes version.
"eks:DescribeUpdate"
// Check status of Updates--enable
// Private EKS and Cloudwatch on EKS
],
"Resource": "arn:aws:eks:*:*:cluster/env-*-dwx-stack-eks"
},
{
"Sid": "S3full",
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation"
// Needed for external bucket feature
// via UI, where we validate the VPC
// and bucket region are the same
],
"Resource": "*"
},
{
"Sid": "S3PutGetObject",
"Effect": "Allow",
"Action": [
"s3:PutObject",
// Put cf template in SDX bucket
"s3:GetObject"
// Get cf template while cf stack creation may
// not be needed for reduced mode
],
"Resource": [
"arn:aws:s3:::${DATALAKE_BUCKET}/cf-templates/*",
"arn:aws:s3:::${DATALAKE_BUCKET}/backup/*"
]
},
{
"Sid": "UpgradeCfStack",
"Effect": "Allow",
"Action": [
"cloudformation:GetTemplate",
// EKS upgrade gets Cloudformation
// template body and makew changes
"cloudformation:GetTemplateSummary",
// EKS upgrade loads CF template
// parameters to call method, then
// needs the permission
"eks:ListUpdates",
// Identifies resources related to eks change
"ec2:CreateLaunchTemplateVersion",
// launchTemplate cannot be changed,
// only new versions can be added
"autoscaling:TerminateInstanceInAutoScalingGroup",
// Upgrade terminates instances in old
// autoscalinggroup
"autoscaling:DescribeScheduledActions",
// Updatestack in control of instances
// of cluster autoscalinggroup, has permission
// to get status of group
"autoscaling:SetDesiredCapacity",
// DesiredCapacity can be changed with upgrade;
// will be set each time nodegroup is changed;
// nodegroup changes when related launchtemplate
// changes with new version of eks ami for
// upgrade, requiring permission
"ec2:DescribeInstances"
// Upgrade needs old/new instance status
],
"Resource": "*"
},
{
"Sid": "StartStopRDS",
"Effect": "Allow",
"Action": [
"rds:StartDBInstance",
// Stop RDS Instance while stopping the cluster
"rds:StopDBInstance",
// Start RDS Instance while starting the cluster
"rds:DescribeDBInstances"
// Describe RDBS (postgres) instance created by
// cf, used to detect quota of DB instance
],
"Resource": [
"arn:aws:rds:*:*:db:env-*-dwx-stack-rds",
"arn:aws:rds:*:*:subgrp:env-*-dwx-stack-dbsubnetgroup-*"
]
}
]
}