
Customer-Managed VPC & IAM with Restrictions

Cloud Credential

Use this stripped-down, minimal IAM policy if you have pre-existing AWS resources that the Amazon EKS cluster must use. With this policy, the customer is expected to create the following resources and provide references to them:

  • VPCs
  • Subnets
  • Route Table
  • Internet Gateway
  • NatGateway
  • IAM Roles
  • IAM Service Roles
  • IAM Instance Profiles

Additional Restrictions

The policy below allows updates and deletes ONLY on resources in specific VPCs OR on resources carrying specific AWS tags. Replace the `<KEY>`, `<VALUE>`, `<AWS_REGION>`, `<ACCOUNT_ID>` and `<vpc-id>` placeholders with your own values before attaching the policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetInstanceProfile",
                "iam:ListInstanceProfiles",
                "iam:ListInstanceProfilesForRole",
                "iam:GetOpenIDConnectProvider",
                "iam:TagRole",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:ListRoleTags"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "*",
            "Condition": {
                 "StringEquals": {
                     "iam:PassedToService": [
                         "eks.amazonaws.com",
                         "ec2.amazonaws.com"
                     ]
                 }
             }
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:GetTemplate",
                "cloudformation:ListStacks",
                "cloudformation:ListStackResources",
                "cloudformation:ListStackSets",
                "cloudformation:ListChangeSets",
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackResources",
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeChangeSet",
                "cloudformation:DescribeStackSet",
                "cloudformation:DeleteStack",
                "cloudformation:DeleteChangeSet",
                "cloudformation:DeleteStackSet",
                "cloudformation:CreateStackSet",
                "cloudformation:UpdateStackSet",
                "cloudformation:CreateChangeSet",
                "cloudformation:ExecuteChangeSet",
                "cloudformation:CreateStack",
                "cloudformation:UpdateStack"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "eks:CreateAddon",
                "eks:CreateCluster",
                "eks:CreateFargateProfile",
                "eks:DescribeNodegroup",
                "eks:DescribeCluster",
                "eks:DescribeAddon",
                "eks:DescribeAddonVersions",
                "eks:DescribeFargateProfile",
                "eks:DescribeUpdate",
                "eks:ListUpdates",
                "eks:UpdateClusterVersion",
                "eks:UpdateClusterConfig",
                "eks:ListClusters",
                "eks:ListNodegroups",
                "eks:ListAddons",
                "eks:ListFargateProfiles",
                "eks:ListTagsForResource",
                "eks:CreateNodegroup",
                "eks:TagResource"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "eks:AccessKubernetesApi",
                "eks:DeleteCluster",
                "eks:UntagResource",
                "eks:UpdateAddon",
                "eks:UpdateNodegroupConfig",
                "eks:UpdateNodegroupVersion",
                "eks:DeleteAddon",
                "eks:DeleteFargateProfile",
                "eks:DeleteNodegroup"
            ],
            "Resource": "*",
            "Condition": {
                 "StringEquals": {
                     "aws:ResourceTag/<KEY>": "<VALUE>"
                 }
             }
        },
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:CreateLaunchConfiguration",
                "autoscaling:CreateAutoScalingGroup",
                "autoscaling:CreateOrUpdateTags",
                "autoscaling:DeleteTags",
                "autoscaling:DescribeLaunchConfigurations",
                "autoscaling:DescribeScheduledActions",
                "autoscaling:DeleteLaunchConfiguration",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeScalingActivities"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:UpdateAutoScalingGroup",
                "autoscaling:TerminateInstanceInAutoScalingGroup",
                "autoscaling:SetDesiredCapacity",
                "autoscaling:SuspendProcesses",
                "autoscaling:DeleteAutoScalingGroup"
            ],
            "Resource": "*",
            "Condition": {
                 "StringEquals": {
                     "autoscaling:ResourceTag/<KEY>": "<VALUE>"
                 }
             }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteTags",
                "ec2:ReleaseAddress",
                "ec2:DescribeTags",
                "ec2:CreateTags",
                "ec2:AllocateAddress",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeImages",
                "ec2:describeAddresses",
                "ec2:DescribeRouteTables",
                "ec2:DescribeVolumes",
                "ec2:CreateLaunchTemplate",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeNatGateways",
                "ec2:DescribeVpcs",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeInstances",
                "ec2:DescribeLaunchTemplates",
                "ec2:DescribeSubnets",
                "ec2:DescribeLaunchTemplateVersions",
                "ec2:CreateSecurityGroup",
                "ec2:DeleteLaunchTemplate",
                "ec2:CreateLaunchTemplateVersion",
                "ec2:RunInstances",
                "ec2:ImportKeyPair",
                "ec2:DescribeImageAttribute",
                "ec2:DescribeInstanceTypeOfferings"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:RevokeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DeleteSecurityGroup"
            ],
            "Resource": "arn:aws:ec2:*:*:security-group/*",
            "Condition": {
                "ArnEquals": {
                    "ec2:Vpc": "arn:aws:ec2:<AWS_REGION>:<ACCOUNT_ID>:vpc/<vpc-id>"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "ssm:GetParameter",
            "Resource": "arn:aws:ssm:*:*:parameter/*"
        }
    ]
}

Restricted IAM Policies on Resource ARN

Below is a short example snippet of a policy restricted by resource ARN. Replace the `<account-id>`, `<KEY>` and `<VALUE>` placeholders with your own values. Note that a JSON object must not contain duplicate keys, so the two `<KEY>` placeholders in each condition block must become distinct tag keys, and that the `Null` condition operator takes `true` or `false` (whether the tag key may be absent) rather than a tag value.

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "IAMRequesttags",
        "Effect": "Allow",
        "Action": [
            "iam:TagRole",
            "iam:CreateRole"
        ],
        "Resource": "arn:aws:iam::<account-id>:role/*",
        "Condition": {
            "Null": {
                "aws:RequestTag/<KEY>": "<VALUE>",
                "aws:RequestTag/<KEY>": "<VALUE>"
            }
        }
    },
    {
        "Sid": "IAMOIDC",
        "Effect": "Allow",
        "Action": [
            "iam:CreateOpenIDConnectProvider",
            "iam:TagOpenIDConnectProvider"
        ],
        "Resource": "arn:aws:iam::<account-id>:oidc-provider/*",
        "Condition": {
            "Null": {
                "aws:RequestTag/<KEY>": "<VALUE>",
                "aws:RequestTag/<KEY>": "<VALUE>"
            }
        }
    },
    {
        "Sid": "IAMResourcetags",
        "Effect": "Allow",
        "Action": [
            "iam:DeleteRole",
            "iam:TagRole",
            "iam:PutRolePolicy",
            "iam:DetachRolePolicy",
            "iam:DeleteRolePolicy",
            "iam:CreateRole"
        ],
        "Resource": "arn:aws:iam::<account-id>:role/*",
        "Condition": {
            "Null": {
                "iam:ResourceTag/<KEY>": "<VALUE>",
                "iam:ResourceTag/<KEY>": "<VALUE>"
            }
        }
    },
    {
        "Sid": "IAMAttachRolePolicy",
        "Effect": "Allow",
        "Action": [
            "iam:AttachRolePolicy"
        ],
        "Resource": "arn:aws:iam::<account-id>:role/*",
        "Condition": {
            "Null": {
                "iam:ResourceTag/<KEY>": "<VALUE>",
                "iam:ResourceTag/<KEY>": "<VALUE>"
            },
            "ArnLike": {
                "iam:PolicyARN": "arn:aws:iam::*:policy/km*"
            }
        }
    },
    {
        "Sid": "IAMOIDCResourcetags",
        "Effect": "Allow",
        "Action": [
            "iam:CreateOpenIDConnectProvider",
            "iam:TagOpenIDConnectProvider",
            "iam:DeleteOpenIDConnectProvider"
        ],
        "Resource": "arn:aws:iam::<account-id>:oidc-provider/*",
        "Condition": {
            "Null": {
                "aws:ResourceTag/<KEY>": "<VALUE>",
                "aws:ResourceTag/<KEY>": "<VALUE>"
            }
        }
    },
    {
        "Effect": "Allow",
        "Action": [
            "iam:PassRole"
        ],
        "Resource": "*",
        "Condition": {
             "StringEquals": {
                 "iam:PassedToService": [
                     "eks.amazonaws.com",
                     "ec2.amazonaws.com"
                 ]
             },
            "ArnLike": {
                "iam:AssociatedResourceArn": "arn:aws:iam::<account-id>:role/rafay-*"
            }
         }
    },
    {
        "Effect": "Allow",
        "Action": [
            "iam:CreateInstanceProfile",
            "iam:GetOpenIDConnectProvider",
            "iam:ListOpenIDConnectProviderTags",
            "iam:DeleteInstanceProfile",
            "iam:GetInstanceProfile",
            "iam:GetRole",
            "iam:RemoveRoleFromInstanceProfile",
            "iam:ListInstanceProfiles",
            "iam:AddRoleToInstanceProfile",
            "iam:ListInstanceProfilesForRole",
            "iam:GetRolePolicy",
            "iam:DeleteServiceLinkedRole",
            "iam:CreateServiceLinkedRole",
            "iam:ListRoleTags",
            "iam:ListAttachedRolePolicies"
        ],
        "Resource": "*"
    }
    ]
  }

Restricted IAM Policies on Tags

Below is a short example snippet of a policy restricted by tags. Replace the `<KEY>` and `<VALUE>` placeholders with the tag key and value you use to mark the resources this policy may manage.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetOpenIDConnectProvider",
                "iam:GetRole",
                "iam:GetInstanceProfile",
                "iam:GetRolePolicy",
                "iam:ListOpenIDConnectProviderTags",
                "iam:ListInstanceProfiles",
                "iam:ListInstanceProfilesForRole",
                "iam:ListRoleTags",
                "iam:ListAttachedRolePolicies",
                "iam:TagRole"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "*",
            "Condition": {
                 "StringEquals": {
                     "iam:PassedToService": [
                         "eks.amazonaws.com",
                         "ec2.amazonaws.com"
                     ]
                 }
             }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateOpenIDConnectProvider",
                "iam:TagOpenIDConnectProvider"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/<KEY>": "<VALUE>"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:DeleteOpenIDConnectProvider"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/<KEY>": "<VALUE>"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:ListStacks",
                "cloudformation:ListStackResources",
                "cloudformation:ListStackSets",
                "cloudformation:ListChangeSets",
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackResources",
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeChangeSet",
                "cloudformation:DescribeStackSet",
                "cloudformation:GetTemplate"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStackSet",
                "cloudformation:CreateStack",
                "cloudformation:CreateChangeSet"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/<KEY>": "<VALUE>"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:DeleteStackSet",
                "cloudformation:UpdateStackSet",
                "cloudformation:UpdateStack",
                "cloudformation:DeleteStack",
                "cloudformation:DeleteChangeSet",
                "cloudformation:ExecuteChangeSet"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/<KEY>": "<VALUE>"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "eks:AccessKubernetesApi",
                "eks:DescribeNodegroup",
                "eks:DescribeCluster",
                "eks:DescribeAddon",
                "eks:DescribeAddonVersions",
                "eks:DescribeFargateProfile",
                "eks:DescribeUpdate",
                "eks:ListTagsForResource",
                "eks:ListUpdates",
                "eks:ListClusters",
                "eks:ListNodegroups",
                "eks:ListAddons",
                "eks:ListFargateProfiles"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "eks:CreateCluster",
                "eks:CreateNodegroup",
                "eks:CreateFargateProfile"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/<KEY>": "<VALUE>"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "eks:TagResource"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/<KEY>": "<VALUE>"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "eks:UpdateClusterVersion",
                "eks:UpdateClusterConfig",
                "eks:DeleteCluster",
                "eks:UpdateAddon",
                "eks:UpdateNodegroupConfig",
                "eks:UpdateNodegroupVersion",
                "eks:CreateAddon",
                "eks:DeleteAddon",
                "eks:DeleteNodegroup",
                "eks:DeleteFargateProfile",
                "eks:UntagResource"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/<KEY>": "<VALUE>"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeLaunchConfigurations",
                "autoscaling:DescribeScheduledActions",
                "autoscaling:DescribeScalingActivities"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:CreateOrUpdateTags",
                "autoscaling:CreateLaunchConfiguration",
                "autoscaling:CreateAutoScalingGroup"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/<KEY>": "<VALUE>"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:TerminateInstanceInAutoScalingGroup",
                "autoscaling:SetDesiredCapacity",
                "autoscaling:UpdateAutoScalingGroup",
                "autoscaling:DeleteAutoScalingGroup",
                "autoscaling:SuspendProcesses",
                "autoscaling:DeleteTags",
                "autoscaling:DeleteLaunchConfiguration"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/<KEY>": "<VALUE>"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeTags",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeVolumes",
                "ec2:DescribeSubnets",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeImages",
                "ec2:describeAddresses",
                "ec2:DescribeVpcs",
                "ec2:DescribeLaunchTemplates",
                "ec2:DescribeLaunchTemplateVersions",
                "ec2:DescribeImageAttribute",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceTypeOfferings"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateLaunchTemplate",
                "ec2:CreateLaunchTemplateVersion",
                "ec2:DeleteLaunchTemplate",
                "ec2:ImportKeyPair"
            ],
            "Resource": "*",
            "Condition": {
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": "<KEY>"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteTags",
                "ec2:AssociateRouteTable",
                "ec2:ReleaseAddress",
                "ec2:AllocateAddress"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/<KEY>": "<VALUE>"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/<KEY>": "<VALUE>"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateSecurityGroup"
            ],
            "Resource": "*",
            "Condition": {
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": "<KEY>"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteSecurityGroup",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupIngress"
            ],
            "Resource": "*",
            "Condition": {
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": ["<KEY>","aws:eks:cluster-name"]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:ModifySecurityGroupRules",
                "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
                "ec2:UpdateSecurityGroupRuleDescriptionsEgress"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/<KEY>": "<VALUE>"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "ssm:GetParameter",
            "Resource": "arn:aws:ssm:*:*:parameter/aws/service/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:CreateGrant"
            ],
            "Resource": "*"
        }
    ]
}

Note

For customers who manage their own IAM roles and policies, three (3) ARNs are required when provisioning managed Kubernetes clusters:

  1. Service Role ARN
  2. Instance Profile ARN
  3. Instance Role ARN

IAM Roles and Policies