Privileges Assigned to the Aviatrix IAM Policy

When you onboard AWS to Aviatrix PaaS, Aviatrix creates a policy and roles needed to access your AWS resources. Aviatrix PaaS follows the best practice of least privilege when creating the IAM policy and roles.

This means that the policy grants only the permissions required for Aviatrix PaaS to manage AWS resources effectively, without granting excessive permissions that could lead to security vulnerabilities.

Aviatrix IAM Policy and Roles

When you onboard AWS, Aviatrix creates IAM policies and roles with the following names:

  • aviatrix-role-app

    The role that allows Aviatrix PaaS to perform actions in your AWS account.

  • aviatrix-platform-app-policy

    The policy attached to the aviatrix-role-app role.

  • aviatrix-role-ec2

    Minimal IAM role for EC2 instances deployed by Aviatrix. The name of the role must match AviatrixPrincipalArn, so the name is extracted from the ARN.

The IAM policy is designed to provide the minimum necessary permissions for Aviatrix PaaS to manage AWS resources effectively. For networking components (internet gateways, routes, and network interfaces), management permissions are conditioned on the Aviatrix-Created-Resource tag, so they apply only to Aviatrix-created resources and not to your existing AWS resources; the remaining statements are scoped by resource ARN pattern (for example, IAM roles and instance profiles prefixed with aviatrix-) rather than by tag. It includes permissions for the following actions:

  • Assume Role: Use STS to assume a role in your AWS account

  • Discover Resources: Enumerate and list compute, networking, and quota information

  • Manage Network Infrastructure: Create and configure VPCs, transit gateways, and more

  • Manage EC2 Instances: Deploy and configure Aviatrix gateways

  • Tag Resources: Apply "Aviatrix-Created-Resource" tag to all infrastructure it creates

Example IAM Policy

The following is an example of the IAM policy created by Aviatrix when you onboard AWS. This policy grants read-only access to discovery actions and allows management of Aviatrix-created networking components, EC2 instances, and tagging resources. The first listing is annotated with comments to explain each statement; because comments are not valid in an IAM policy document, use the un-annotated copy that follows it.

{
    "Version": "2012-10-17",
    "Statement": [
       {
// Grants read-only discovery access (Describe/Get/List/Search) across the services listed below
            "Action": [
                "ec2:Describe*",
                "ec2:Get*",
                "ec2:Search*",
                "elasticloadbalancing:Describe*",
                "route53:List*",
                "route53:Get*",
                "sqs:Get*",
                "sqs:List*",
                "sns:List*",
                "s3:List*",
                "s3:Get*",
                "iam:List*",
                "iam:Get*",
                "directconnect:Describe*",
                "guardduty:Get*",
                "guardduty:List*",
                "ram:Get*",
                "ram:List*",
                "networkmanager:Get*",
                "networkmanager:List*"
            ],
// The next statement allows managing EC2 networking components only if tagged with the Aviatrix-specific tag
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "ReadOnlyDiscoveryAccess"
        },
        {
            "Action": [
                "ec2:*InternetGateway*",
                "ec2:*Route*",
                "ec2:*NetworkInterface*"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/Aviatrix-Created-Resource": "Do-Not-Delete-Aviatrix-Created-Resource"
                }
            },
            "Effect": "Allow",
            "Sid": "NetworkingComponents"
        },
        {
// Allows creation and deletion of EC2 security groups and authorization of ingress rules
            "Sid": "EC2SecurityGroupManagement",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateSecurityGroup",
                "ec2:DeleteSecurityGroup",
                "ec2:AuthorizeSecurityGroupIngress"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:vpc/*"
            ]
        },
        {
// Grants permissions to manage EC2 instances and related resources
            "Action": [
                "ec2:*Instance*",
                "ec2:AllocateAddress",
                "ec2:AssociateAddress",
                "ec2:ReleaseAddress"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:key-pair/*",
                "arn:aws:ec2:*:*:image/*",
                "arn:aws:ec2:*:*:elastic-ip/*"
            ],
            "Effect": "Allow",
            "Sid": "EC2InstanceManagement"
        },
        {
// Allows launching EC2 instances; tag keys applied at launch are restricted to Aviatrix-Created-Resource, Name, and Type
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:placement-group/*",
                "arn:aws:ec2:*:*:snapshot/*",
                "arn:aws:ec2:*:*:launch-template/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": [
                        "RunInstances"
                    ]
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": [
                        "Aviatrix-Created-Resource",
                        "Name",
                        "Type"
                    ]
                }
            }
        },
        {
// Allows creating and deleting tags on EC2 resources
            "Action": [
                "ec2:CreateTags",
                "ec2:DeleteTags"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "EC2TAGManagement"
        },
        {
// Allows creation and deletion of EC2 key pairs
            "Sid": "EC2KeyPairManagement",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateKeyPair",
                "ec2:DeleteKeyPair"
            ],
            "Resource": "*"
        },
        {
// Allows managing CloudWatch log delivery
            "Action": [
                "logs:CreateLogDelivery",
                "logs:DeleteLogDelivery"
            ],
            "Resource": "*",
// The next statement allows managing IAM roles and instance profiles prefixed with 'aviatrix-'
            "Effect": "Allow"
        },
        {
            "Action": [
                "iam:PassRole",
                "iam:AddRoleToInstanceProfile",
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:CreateServiceLinkedRole",
                "iam:TagInstanceProfile"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aviatrix-*",
                "arn:aws:iam::*:instance-profile/aviatrix-*"
            ],
// The next statement allows managing IAM policy versions
            "Effect": "Allow"
        },
        {
            "Action": [
                "iam:DeletePolicyVersion",
                "iam:CreatePolicyVersion"
            ],
            "Resource": "*",
// The next statement grants read-only access to AWS CloudTrail for auditing
            "Effect": "Allow"
        },
        {
            "Action": [
                "cloudtrail:Get*",
                "cloudtrail:Describe*",
                "cloudtrail:List*",
                "cloudtrail:LookupEvents"
            ],
            "Resource": "*",
// The next statement grants read-only access to Amazon EKS clusters
            "Effect": "Allow"
        },
        {
            "Action": [
                "eks:ListClusters",
                "eks:DescribeCluster"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:Describe*",
                "ec2:Get*",
                "ec2:Search*",
                "elasticloadbalancing:Describe*",
                "route53:List*",
                "route53:Get*",
                "sqs:Get*",
                "sqs:List*",
                "sns:List*",
                "s3:List*",
                "s3:Get*",
                "iam:List*",
                "iam:Get*",
                "directconnect:Describe*",
                "guardduty:Get*",
                "guardduty:List*",
                "ram:Get*",
                "ram:List*",
                "networkmanager:Get*",
                "networkmanager:List*"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "ReadOnlyDiscoveryAccess"
        },
        {
            "Action": [
                "ec2:*InternetGateway*",
                "ec2:*Route*",
                "ec2:*NetworkInterface*"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/Aviatrix-Created-Resource": "Do-Not-Delete-Aviatrix-Created-Resource"
                }
            },
            "Effect": "Allow",
            "Sid": "NetworkingComponents"
        },
        {
            "Sid": "EC2SecurityGroupManagement",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateSecurityGroup",
                "ec2:DeleteSecurityGroup",
                "ec2:AuthorizeSecurityGroupIngress"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:vpc/*"
            ]
        },
        {
            "Action": [
                "ec2:*Instance*",
                "ec2:AllocateAddress",
                "ec2:AssociateAddress",
                "ec2:ReleaseAddress"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:key-pair/*",
                "arn:aws:ec2:*:*:image/*",
                "arn:aws:ec2:*:*:elastic-ip/*"
            ],
            "Effect": "Allow",
            "Sid": "EC2InstanceManagement"
        },
        {
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:placement-group/*",
                "arn:aws:ec2:*:*:snapshot/*",
                "arn:aws:ec2:*:*:launch-template/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": [
                        "RunInstances"
                    ]
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": [
                        "Aviatrix-Created-Resource",
                        "Name",
                        "Type"
                    ]
                }
            }
        },
        {
            "Action": [
                "ec2:CreateTags",
                "ec2:DeleteTags"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "EC2TAGManagement"
        },
        {
            "Sid": "EC2KeyPairManagement",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateKeyPair",
                "ec2:DeleteKeyPair"
            ],
            "Resource": "*"
        },
        {
            "Action": [
                "logs:CreateLogDelivery",
                "logs:DeleteLogDelivery"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "iam:PassRole",
                "iam:AddRoleToInstanceProfile",
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:CreateServiceLinkedRole",
                "iam:TagInstanceProfile"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aviatrix-*",
                "arn:aws:iam::*:instance-profile/aviatrix-*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "iam:DeletePolicyVersion",
                "iam:CreatePolicyVersion"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cloudtrail:Get*",
                "cloudtrail:Describe*",
                "cloudtrail:List*",
                "cloudtrail:LookupEvents"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "eks:ListClusters",
                "eks:DescribeCluster"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}