AWS IAM Policies

The Aviatrix Controller in AWS is launched by a CloudFormation script. During the launch time, two IAM roles are created, aviatrix-role-ec2 and aviatrix-role-app. Two associated IAM policies are also created, aviatrix-assume-role-policy and aviatrix-app-policy.

Automatically Updating IAM Policies

Login to the Controller. Go to Accounts -> Access Accounts. Select an account and click the 3 dots skewer, click Update Policy. The latest IAM policy will be updated for this account. Repeat this step for all other accounts.

Updating IAM Policies

This section describes how to update IAM policies manually. We recommend you to update automatically follow the instructions in the previous section.

These two roles and their associated policies allow the Controller to use AWS APIs to launch gateway instances, create new route entries and build networks.

As more features are added by Aviatrix with each release, the IAM Access Policy may need to be updated to allow the Controller to launch new services.


Please note that both the Aviatrix Controllers and the Aviatrix Gateways need access to the IAM policies.


Please ensure that IAM policies are consistent across all AWS accounts that the Controllers and Gateways are located in.

Updating the IAM policies with the latest one is done by replacing them. Follow these steps to update IAM policies for each AWS account that you set up in the Controller. Start with your primary account (the account you set up during onboarding) and then on to each secondary account if there is any.


  1. Login to the account on the AWS Console
  2. At Services, go to IAM
  3. Click Policies
  4. Search for aviatrix-app-policy
  5. Click into the aviatrix-app-policy
  6. Click Edit policy
  7. Click JSON
  8. Replace the entire text by the latest policy in this link
  9. Click Review policy to make sure there is no syntax error.
  10. Click Save changes to apply the new aviatrix-app-policy.
  11. It may take a few minutes for the policy to take effect.

Check IAM Policy Status

The aviatrix-app-policy is updated sometimes for new services offered by Aviatrix.

You can view if your IAM policy needs to be updated by going to Settings -> Advanced -> AWS IAM Policy Update. The Aviatrix Controller polls all AWS accounts upon each release to see if there is a new IAM policy available that you need to update for your accounts. Note: if you do not run any new features, chances are you do not need to update the IAM policies.

You can also check individual account IAM policy status by selecting the account and clicking Check.

To update IAM policy, follow the instructions here.