AWS IAM Policies

The Aviatrix Controller in AWS is launched from a CloudFormation template. At launch time the template creates two IAM roles, aviatrix-role-ec2 and aviatrix-role-app, and two associated IAM policies, aviatrix-assume-role-policy and aviatrix-app-policy.

Update IAM Policies

These two roles and their associated policies allow the Controller to call AWS APIs to launch gateway instances, create route entries and build networks. The policy document therefore defines exactly what the Controller is permitted to do in your account.

Each Aviatrix Controller release adds features, so the IAM access policy may need to be updated to allow the Controller to use the new AWS services and API calls those features depend on.

To update it by replacing the current policy document with the latest default policy, follow these steps. Pasting over the document discards any custom statements you added to the policy, so record those first. Saving creates a new version of the managed policy and makes it the default; IAM retains up to five versions, so the previous version can be restored if the new one causes problems.

1. Update Primary Account IAM Policies

  1. Log in to your Primary Account on the AWS Console (typically the account in which you launched your Controller).
  2. Under Services, go to IAM.
  3. Click Policies.
  4. Search for “aviatrix-app-policy”.
  5. Click into “aviatrix-app-policy”.
  6. Click “Edit policy”.
  7. Click JSON.
  8. Replace the entire text with the latest policy from this link.
  9. Click “Review policy” to confirm there are no syntax errors and to review the services and actions the new policy grants before you save it.
  10. Click “Save changes” to apply the new aviatrix-app-policy.

2. Update Secondary Account IAM Policies

Currently there is no need to update Secondary Access Account IAM policies.

3. Aviatrix Services and IAM Policies

If you enable Amazon GuardDuty, the Controller’s IAM policy needs to be updated.
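As an added example (not Aviatrix's or AWS's own tooling), the following Python script does from the API side what steps 8 to 10 above do in the console, and adds the check a practitioner wants before saving: it validates the replacement document the way “Review policy” would, diffs the permissions the new policy grants against the current one so the change can be reviewed, and creates a new default version of the managed policy while handling IAM's five-version limit. The two policy documents and the account ID are constructed placeholders, not the real aviatrix-app-policy; the guardduty action in the sample stands in for the extra permissions mentioned in item 3. The upload path assumes boto3 and AWS credentials and is a dry run by default.

```python
# Added example for this page, not Aviatrix's own tooling. CURRENT_POLICY and
# NEW_POLICY are constructed samples, not the real aviatrix-app-policy text.
import json
from typing import Dict, List, Set, Tuple

# Constructed sample standing in for the policy currently in the account.
CURRENT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:Describe*", "ec2:RunInstances", "ec2:CreateRoute"],
         "Resource": "*"},
    ],
})

# Constructed sample standing in for the "latest default policy" to paste in.
NEW_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:Describe*", "ec2:RunInstances", "ec2:CreateRoute",
                    "ec2:ReplaceRoute", "guardduty:*"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/aviatrix-role-ec2"},
    ],
})

MANAGED_POLICY_MAX_CHARS = 6144  # IAM limit for managed policies, whitespace excluded

def validate_policy(document: str) -> List[str]:
    """Problems found (empty list = passes): what the console's "Review policy"
    step rejects (bad JSON, missing Version/Statement/Effect) plus the size limit."""
    try:
        policy = json.loads(document)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(policy, dict):
        return ["top level must be a JSON object"]
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    for i, stmt in enumerate(statements):
        for key in ("Effect", "Action", "Resource"):
            if key not in stmt:
                problems.append(f"statement {i} lacks {key}")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i} has an invalid Effect")
    if len(json.dumps(policy, separators=(",", ":"))) > MANAGED_POLICY_MAX_CHARS:
        problems.append(f"exceeds {MANAGED_POLICY_MAX_CHARS}-character limit")
    return problems

def _as_list(value) -> List[str]:
    return [value] if isinstance(value, str) else list(value)

def allowed_pairs(document: str) -> Set[Tuple[str, str]]:
    """Every (action, resource) pair granted by an Allow statement."""
    pairs = set()
    for stmt in json.loads(document)["Statement"]:
        if stmt.get("Effect") == "Allow":
            for action in _as_list(stmt["Action"]):
                for resource in _as_list(stmt["Resource"]):
                    pairs.add((action, resource))
    return pairs

def permission_diff(old: str, new: str) -> Dict[str, Set[Tuple[str, str]]]:
    """Grants the replacement adds to ('added') and drops from ('removed') the
    current policy. Read 'added' before saving: the Controller gains each pair."""
    old_pairs, new_pairs = allowed_pairs(old), allowed_pairs(new)
    return {"added": new_pairs - old_pairs, "removed": old_pairs - new_pairs}

def replace_policy_version(policy_arn: str, document: str, dry_run: bool = True):
    """API equivalent of Edit policy -> JSON -> Save changes: create a new default
    version. IAM keeps at most five versions per managed policy, so the oldest
    non-default one is deleted first when needed. Needs boto3 and credentials
    unless dry_run is set."""
    problems = validate_policy(document)
    if problems:
        raise ValueError("refusing to upload: " + "; ".join(problems))
    if dry_run:
        return f"would create new default version of {policy_arn}"
    import boto3  # lazy import so the offline checks above work without the SDK
    iam = boto3.client("iam")
    versions = iam.list_policy_versions(PolicyArn=policy_arn)["Versions"]
    if len(versions) >= 5:
        oldest = min((v for v in versions if not v["IsDefaultVersion"]),
                     key=lambda v: v["CreateDate"])
        iam.delete_policy_version(PolicyArn=policy_arn, VersionId=oldest["VersionId"])
    resp = iam.create_policy_version(PolicyArn=policy_arn, PolicyDocument=document,
                                     SetAsDefault=True)
    return resp["PolicyVersion"]["VersionId"]
```

To use it against a real account, fetch the current default version with `aws iam get-policy-version` (or `iam.get_policy_version` in boto3) into `CURRENT_POLICY`, paste the downloaded default policy into `NEW_POLICY`, print `permission_diff(CURRENT_POLICY, NEW_POLICY)["added"]` and review it, then call `replace_policy_version(policy_arn, NEW_POLICY, dry_run=False)`. Deleting the oldest non-default version is the same thing the console does silently when a sixth version is saved; if you rely on older versions for rollback, export them first.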