Untrusted tenants: use the account access key and secret key. The access and secret keys being used must belong to an IAM user that has at least these permissions. The IAM role that is created must be named ApicTenantRole.
Note: Cisco Cloud Network Controller does not disturb AWS resources created by other applications or users. It manages only the AWS resources that it created itself.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:DeleteInternetGateway",
"ec2:DeleteSecurityGroup",
"ec2:DeleteSubnet",
"ec2:DeleteVpc*",
"ec2:DeleteVpn*"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"ec2:AssociateRouteTable",
"ec2:AssociateVpcCidrBlock",
"ec2:AssociateTransitGatewayRouteTable",
"ec2:AttachInternetGateway",
"ec2:AttachVpnGateway",
"ec2:AuthorizeSecurityGroup*",
"ec2:CreateFlowLogs",
"ec2:CreateInternetGateway",
"ec2:CreateRoute*",
"ec2:CreateSecurityGroup",
"ec2:CreateSubnet",
"ec2:CreateTags",
"ec2:CreateTransitGatewayVpcAttachment",
"ec2:CreateVpc*",
"ec2:CreateVpn*",
"ec2:DeleteFlowLogs",
"ec2:DeleteRoute*",
"ec2:DeleteTags",
"ec2:DetachInternetGateway",
"ec2:DetachVpnGateway",
"ec2:DeleteCustomerGateway",
"ec2:DescribeCustomerGateways",
"ec2:CreateCustomerGateway",
"ec2:DisableTransitGatewayRouteTablePropagation",
"ec2:DisassociateRouteTable",
"ec2:DisassociateTransitGatewayRouteTable",
"ec2:DisassociateVpcCidrBlock",
"ec2:EnableTransitGatewayRouteTablePropagation",
"ec2:EnableVgwRoutePropagation",
"ec2:GetManagedPrefixListEntries",
"ec2:GetTransitGatewayRouteTableAssociations",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ModifySubnetAttribute",
"ec2:ModifyTransitGatewayVpcAttachment",
"ec2:ModifyVpcAttribute",
"ec2:ModifyVpcEndpoint",
"ec2:ResetNetworkInterfaceAttribute",
"ec2:RevokeSecurityGroup*",
"ec2:SearchTransitGatewayRoutes"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"s3:*"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"elasticloadbalancing:AddListenerCertificates",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateRule",
"elasticloadbalancing:CreateTargetGroup",
"elasticloadbalancing:DeleteListener",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DeleteRule",
"elasticloadbalancing:DeleteTargetGroup",
"elasticloadbalancing:DeregisterTargets",
"elasticloadbalancing:ModifyListener",
"elasticloadbalancing:ModifyRule",
"elasticloadbalancing:ModifyTargetGroup",
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:RemoveListenerCertificates",
"elasticloadbalancing:RemoveTags",
"elasticloadbalancing:SetIpAddressType",
"elasticloadbalancing:SetRulePriorities",
"elasticloadbalancing:SetSecurityGroups",
"elasticloadbalancing:SetSubnets"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"config:*"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"sqs:CreateQueue",
"sqs:DeleteMessage",
"sqs:DeleteQueue",
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl",
"sqs:ListQueueTags",
"sqs:ListQueues",
"sqs:ReceiveMessage",
"sqs:SetQueueAttributes",
"sqs:TagQueue"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"cloudtrail:AddTags",
"cloudtrail:CreateTrail",
"cloudtrail:GetTrailStatus",
"cloudtrail:StartLogging",
"cloudtrail:DeleteTrail"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"cloudwatch:DeleteAlarms",
"cloudwatch:GetMetricStatistics",
"cloudwatch:PutMetricAlarm"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"events:DeleteRule",
"events:DisableRule",
"events:EnableRule",
"events:ListRuleNamesByTarget",
"events:ListRules",
"events:ListTargetsByRule",
"events:PutRule",
"events:PutTargets",
"events:RemoveTargets"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DeleteLogGroup",
"logs:DeleteLogStream",
"logs:FilterLogEvents",
"logs:ListTagsLogGroup",
"logs:PutRetentionPolicy",
"logs:PutLogEvents",
"logs:TagLogGroup"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"acm:DeleteCertificate",
"acm:ImportCertificate"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"resource-groups:CreateGroup",
"resource-groups:DeleteGroup",
"resource-groups:GetGroup",
"resource-groups:GetGroupQuery",
"resource-groups:UpdateGroupQuery"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ram:AcceptResourceShareInvitation",
"ram:DeleteResourceShare",
"ram:GetResourceShareInvitations",
"ram:GetResourceShares"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ec2:Describe*",
"elasticloadbalancing:Describe*",
"cloudtrail:Describe*",
"logs:Describe*",
"events:Describe*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"iam:List*",
"iam:Get*",
"iam:CreateServiceLinkedRole",
"iam:DeleteServiceLinkedRole",
"iam:GetServiceLinkedRoleDeletionStatus",
"iam:AttachRolePolicy",
"iam:PutRolePolicy",
"iam:UpdateRoleDescription",
"iam:UploadServerCertificate",
"iam:DeleteServerCertificate",
"iam:UpdateRoleDescription",
"iam:PassRole"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::672831875017:role/ApicTenantRole",
"Effect": "Allow"
}
]
}