AWS IAM Policies

Aviatrix Controller in AWS is launched by a CloudFormation script. During the launch time, two IAM roles are created, aviatrix-role-ec2 and aviatrix-role-app. Two associated IAM policies are also created, aviatrix-assume-role-policy and aviatrix-app-policy.

Updating IAM Policies

These two roles and its associated policies allow the Controller to use AWS APIs to launch gateway instances, create new route entries and build networks.

As more features are added by Aviatrix with each release, the IAM Access Policy may need to be updated to allow the Controller to launch new services.


Please note that both the Aviatrix Controllers and the Aviatrix Gateways need access to the IAM policies.


Please ensure that IAM policies are consistent across all AWS accounts that the Controllers and Gateways are located in.

To update by replacing the current one with the latest default policy, follow these steps for each AWS account that is linked in your Controller. Start with your primary account and then on to each secondary account.


  1. Login to the account on the AWS Console
  2. At Services, go to IAM
  3. Click Policies
  4. Search for aviatrix-app-policy
  5. Click into the aviatrix-app-policy
  6. Click Edit policy
  7. Click JSON
  8. Replace the entire text by the latest policy in this link
  9. Click Review policy to make sure there is no syntax error.
  10. Click Save changes to apply the new aviatrix-app-policy.