AD Gateway Deployment IAM Policy

In order to deploy and manage the CLICK AD Gateway CloudFormation Stack, you will need all the permissions required to create, modify, and delete its resources. Typically, an AWS Admin role is appropriate to use for this task and will have the necessary permissions. However, if you wish to create a user or role specifically for managing the stack, you can create a managed policy using the below policy document.

📘

Yikes, that's a lot!

We realize there are a lot of individual permissions statements required. The AWS Web Console utilizes AWS API calls to unexpected commands in unexpected places. We built this policy by walking through the deployment process and adding permissions as required for the normal operations of deploying, updating, and deleting the stack.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "lambda:CreateFunction",
                "logs:DeleteSubscriptionFilter",
                "logs:DescribeSubscriptionFilters",
                "logs:StartQuery",
                "lambda:GetFunctionConfiguration",
                "logs:DescribeMetricFilters",
                "cloudformation:CreateChangeSet",
                "iam:PutRolePolicy",
                "logs:ListLogDeliveries",
                "sns:ListEndpointsByPlatformApplication",
                "cloudformation:DescribeStackEvents",
                "logs:TagLogGroup",
                "kms:Encrypt",
                "sns:DeletePlatformApplication",
                "cloudformation:UpdateStack",
                "lambda:DeleteFunction",
                "sns:Subscribe",
                "sns:ConfirmSubscription",
                "events:RemoveTargets",
                "logs:FilterLogEvents",
                "cloudformation:DescribeChangeSet",
                "iam:ListRolePolicies",
                "logs:DescribeDestinations",
                "cloudformation:ListStackResources",
                "iam:ListPolicies",
                "iam:GetRole",
                "events:DescribeRule",
                "sns:ListSubscriptionsByTopic",
                "lambda:ListFunctions",
                "iam:GetPolicy",
                "sns:CreateTopic",
                "iam:DeleteRole",
                "iam:UpdateRoleDescription",
                "kms:RetireGrant",
                "lambda:UpdateFunctionCode",
                "cloudformation:GetStackPolicy",
                "cloudformation:DeleteStack",
                "kms:RevokeGrant",
                "lambda:PublishVersion",
                "logs:PutSubscriptionFilter",
                "lambda:DeleteEventSourceMapping",
                "ec2:DescribeSubnets",
                "iam:GetRolePolicy",
                "sns:TagResource",
                "logs:ListTagsLogGroup",
                "iam:UntagRole",
                "kms:PutKeyPolicy",
                "iam:TagRole",
                "events:PutRule",
                "sns:ListTopics",
                "sns:CreatePlatformEndpoint",
                "logs:DeleteLogStream",
                "logs:CreateExportTask",
                "iam:PassRole",
                "logs:DeleteMetricFilter",
                "iam:DeleteRolePolicy",
                "kms:CreateKey",
                "ssm:GetParametersByPath",
                "logs:DeleteLogDelivery",
                "kms:CreateGrant",
                "logs:PutDestination",
                "logs:DisassociateKmsKey",
                "sns:GetTopicAttributes",
                "logs:UntagLogGroup",
                "kms:GetKeyPolicy",
                "sns:CreatePlatformApplication",
                "lambda:UpdateFunctionConfiguration",
                "sns:SetSMSAttributes",
                "iam:ListRoles",
                "logs:TestMetricFilter",
                "sns:ListSubscriptions",
                "ec2:DescribeSecurityGroups",
                "events:DeleteRule",
                "iam:CreateServiceLinkedRole",
                "ec2:DescribeVpcs",
                "kms:ListAliases",
                "iam:UpdateRole",
                "iam:GetUser",
                "logs:GetLogGroupFields",
                "lambda:RemovePermission",
                "sns:ListPlatformApplications",
                "iam:UpdateAssumeRolePolicy",
                "iam:GetPolicyVersion",
                "logs:GetLogRecord",
                "kms:Decrypt",
                "sns:Unsubscribe",
                "iam:CreateRole",
                "cloudformation:DescribeStackResource",
                "iam:AttachRolePolicy",
                "ssm:GetParameter",
                "sns:OptInPhoneNumber",
                "sns:SetEndpointAttributes",
                "ssm:DeleteParameter",
                "logs:CreateLogStream",
                "iam:DetachRolePolicy",
                "ssm:DescribeParameters",
                "iam:ListAttachedRolePolicies",
                "logs:CancelExportTask",
                "sns:SetPlatformApplicationAttributes",
                "logs:DeleteRetentionPolicy",
                "logs:GetLogEvents",
                "events:ListRules",
                "cloudformation:ExecuteChangeSet",
                "sns:ListTagsForResource",
                "cloudformation:DescribeStackResources",
                "sns:GetPlatformApplicationAttributes",
                "logs:StopQuery",
                "sns:GetSubscriptionAttributes",
                "ssm:GetParameters",
                "logs:CreateLogGroup",
                "ssm:DeleteParameters",
                "cloudformation:DescribeStacks",
                "sns:DeleteEndpoint",
                "ssm:PutParameter",
                "logs:PutMetricFilter",
                "logs:CreateLogDelivery",
                "sns:GetEndpointAttributes",
                "logs:PutResourcePolicy",
                "logs:DescribeExportTasks",
                "logs:GetQueryResults",
                "iam:GetUserPolicy",
                "logs:UpdateLogDelivery",
                "lambda:ListVersionsByFunction",
                "sns:DeleteTopic",
                "logs:DescribeLogStreams",
                "sns:SetTopicAttributes",
                "lambda:CreateEventSourceMapping",
                "sns:UntagResource",
                "logs:GetLogDelivery",
                "cloudformation:DeleteChangeSet",
                "logs:DeleteResourcePolicy",
                "sns:Publish",
                "ec2:DescribeNetworkInterfaces",
                "iam:ListAttachedUserPolicies",
                "kms:DescribeKey",
                "logs:AssociateKmsKey",
                "logs:DescribeResourcePolicies",
                "logs:DescribeQueries",
                "cloudformation:ListStacks",
                "logs:DescribeLogGroups",
                "logs:DeleteLogGroup",
                "lambda:GetFunction",
                "logs:PutDestinationPolicy",
                "iam:ListUserPolicies",
                "logs:DeleteDestination",
                "iam:TagUser",
                "logs:PutLogEvents",
                "cloudformation:GetTemplateSummary",
                "kms:ListGrants",
                "iam:UntagUser",
                "kms:ListKeys",
                "events:PutTargets",
                "lambda:AddPermission",
                "sns:SetSubscriptionAttributes",
                "iam:ListPolicyVersions",
                "cloudformation:CreateStack",
                "ec2:DescribeSecurityGroupReferences",
                "iam:ListUsers",
                "logs:PutRetentionPolicy",
                "cloudformation:ListChangeSets"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::click-ad-gateway/*"
        }
    ]
}