Customer-Managed VPC & IAM with Restrictions
Cloud Credential¶
Use this stripped down, minimal IAM Policy if you have pre-existing AWS resources that you need to use for the Amazon EKS Cluster. With this policy example, the customer is expected to create and provide references to the following:
- VPCs
- Subnets
- Route Table
- Internet Gateway
- NatGateway
- IAM Roles
- IAM Service Roles
- IAM Instance Profiles
Additional Restrictions
Allow updates and deletes on resources ONLY in specific VPCs OR with specific AWS tags.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:GetInstanceProfile",
"iam:ListInstanceProfiles",
"iam:ListInstanceProfilesForRole",
"iam:GetOpenIDConnectProvider",
"iam:TagRole",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:ListRoleTags",
"iam:ListPolicyVersions",
"iam:GetPolicy",
"iam:GetPolicyVersion"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"eks.amazonaws.com",
"ec2.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"cloudformation:GetTemplate",
"cloudformation:ListStacks",
"cloudformation:ListStackResources",
"cloudformation:ListStackSets",
"cloudformation:ListChangeSets",
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackResources",
"cloudformation:DescribeStackResource",
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeChangeSet",
"cloudformation:DescribeStackSet",
"cloudformation:DeleteStack",
"cloudformation:DeleteChangeSet",
"cloudformation:DeleteStackSet",
"cloudformation:CreateStackSet",
"cloudformation:UpdateStackSet",
"cloudformation:CreateChangeSet",
"cloudformation:ExecuteChangeSet",
"cloudformation:CreateStack",
"cloudformation:UpdateStack"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"eks:CreateAddon",
"eks:CreateCluster",
"eks:CreateFargateProfile",
"eks:DescribeNodegroup",
"eks:DescribeCluster",
"eks:DescribeAddon",
"eks:DescribeAddonVersions",
"eks:DescribeFargateProfile",
"eks:DescribeUpdate",
"eks:ListUpdates",
"eks:UpdateClusterVersion",
"eks:UpdateClusterConfig",
"eks:ListClusters",
"eks:ListNodegroups",
"eks:ListAddons",
"eks:ListFargateProfiles",
"eks:ListTagsForResource",
"eks:CreateNodegroup",
"eks:TagResource"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"eks:AccessKubernetesApi",
"eks:DeleteCluster",
"eks:UntagResource",
"eks:UpdateAddon",
"eks:UpdateNodegroupConfig",
"eks:UpdateNodegroupVersion",
"eks:DeleteAddon",
"eks:DeleteFargateProfile",
"eks:DeleteNodegroup"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/<KEY>": "<VALUE>"
}
}
},
{
"Effect": "Allow",
"Action": [
"autoscaling:CreateLaunchConfiguration",
"autoscaling:CreateAutoScalingGroup",
"autoscaling:CreateOrUpdateTags",
"autoscaling:DeleteTags",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeScheduledActions",
"autoscaling:DeleteLaunchConfiguration",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeScalingActivities"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:SetDesiredCapacity",
"autoscaling:SuspendProcesses",
"autoscaling:DeleteAutoScalingGroup"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"autoscaling:ResourceTag/<KEY>": "<VALUE>"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DeleteTags",
"ec2:ReleaseAddress",
"ec2:DescribeTags",
"ec2:CreateTags",
"ec2:AllocateAddress",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeImages",
"ec2:describeAddresses",
"ec2:DescribeRouteTables",
"ec2:DescribeVolumes",
"ec2:CreateLaunchTemplate",
"ec2:DescribeVpcAttribute",
"ec2:DescribeInternetGateways",
"ec2:DescribeNatGateways",
"ec2:DescribeVpcs",
"ec2:DescribeSecurityGroups",
"ec2:DescribeKeyPairs",
"ec2:DescribeInstances",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeSubnets",
"ec2:DescribeLaunchTemplateVersions",
"ec2:CreateSecurityGroup",
"ec2:DeleteLaunchTemplate",
"ec2:CreateLaunchTemplateVersion",
"ec2:RunInstances",
"ec2:ImportKeyPair",
"ec2:DescribeImageAttribute",
"ec2:DescribeInstanceTypeOfferings"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:RevokeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:DeleteSecurityGroup"
],
"Resource": "arn:aws:ec2:*:*:security-group/*",
"Condition": {
"ArnEquals": {
"ec2:Vpc": "arn:aws:ec2:<AWS_REGION>:<ACCOUNT_ID>:vpc/<vpc-id>"
}
}
},
{
"Effect": "Allow",
"Action": "ssm:GetParameter",
"Resource": "arn:aws:ssm:*:*:parameter/*"
}
]
}
Restricted IAM Policies on Resource ARN¶
Below is short snippet example for restricted Resource ARN
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "IAMRequesttags",
"Effect": "Allow",
"Action": [
"iam:TagRole",
"iam:CreateRole"
],
"Resource": "arn:aws:iam::<account-id>:role/*",
"Condition": {
"Null": {
"aws:RequestTag/<KEY>": "<VALUE>",
"aws:RequestTag/<KEY>": "<VALUE>"
}
}
},
{
"Sid": "IAMOIDC",
"Effect": "Allow",
"Action": [
"iam:CreateOpenIDConnectProvider",
"iam:TagOpenIDConnectProvider"
],
"Resource": "arn:aws:iam::<account-id>:oidc-provider/*",
"Condition": {
"Null": {
"aws:RequestTag/<KEY>": "<VALUE>",
"aws:RequestTag/<KEY>": "<VALUE>"
}
}
},
{
"Sid": "IAMResourcetags",
"Effect": "Allow",
"Action": [
"iam:DeleteRole",
"iam:TagRole",
"iam:PutRolePolicy",
"iam:DetachRolePolicy",
"iam:DeleteRolePolicy",
"iam:CreateRole"
],
"Resource": "arn:aws:iam::<account-id>:role/*",
"Condition": {
"Null": {
"iam:ResourceTag/<KEY>": "<VALUE>",
"iam:ResourceTag/<KEY>": "<VALUE>"
}
}
},
{
"Sid": "IAMAttachRolePolicy",
"Effect": "Allow",
"Action": [
"iam:AttachRolePolicy"
],
"Resource": "arn:aws:iam::<account-id>:role/*",
"Condition": {
"Null": {
"iam:ResourceTag/<KEY>": "<VALUE>",
"iam:ResourceTag/<KEY>": "<VALUE>"
},
"ArnLike": {
"iam:PolicyARN": "arn:aws:iam::*:policy/km*"
}
}
},
{
"Sid": "IAMOIDCResourcetags",
"Effect": "Allow",
"Action": [
"iam:CreateOpenIDConnectProvider",
"iam:TagOpenIDConnectProvider",
"iam:DeleteOpenIDConnectProvider"
],
"Resource": "arn:aws:iam::<account-id>:oidc-provider/*",
"Condition": {
"Null": {
"aws:ResourceTag/<KEY>": "<VALUE>",
"aws:ResourceTag/<KEY>": "<VALUE>"
}
}
},
{
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"eks.amazonaws.com",
"ec2.amazonaws.com"
]
},
"ArnLike": {
"iam:AssociatedResourceArn": "arn:aws:iam::<account-id>:role/rafay-*"
}
}
},
{
"Effect": "Allow",
"Action": [
"iam:CreateInstanceProfile",
"iam:GetOpenIDConnectProvider",
"iam:ListOpenIDConnectProviderTags",
"iam:DeleteInstanceProfile",
"iam:GetInstanceProfile",
"iam:GetRole",
"iam:RemoveRoleFromInstanceProfile",
"iam:ListInstanceProfiles",
"iam:AddRoleToInstanceProfile",
"iam:ListInstanceProfilesForRole",
"iam:GetRolePolicy",
"iam:DeleteServiceLinkedRole",
"iam:CreateServiceLinkedRole",
"iam:ListRoleTags",
"iam:ListAttachedRolePolicies"
],
"Resource": "*"
}
]
}
Restricted IAM Policies on Tags¶
Below is short snippet example for controlled Tags
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:GetOpenIDConnectProvider",
"iam:GetRole",
"iam:GetInstanceProfile",
"iam:GetRolePolicy",
"iam:ListOpenIDConnectProviderTags",
"iam:ListInstanceProfiles",
"iam:ListInstanceProfilesForRole",
"iam:ListRoleTags",
"iam:ListAttachedRolePolicies",
"iam:TagRole"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"eks.amazonaws.com",
"ec2.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"iam:CreateOpenIDConnectProvider",
"iam:TagOpenIDConnectProvider"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestTag/<KEY>": "<VALUE>"
}
}
},
{
"Effect": "Allow",
"Action": [
"iam:DeleteOpenIDConnectProvider"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/<KEY>": "<VALUE>"
}
}
},
{
"Effect": "Allow",
"Action": [
"cloudformation:ListStacks",
"cloudformation:ListStackResources",
"cloudformation:ListStackSets",
"cloudformation:ListChangeSets",
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackResources",
"cloudformation:DescribeStackResource",
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeChangeSet",
"cloudformation:DescribeStackSet",
"cloudformation:GetTemplate"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cloudformation:CreateStackSet",
"cloudformation:CreateStack",
"cloudformation:CreateChangeSet"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestTag/<KEY>": "<VALUE>"
}
}
},
{
"Effect": "Allow",
"Action": [
"cloudformation:DeleteStackSet",
"cloudformation:UpdateStackSet",
"cloudformation:UpdateStack",
"cloudformation:DeleteStack",
"cloudformation:DeleteChangeSet",
"cloudformation:ExecuteChangeSet"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/<KEY>": "<VALUE>"
}
}
},
{
"Effect": "Allow",
"Action": [
"eks:AccessKubernetesApi",
"eks:DescribeNodegroup",
"eks:DescribeCluster",
"eks:DescribeAddon",
"eks:DescribeAddonVersions",
"eks:DescribeFargateProfile",
"eks:DescribeUpdate",
"eks:ListTagsForResource",
"eks:ListUpdates",
"eks:ListClusters",
"eks:ListNodegroups",
"eks:ListAddons",
"eks:ListFargateProfiles"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"eks:CreateCluster",
"eks:CreateNodegroup",
"eks:CreateFargateProfile"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestTag/<KEY>": "<VALUE>"
}
}
},
{
"Effect": "Allow",
"Action": [
"eks:TagResource"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestTag/<KEY>": "<VALUE>"
}
}
},
{
"Effect": "Allow",
"Action": [
"eks:UpdateClusterVersion",
"eks:UpdateClusterConfig",
"eks:DeleteCluster",
"eks:UpdateAddon",
"eks:UpdateNodegroupConfig",
"eks:UpdateNodegroupVersion",
"eks:CreateAddon",
"eks:DeleteAddon",
"eks:DeleteNodegroup",
"eks:DeleteFargateProfile",
"eks:UntagResource"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/<KEY>": "<VALUE>"
}
}
},
{
"Effect": "Allow",
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeScheduledActions",
"autoscaling:DescribeScalingActivities"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"autoscaling:CreateOrUpdateTags",
"autoscaling:CreateLaunchConfiguration",
"autoscaling:CreateAutoScalingGroup"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestTag/<KEY>": "<VALUE>"
}
}
},
{
"Effect": "Allow",
"Action": [
"autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:SetDesiredCapacity",
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:SuspendProcesses",
"autoscaling:DeleteTags",
"autoscaling:DeleteLaunchConfiguration"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/<KEY>": "<VALUE>"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeVpcAttribute",
"ec2:DescribeInternetGateways",
"ec2:DescribeTags",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeVolumes",
"ec2:DescribeSubnets",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeImages",
"ec2:describeAddresses",
"ec2:DescribeVpcs",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeImageAttribute",
"ec2:DescribeKeyPairs",
"ec2:DescribeInstances",
"ec2:DescribeInstanceTypeOfferings"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:RunInstances"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateLaunchTemplate",
"ec2:CreateLaunchTemplateVersion",
"ec2:DeleteLaunchTemplate",
"ec2:ImportKeyPair"
],
"Resource": "*",
"Condition": {
"ForAllValues:StringEquals": {
"aws:TagKeys": "<KEY>"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DeleteTags",
"ec2:AssociateRouteTable",
"ec2:ReleaseAddress",
"ec2:AllocateAddress"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/<KEY>": "<VALUE>"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestTag/<KEY>": "<VALUE>"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateSecurityGroup"
],
"Resource": "*",
"Condition": {
"ForAllValues:StringEquals": {
"aws:TagKeys": "<KEY>"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DeleteSecurityGroup",
"ec2:RevokeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress"
],
"Resource": "*",
"Condition": {
"ForAllValues:StringEquals": {
"aws:TagKeys": ["<KEY>","aws:eks:cluster-name"]
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:ModifySecurityGroupRules",
"ec2:UpdateSecurityGroupRuleDescriptionsIngress",
"ec2:UpdateSecurityGroupRuleDescriptionsEgress"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/<KEY>": "<VALUE>"
}
}
},
{
"Effect": "Allow",
"Action": "ssm:GetParameter",
"Resource": "arn:aws:ssm:*:*:parameter/aws/service/*"
},
{
"Effect": "Allow",
"Action": [
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"kms:CreateGrant"
],
"Resource": "*"
}
]
}
Note
For customers who will manage their own IAM Roles and Policies, (3) ARNs are required when provisioning managed K8s clusters.
- Service Role ARN
- Instance Profile ARN
- Instance Role ARN