AWS IAM Roles and Permissions
Note |
Additional information on AWS IAM roles and permissions is available in the Cisco Cloud APIC for AWS User Guide, including how to configure an AWS provider as one of the following types of tenants:
|
Specific AWS IAM roles and permissions are required for the installation and operation of the Cisco Cloud APIC.
When installing Cisco Cloud APIC using the CloudFormation template (CFT), we recommend installation by a user who has the full Administrator Access on AWS (for example, by a user who has the permission policy ARN arn:aws:iam::aws:policy/AdministratorAccess attached to it, either directly, by using a role policy, or with a user group). However, if there is no user with AWS Administrator Access available, the user installing Cisco Cloud APIC must have this minimum set of permissions:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "iam:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "cloudformation:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "sns:*",
"Resource": "*"
}
]
}
The above permission set is necessary for a user who installs Cisco Cloud APIC using the CFT. Following are more detailed descriptions of each of the required permissions presented above, as shown in the Action lines:
-
iam Permissions: The Cisco Cloud APIC instance is an AWS EC2 instance that runs with an AWS role called ApicAdmin. This role needs to be created by the CloudFormation stack. Running the Cisco Cloud APIC instance with the ApicAdmin role allows the Cisco Cloud APIC instance to get temporary credentials using the AWS metadata service. This frees the Cisco Cloud APIC instance from having to use fixed access key IDs and secret access keys for making AWS API calls.
-
ec2 Permissions: Needed so that the stack can create the needed VPC, subnets, security groups, and so on. The stack creates the infra VPC, where the Cisco Cloud APIC instance is deployed.
-
cloudformation Permissions: Needed to run the CFT itself.
-
s3 Permissions: Needed so that the CFT is saved in an S3 bucket based on the needs of the AWS CloudFormation stack.
-
sns Permissions: Needed to get notifications for running the CloudFormation stack.
For operations, Cisco Cloud APIC runs with ApicAdmin role. This role has two policies attached, and they get created as part of launching the CloudFormation template:
-
ApicAdminFullAccess Policy: Permissions listed in this policy allows Cisco Cloud APIC to create and manage EC2 and VPC resources, S3 buckets, Resource Groups, account notifications and logs. Note that Cisco Cloud APIC only tries to manage the resources it creates. It does not deal with resources created by any other applications.
This policy should have the following permissions:
{ "Version": "2012-10-17", "Statement": [{ "Action": "organizations:*", "Resource": "*", "Effect": "Allow" }, { "Action": "ec2:*", "Resource": "*", "Effect": "Allow" }, { "Action": "s3:*", "Resource": "*", "Effect": "Allow" }, { "Action": "sqs:*", "Resource": "*", "Effect": "Allow" }, { "Action": "elasticloadbalancing:*", "Resource": "*", "Effect": "Allow" }, { "Action": "acm:*", "Resource": "*", "Effect": "Allow" }, { "Action": "cloudtrail:*", "Resource": "*", "Effect": "Allow" }, { "Action": "cloudwatch:*", "Resource": "*", "Effect": "Allow" }, { "Action": "logs:*", "Resource": "*", "Effect": "Allow" }, { "Action": "resource-groups:*", "Resource": "*", "Effect": "Allow" }, { "Action": "events:*", "Resource": "*", "Effect": "Allow", "Sid": "CloudWatchEventsFullAccess" }, { "Action": "autoscaling:*", "Resource": "*", "Effect": "Allow" } ] }
-
ApicTenantsAccess Policy: Permissions listed in this policy allows Cisco Cloud APIC to assume the role of tenant accounts and call AWS APIs on those tenant AWS accounts. This allows Cisco Cloud APIC to access tenant accounts without having to use the hard credentials of those tenant accounts.
This policy should have the following permissions:
{ "Version": "2012-10-17", "Statement": [{ "Action": "sts:AssumeRole", "Resource": "*", "Effect": "Allow" }] }
Note that Cisco Cloud APIC itself does not need IAM permissions for its operation because it does not create any IAM policies or roles after its installation.
Cisco Cloud APIC will attempt to manage the AWS resources that are created by it, but it will not attempt to manage resources created by other applications, other than listing existing resources as inventory. At the same time, AWS IAM users in those accounts (both the infra account and other tenant accounts) should not interfere with the resources created by Cisco Cloud APIC. Therefore, all resources created by Cisco Cloud APIC on AWS have at least one of these two tags applied on them:
-
AciDnTag
-
AciOwnerTag
Therefore, when you create AWS IAM users who have permission to create, delete or update EC2, VPC and other resources, you must prevent these users from accessing or modifying the resources created and managed by Cisco Cloud APIC. Such restrictions should apply on both the infra and other user tenant accounts. AWS account administrators should use the above two tags to prevent users from accessing or modifying the resources created and managed by Cisco Cloud APIC.
For example, you might have an access policy similar to the following for an IAM user to prevent unintended access to resources managed by Cisco Cloud APIC:
{
"Effect": "Deny",
"Action": [
"ec2:*"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ec2:ResourceTag/AciDnTag": "*"
}
}
}