Required IAM Permissions for Qualdo-DRX installation:ΒΆ
Please ensure that the AWS IAM user has the required permissions,
as mentioned below, to successfully deploy Qualdo-DRX.
You can find the AWS IAM user in the navigation bar as shown below.
You can create and attach policy using JSON
to enable the permissions.
If necessary, please contact your AWS admin who will be able to help
you create and attach policies to the AWS IAM user.
Use this JSON to create policy and attach to the AWS IAM user. Please check "Related Resources" given below for more details on creating and attaching policies using JSON.
Json Format policies:
- You can simply copy and paste these below permissions and actions to the AWS IAM user that will be used for Qualdo-DRX deployment.
Note
Please use a Separate IAM user for deploying Qualdo-DRX. Avoid using the root user for the deployment. Without the required IAM permissions and actions the Qualdo-DRX deployment may fail.
Copy{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "acm:DeleteCertificate", "acm:DescribeCertificate", "acm:GetCertificate", "acm:ListCertificates", "acm:RequestCertificate", "apigateway:GET", "apigateway:SetWebACL", "appsync:ListGraphqlApis", "appsync:SetWebACL", "aws-marketplace:ListBuilds", "aws-marketplace:StartBuild", "aws-marketplace:Subscribe", "aws-marketplace:ViewSubscriptions", "cloudformation:CreateStack", "cloudformation:CreateUploadBucket", "cloudformation:DeleteStack", "cloudformation:DescribeStackEvents", "cloudformation:DescribeStacks", "cloudformation:GetTemplateSummary", "cloudformation:ListStacks", "cloudformation:UpdateStack", "cloudfront:ListDistributions", "cloudfront:ListDistributionsByWebACLId", "cloudfront:UpdateDistribution", "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics", "cognito-idp:AssociateWebACL", "cognito-idp:DisassociateWebACL", "cognito-idp:GetWebACLForResource", "cognito-idp:ListResourcesForWebACL", "cognito-idp:ListUserPools", "ec2:AllocateAddress", "ec2:AssociateAddress", "ec2:AssociateRouteTable", "ec2:AttachInternetGateway", "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateInternetGateway", "ec2:CreateKeyPair", "ec2:CreateNatGateway", "ec2:CreateRoute", "ec2:CreateRouteTable", "ec2:CreateSecurityGroup", "ec2:CreateSubnet", "ec2:CreateTags", "ec2:CreateVpc", "ec2:DeleteInternetGateway", "ec2:DeleteKeyPair", "ec2:DeleteNatGateway", "ec2:DeleteRoute", "ec2:DeleteRouteTable", "ec2:DeleteSecurityGroup", "ec2:DeleteSubnet", "ec2:DeleteVpc", "ec2:DescribeAccountAttributes", "ec2:DescribeAddresses", "ec2:DescribeAddressesAttribute", "ec2:DescribeAvailabilityZones", "ec2:DescribeDhcpOptions", "ec2:DescribeInstances", "ec2:DescribeInternetGateways", "ec2:DescribeKeyPairs", "ec2:DescribeNatGateways", "ec2:DescribeRegions", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroupRules", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVpcs", "ec2:DetachInternetGateway", "ec2:DisassociateAddress", "ec2:DisassociateRouteTable", "ec2:GetConsoleOutput", "ec2:ModifySecurityGroupRules", "ec2:ModifyVpcAttribute", "ec2:ReleaseAddress", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress", "ec2:RunInstances", "ec2:TerminateInstances", "ecr:BatchGetImage", "ecr:DescribeImages", "ecr:GetAuthorizationToken", "ecr:GetDownloadUrlForLayer", "eks:CreateCluster", "eks:CreateNodegroup", "eks:DeleteCluster", "eks:DeleteNodegroup", "eks:DescribeCluster", "eks:DescribeNodegroup", "eks:ListClusters", "eks:TagResource", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:DeleteTargetGroup", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:SetWebACL", "elasticloadbalancing:SetWebAcl", "elasticmapreduce:TerminateJobFlows", "iam:AddRoleToInstanceProfile", "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:CreateAccessKey", "iam:CreateGroup", "iam:CreateInstanceProfile", "iam:CreateOpenIDConnectProvider", "iam:CreatePolicy", "iam:CreateRole", "iam:CreateServiceLinkedRole", "iam:DeleteAccessKey", "iam:DeleteGroup", "iam:DeleteInstanceProfile", "iam:DeleteOpenIDConnectProvider", "iam:DeletePolicy", "iam:DeleteRole", "iam:DeleteRolePolicy", "iam:DetachGroupPolicy", "iam:DetachRolePolicy", "iam:GetGroup", "iam:GetInstanceProfile", "iam:GetOpenIDConnectProvider", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:GetRolePolicy", "iam:ListAccessKeys", "iam:ListAttachedRolePolicies", "iam:ListEntitiesForPolicy", "iam:ListOpenIDConnectProviders", "iam:ListPolicies", "iam:ListPolicyVersions", "iam:ListRoles", "iam:ListSAMLProviders", "iam:PassRole", "iam:PutRolePolicy", "iam:RemoveRoleFromInstanceProfile", "iam:TagOpenIDConnectProvider", "lambda:CreateFunction", "lambda:DeleteFunction", "lambda:GetFunction", "lambda:InvokeFunction", "lambda:TagResource", "license-manager:CheckoutLicense", "logs:DescribeLogGroups", "logs:DescribeResourcePolicies", "rds:AddTagsToResource", "rds:AuthorizeDBSecurityGroupIngress", "rds:CreateDBInstance", "rds:CreateDBSubnetGroup", "rds:DeleteDBInstance", "rds:DeleteDBSubnetGroup", "rds:DescribeAccountAttributes", "rds:DescribeDBInstances", "rds:DescribeDBSubnetGroups", "rds:ListTagsForResource", "s3:CreateBucket", "s3:DeleteBucket", "s3:DeleteBucketPolicy", "s3:DeleteObject", "s3:GetBucketVersioning", "s3:GetObject", "s3:ListAllMyBuckets", "s3:ListBucket", "s3:ListBucketVersions", "s3:PutBucketAcl", "s3:PutBucketOwnershipControls", "s3:PutBucketPolicy", "s3:PutBucketPublicAccessBlock", "s3:PutBucketTagging", "s3:PutBucketVersioning", "s3:PutEncryptionConfiguration", "s3:PutLifecycleConfiguration", "s3:PutObject", "secretsmanager:CreateSecret", "secretsmanager:DeleteSecret", "secretsmanager:GetRandomPassword", "secretsmanager:GetSecretValue", "secretsmanager:TagResource", "sns:ListTopics", "ssm:AddTagsToResource", "ssm:DeleteParameter", "ssm:DeleteParameters", "ssm:DescribeParameters", "ssm:GetParameter", "ssm:GetParameters", "ssm:PutParameter", "waf-regional:AssociateWebACL", "waf-regional:DisassociateWebACL", "waf-regional:GetSampledRequests", "waf-regional:GetWebACL", "waf-regional:GetWebACLForResource", "waf-regional:ListResourcesForWebACL", "waf-regional:ListWebACLs", "waf:GetSampledRequests", "waf:GetWebACL", "waf:ListWebACLs", "wafv2:AssociateWebACL", "wafv2:CreateWebACL", "wafv2:DeleteWebACL", "wafv2:DisassociateWebACL", "wafv2:GetSampledRequests", "wafv2:GetWebACL", "wafv2:GetWebACLForResource", "wafv2:ListResourcesForWebACL", "wafv2:ListWebACLs" ], "Resource": "*" }, { "Sid": "RDSServiceLinkedRole", "Action": "iam:CreateServiceLinkedRole", "Effect": "Allow", "Resource": "arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS", "Condition": { "StringLike": { "iam:AWSServiceName": "rds.amazonaws.com" } } } ] }