Creating an IAM Policy

In AWS, an IAM policy defines the permissions granted to the user accounts to which the policy is attached.

The Automated Cloud Mode (AWS) of Solution Manager uses the AWS API to perform actions in your AWS account on your behalf, so you do not have to do them yourself: for example, creating the EC2 instances that will run the Denodo components, creating the necessary load balancers, etc.

To do this, before using the Automated Cloud Mode, you have to define an IAM policy that allows the service account associated with the Solution Manager to invoke all the necessary operations of the AWS API. We provide the policy file; you only have to create the policy from it in your AWS account.

Follow these steps to create this IAM policy:

  1. Log into the AWS Management Console.

  2. Go to IAM.

  3. In the left panel, expand Access management and click on Policies.

  4. Click on Create policy.

  5. Download this file to your computer: Denodo_Solution_Manager_8_0_IAM_PolicyPermissions.json

    This JSON file defines the privileges of the new IAM policy. The Solution Manager requires all of these privileges to perform every action that users can trigger from the Solution Manager.

    For evaluations and simple deployments, we recommend using this file as is. If you want to restrict the actions the Solution Manager can perform in AWS on your behalf, read the sections below: they list each privilege of this policy file and the feature of the Solution Manager it affects.

  6. Click the JSON tab, clear the content of the text box and paste the content of the file you just downloaded. Then, click Review policy. If the AWS console shows a warning message about the JSON, ignore it and continue with the policy creation.

  7. Enter the name denodo_80_solution_manager (you can use another name if you prefer) and a description for the new policy. Then, click Create policy.

Main Features

For evaluations and simple deployments, we recommend creating the IAM policy from the policy file we provide. If you want to restrict the actions the Solution Manager can perform on your AWS account, take the following into consideration:

  • You cannot remove from the policy the permissions marked Required = Yes in the table below. If you remove any of them, you will not be able to use the Automated Cloud Mode of the Solution Manager, because all the operations will fail.

  • You can remove the permissions marked Required = No, but take into account that the feature associated with that permission will stop working: if you try to perform that action, you will get an error.

IAM Policy Services required by the main features of the Solution Manager

| Service | Access level | Action | Required | Usage |
|---|---|---|---|---|
| EC2 | Tagging | CreateTags | Yes | Required to name the resources created automatically |
| EC2 | Tagging | DeleteTags | No | Required to delete the named resources created automatically |
| EC2 | Write | AttachInternetGateway | No | Required when using public ELBs |
| EC2 | Write | CreateRoute | No | Required when using public ELBs or VPCs managed by the Solution Manager |
| EC2 | Write | CreateInternetGateway | No | Required when using public ELBs |
| EC2 | Write | DeleteRoute | No | Required to automate the management of public ELBs and/or VPCs |
| EC2 | Write | DeleteSnapshot | Yes | Required to automate the installation of updates, cloud deployments, recreate instances and automate the TLS configuration |
| EC2 | Write | DeregisterImage | Yes | Required to automate the installation of updates, cloud deployments, recreate instances and automate the TLS configuration |
| EC2 | Write | ModifyInstanceAttribute | Yes | Required to set the instance user data |
| EC2 | Write | RebootInstances | Yes | Required to launch the instances |
| EC2 | Write | RunInstances | Yes | Required to launch the instances |
| EC2 | Write | StartInstances | Yes | Required to launch the instances |
| EC2 | Write | StopInstances | Yes | Required to launch the instances |
| EC2 | Write | TerminateInstances | Yes | Required to launch the instances |
| EC2 | List | DescribeImages | Yes | Required to launch the instances |
| EC2 | List | DescribeInstances | Yes | Required to launch the instances |
| EC2 | List | DescribeInternetGateways | No | Required when using public ELBs |
| EC2 | List | DescribeKeyPairs | Yes | Required to list the available Key Pairs |
| EC2 | List | DescribeRegions | Yes | Required to list available Regions |
| EC2 | List | DescribeRouteTables | No | Required when using public ELBs or VPCs managed by the Solution Manager |
| EC2 | List | DescribeSecurityGroups | Yes | Required to list available Security Groups |
| EC2 | List | DescribeSubnets | Yes | Required to list available subnets |
| EC2 | List | DescribeVpcs | Yes | Required to list available VPCs |
| EC2 | Read | DescribeTags | No | Required to name the resources created automatically |
| ELB v2 | Write | CreateListener | Yes | Required to create the ELBs |
| ELB v2 | Write | CreateLoadBalancer | Yes | Required to create the ELBs |
| ELB v2 | Write | CreateTargetGroup | Yes | Required to create the ELBs |
| ELB v2 | Write | DeleteListener | Yes | Required to create the ELBs |
| ELB v2 | Write | DeleteLoadBalancer | Yes | Required to create the ELBs |
| ELB v2 | Write | DeleteTargetGroup | Yes | Required to create the ELBs |
| ELB v2 | Write | DeregisterTargets | No | Required to use the “minimizing downtime” option |
| ELB v2 | Write | ModifyListener | Yes | Required to create the ELBs |
| ELB v2 | Write | ModifyTargetGroupAttributes | Yes | Required to create the ELBs |
| ELB v2 | Write | RegisterTargets | Yes | Required to create the ELBs |
| ELB v2 | Read | DescribeListeners | Yes | Required to create the ELBs |
| ELB v2 | Read | DescribeLoadBalancers | Yes | Required to create the ELBs |
| ELB v2 | Read | DescribeTargetGroups | Yes | Required to create the ELBs |
| ELB v2 | Read | DescribeTargetHealth | No | Required to use the “minimizing downtime” option |
| IAM | Write | PassRole | No | Required to store the logs in S3 and automate the installation of updates |
| IAM | Read | GetUser | Yes | Required to obtain the account information |
| IAM | List | ListInstanceProfiles | No | Required to store the logs in S3 and automate the installation of updates |
| S3 | Write | DeleteObject | No | Required to store the logs in S3 and automate the installation of updates |
| S3 | Write | PutObject | No | Required to store the logs in S3 and automate the installation of updates |
| S3 | Read | GetBucketLocation | No | Required to store the logs in S3 and automate the installation of updates |
| sts | Write | DecodeAuthorizationMessage | Yes | Required to obtain the actual authentication error from AWS |

Automated VPC Management

When you create an environment using the Automated Mode, you can choose whether you want the Solution Manager to create a Virtual Private Cloud (VPC) for the new EC2 instances or to use an existing VPC.

If you do not want to allow the Solution Manager to create and manage the VPCs, you can remove the following permissions from the policy. Note that CreateRoute, DeleteRoute and DescribeRouteTables are also listed in the main table above as required for public ELBs, so remove them only if you do not use public ELBs either.

IAM Policy Services required by the VPC management feature

| Service | Access level | Action |
|---|---|---|
| EC2 | Write | AcceptVpcPeeringConnection |
| EC2 | Write | CreateVpcPeeringConnection |
| EC2 | Write | DeleteVpcPeeringConnection |
| EC2 | Write | ModifyVpcAttribute |
| EC2 | Write | ModifyVpcPeeringConnectionOptions |
| EC2 | Write | CreateRoute |
| EC2 | Write | DeleteRoute |
| EC2 | Write | ReplaceRoute |
| EC2 | List | DescribeVpcAttribute |
| EC2 | List | DescribeVpcPeeringConnections |
| EC2 | List | DescribeRouteTables |

Automated Subnet Management

When you create a cluster using the Automated Mode, you can choose whether you want the Solution Manager to create a subnet for the new components or to use an existing subnet.

If you do not want to allow the Solution Manager to create and manage the subnets, you can remove the following permissions from the policy.

IAM Policy Services required by the subnet management feature

| Service | Access level | Action |
|---|---|---|
| EC2 | Write | CreateSubnet |
| EC2 | Write | ModifySubnetAttribute |

Automated Auto Scaling Group Management

When you create a cluster using the Automated Mode, you can choose whether you want the Solution Manager to launch the EC2 instances in an auto scaling group.

If you do not want to allow the Solution Manager to create and manage the auto scaling groups, you can remove the following permissions from the policy.

IAM Policy Services required by the Auto Scaling Group management feature

| Service | Access level | Action |
|---|---|---|
| EC2 | Write | CreateLaunchTemplate |
| EC2 | Write | CreateLaunchTemplateVersion |
| EC2 | Write | DeleteLaunchTemplate |
| EC2 | Write | DeleteLaunchTemplateVersions |
| EC2 | Write | ModifyLaunchTemplate |
| EC2 | List | DescribeLaunchTemplateVersions |
| EC2 Auto Scaling | Write | AttachInstances |
| EC2 Auto Scaling | Write | AttachLoadBalancerTargetGroups |
| EC2 Auto Scaling | Write | CreateAutoScalingGroup |
| EC2 Auto Scaling | Write | DeleteAutoScalingGroup |
| EC2 Auto Scaling | Write | DetachInstances |
| EC2 Auto Scaling | Write | DetachLoadBalancerTargetGroups |
| EC2 Auto Scaling | Write | UpdateAutoScalingGroup |
| EC2 Auto Scaling | List | DescribeAutoScalingGroups |
| EC2 Auto Scaling | List | DescribeScalingActivities |

Automated Security Group Management

When you create a cluster using the Automated Mode, you can choose whether you want the Solution Manager to create a security group with the required configuration or to choose an existing security group.

If you do not want to allow the Solution Manager to create and manage the security groups, you can remove the following permissions from the policy.

IAM Policy Services required by the automated Security Group management feature of the Denodo Platform

| Service | Access level | Action |
|---|---|---|
| EC2 | Write | AuthorizeSecurityGroupIngress |
| EC2 | Write | CreateSecurityGroup |
| EC2 | Write | DeleteSecurityGroup |
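The restrictions described under Main Features and in the feature sections above (VPC, subnet, auto scaling group and security group management) can be applied mechanically instead of editing the JSON by hand. The following Python script is an added example and is not Denodo's code: it transcribes the Required = Yes actions and the per-feature optional actions from the tables on this page and trims a policy document to the features you actually use, refusing to drop any mandatory action. The feature names (public_elb, vpc_management, and so on) are this example's own labels, and the sample policy document is constructed here to stand in for the downloaded Denodo_Solution_Manager_8_0_IAM_PolicyPermissions.json, which is not reproduced on this page. The service prefixes (ec2, elasticloadbalancing, autoscaling, iam, s3, sts) are the standard IAM action namespaces of the services named in the tables.

```python
"""Trim the Solution Manager IAM policy to the features you actually use.

Added example, not Denodo's own code. MANDATORY and FEATURES are transcribed from
the permission tables in the documentation; sample_policy() is a constructed
stand-in for the downloaded policy file, which is not reproduced here.
"""
import json

# Actions marked Required = Yes: dropping any of them breaks the Automated Cloud Mode.
MANDATORY = {
    "ec2:CreateTags", "ec2:DeleteSnapshot", "ec2:DeregisterImage",
    "ec2:ModifyInstanceAttribute", "ec2:RebootInstances", "ec2:RunInstances",
    "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances",
    "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeKeyPairs",
    "ec2:DescribeRegions", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets",
    "ec2:DescribeVpcs",
    "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateLoadBalancer",
    "elasticloadbalancing:CreateTargetGroup", "elasticloadbalancing:DeleteListener",
    "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:DeleteTargetGroup",
    "elasticloadbalancing:ModifyListener", "elasticloadbalancing:ModifyTargetGroupAttributes",
    "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:DescribeListeners",
    "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeTargetGroups",
    "iam:GetUser", "sts:DecodeAuthorizationMessage",
}

# Actions marked Required = No, grouped by the feature that needs them (the feature names are
# this example's own labels). An action listed under several features, such as ec2:CreateRoute,
# is kept as long as at least one of those features stays enabled.
FEATURES = {
    "public_elb": {"ec2:AttachInternetGateway", "ec2:CreateInternetGateway", "ec2:CreateRoute",
                   "ec2:DeleteRoute", "ec2:DescribeInternetGateways", "ec2:DescribeRouteTables"},
    "vpc_management": {"ec2:AcceptVpcPeeringConnection", "ec2:CreateVpcPeeringConnection",
                       "ec2:DeleteVpcPeeringConnection", "ec2:ModifyVpcAttribute",
                       "ec2:ModifyVpcPeeringConnectionOptions", "ec2:CreateRoute",
                       "ec2:DeleteRoute", "ec2:ReplaceRoute", "ec2:DescribeVpcAttribute",
                       "ec2:DescribeVpcPeeringConnections", "ec2:DescribeRouteTables"},
    "subnet_management": {"ec2:CreateSubnet", "ec2:ModifySubnetAttribute"},
    "auto_scaling": {"ec2:CreateLaunchTemplate", "ec2:CreateLaunchTemplateVersion",
                     "ec2:DeleteLaunchTemplate", "ec2:DeleteLaunchTemplateVersions",
                     "ec2:ModifyLaunchTemplate", "ec2:DescribeLaunchTemplateVersions",
                     "autoscaling:AttachInstances", "autoscaling:AttachLoadBalancerTargetGroups",
                     "autoscaling:CreateAutoScalingGroup", "autoscaling:DeleteAutoScalingGroup",
                     "autoscaling:DetachInstances", "autoscaling:DetachLoadBalancerTargetGroups",
                     "autoscaling:UpdateAutoScalingGroup", "autoscaling:DescribeAutoScalingGroups",
                     "autoscaling:DescribeScalingActivities"},
    "security_group_management": {"ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup",
                                  "ec2:DeleteSecurityGroup"},
    "s3_logs_and_updates": {"iam:PassRole", "iam:ListInstanceProfiles", "s3:DeleteObject",
                            "s3:PutObject", "s3:GetBucketLocation"},
    "minimize_downtime": {"elasticloadbalancing:DeregisterTargets",
                          "elasticloadbalancing:DescribeTargetHealth"},
    "tag_cleanup": {"ec2:DeleteTags", "ec2:DescribeTags"},
}
ALL_ACTIONS = MANDATORY | set().union(*FEATURES.values())


def sample_policy():
    """Constructed stand-in for the downloaded file: one Allow statement per service."""
    services = sorted({a.split(":")[0] for a in ALL_ACTIONS})
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": svc.capitalize(), "Effect": "Allow", "Resource": "*",
         "Action": sorted(a for a in ALL_ACTIONS if a.startswith(svc + ":"))}
        for svc in services]}


def statement_actions(statement):
    """IAM accepts Action as a single string or a list; normalise it to a list."""
    actions = statement.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)


def allowed_actions(policy):
    """Every action granted by the Allow statements of a policy document."""
    return {a for s in policy["Statement"] if s.get("Effect") == "Allow"
            for a in statement_actions(s)}


def missing_mandatory(policy):
    """Required = Yes actions the policy does not grant; an empty set means it is usable."""
    return MANDATORY - allowed_actions(policy)


def trim_policy(policy, disabled_features):
    """Return a copy of `policy` without the actions that only the disabled features need."""
    unknown = set(disabled_features) - set(FEATURES)
    if unknown:
        raise ValueError(f"unknown feature(s): {sorted(unknown)}")
    if missing_mandatory(policy):
        raise ValueError(f"input lacks mandatory actions: {sorted(missing_mandatory(policy))}")
    still_needed = set().union(*(FEATURES[f] for f in FEATURES if f not in disabled_features))
    removable = set().union(*(FEATURES[f] for f in disabled_features)) - still_needed - MANDATORY
    trimmed = json.loads(json.dumps(policy))  # deep copy: never mutate the caller's document
    trimmed["Statement"] = [dict(s, Action=[a for a in statement_actions(s) if a not in removable])
                            for s in trimmed["Statement"]]
    trimmed["Statement"] = [s for s in trimmed["Statement"] if s["Action"]]  # drop emptied ones
    return trimmed


if __name__ == "__main__":
    trimmed = trim_policy(sample_policy(), {"vpc_management", "auto_scaling", "s3_logs_and_updates"})
    dropped = allowed_actions(sample_policy()) - allowed_actions(trimmed)
    print(json.dumps(trimmed, indent=2))
    print(f"removed {len(dropped)} actions; mandatory missing: {sorted(missing_mandatory(trimmed))}")
```

The detail easiest to get wrong when editing the JSON by hand is the shared actions: ec2:CreateRoute, ec2:DeleteRoute and ec2:DescribeRouteTables appear under both public ELBs and VPC management, so the script only removes them when both features are disabled. To use it on the real file, load the downloaded document with json.load and pass it to trim_policy in place of sample_policy(), then paste the result into the JSON tab in step 6; missing_mandatory is also a quick check to run on any hand-edited policy before creating it.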