AD Gateway Deployment IAM Policy
In order to deploy and manage the CLICK AD Gateway CloudFormation Stack, you will need all the permissions required to create, modify, and delete its resources. Typically, an AWS Admin role is appropriate for this task and already has the necessary permissions. However, if you wish to create a user or role specifically for managing the stack, you can create a managed policy from the policy document below.
Yikes, that's a lot!
We realize that a large number of individual permission statements are required. The AWS Web Console makes AWS API calls to unexpected services in unexpected places. We built this policy by walking through the deployment process and adding permissions as they were required for the normal operations of deploying, updating, and deleting the stack. Note that the first statement grants IAM actions such as iam:CreateRole, iam:AttachRolePolicy, iam:PutRolePolicy, and iam:PassRole on "Resource": "*", which makes this policy close to administrator-equivalent; if your environment requires tighter scoping, narrow the Resource element for those actions to the ARNs of the roles the stack itself creates.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"lambda:CreateFunction",
"logs:DeleteSubscriptionFilter",
"logs:DescribeSubscriptionFilters",
"logs:StartQuery",
"lambda:GetFunctionConfiguration",
"logs:DescribeMetricFilters",
"cloudformation:CreateChangeSet",
"iam:PutRolePolicy",
"logs:ListLogDeliveries",
"sns:ListEndpointsByPlatformApplication",
"cloudformation:DescribeStackEvents",
"logs:TagLogGroup",
"kms:Encrypt",
"sns:DeletePlatformApplication",
"cloudformation:UpdateStack",
"lambda:DeleteFunction",
"sns:Subscribe",
"sns:ConfirmSubscription",
"events:RemoveTargets",
"logs:FilterLogEvents",
"cloudformation:DescribeChangeSet",
"iam:ListRolePolicies",
"logs:DescribeDestinations",
"cloudformation:ListStackResources",
"iam:ListPolicies",
"iam:GetRole",
"events:DescribeRule",
"sns:ListSubscriptionsByTopic",
"lambda:ListFunctions",
"iam:GetPolicy",
"sns:CreateTopic",
"iam:DeleteRole",
"iam:UpdateRoleDescription",
"kms:RetireGrant",
"lambda:UpdateFunctionCode",
"cloudformation:GetStackPolicy",
"cloudformation:DeleteStack",
"kms:RevokeGrant",
"lambda:PublishVersion",
"logs:PutSubscriptionFilter",
"lambda:DeleteEventSourceMapping",
"ec2:DescribeSubnets",
"iam:GetRolePolicy",
"sns:TagResource",
"logs:ListTagsLogGroup",
"iam:UntagRole",
"kms:PutKeyPolicy",
"iam:TagRole",
"events:PutRule",
"sns:ListTopics",
"sns:CreatePlatformEndpoint",
"logs:DeleteLogStream",
"logs:CreateExportTask",
"iam:PassRole",
"logs:DeleteMetricFilter",
"iam:DeleteRolePolicy",
"kms:CreateKey",
"ssm:GetParametersByPath",
"logs:DeleteLogDelivery",
"kms:CreateGrant",
"logs:PutDestination",
"logs:DisassociateKmsKey",
"sns:GetTopicAttributes",
"logs:UntagLogGroup",
"kms:GetKeyPolicy",
"sns:CreatePlatformApplication",
"lambda:UpdateFunctionConfiguration",
"sns:SetSMSAttributes",
"iam:ListRoles",
"logs:TestMetricFilter",
"sns:ListSubscriptions",
"ec2:DescribeSecurityGroups",
"events:DeleteRule",
"iam:CreateServiceLinkedRole",
"ec2:DescribeVpcs",
"kms:ListAliases",
"iam:UpdateRole",
"iam:GetUser",
"logs:GetLogGroupFields",
"lambda:RemovePermission",
"sns:ListPlatformApplications",
"iam:UpdateAssumeRolePolicy",
"iam:GetPolicyVersion",
"logs:GetLogRecord",
"kms:Decrypt",
"sns:Unsubscribe",
"iam:CreateRole",
"cloudformation:DescribeStackResource",
"iam:AttachRolePolicy",
"ssm:GetParameter",
"sns:OptInPhoneNumber",
"sns:SetEndpointAttributes",
"ssm:DeleteParameter",
"logs:CreateLogStream",
"iam:DetachRolePolicy",
"ssm:DescribeParameters",
"iam:ListAttachedRolePolicies",
"logs:CancelExportTask",
"sns:SetPlatformApplicationAttributes",
"logs:DeleteRetentionPolicy",
"logs:GetLogEvents",
"events:ListRules",
"cloudformation:ExecuteChangeSet",
"sns:ListTagsForResource",
"cloudformation:DescribeStackResources",
"sns:GetPlatformApplicationAttributes",
"logs:StopQuery",
"sns:GetSubscriptionAttributes",
"ssm:GetParameters",
"logs:CreateLogGroup",
"ssm:DeleteParameters",
"cloudformation:DescribeStacks",
"sns:DeleteEndpoint",
"ssm:PutParameter",
"logs:PutMetricFilter",
"logs:CreateLogDelivery",
"sns:GetEndpointAttributes",
"logs:PutResourcePolicy",
"logs:DescribeExportTasks",
"logs:GetQueryResults",
"iam:GetUserPolicy",
"logs:UpdateLogDelivery",
"lambda:ListVersionsByFunction",
"sns:DeleteTopic",
"logs:DescribeLogStreams",
"sns:SetTopicAttributes",
"lambda:CreateEventSourceMapping",
"sns:UntagResource",
"logs:GetLogDelivery",
"cloudformation:DeleteChangeSet",
"logs:DeleteResourcePolicy",
"sns:Publish",
"ec2:DescribeNetworkInterfaces",
"iam:ListAttachedUserPolicies",
"kms:DescribeKey",
"logs:AssociateKmsKey",
"logs:DescribeResourcePolicies",
"logs:DescribeQueries",
"cloudformation:ListStacks",
"logs:DescribeLogGroups",
"logs:DeleteLogGroup",
"lambda:GetFunction",
"logs:PutDestinationPolicy",
"iam:ListUserPolicies",
"logs:DeleteDestination",
"iam:TagUser",
"logs:PutLogEvents",
"cloudformation:GetTemplateSummary",
"kms:ListGrants",
"iam:UntagUser",
"kms:ListKeys",
"events:PutTargets",
"lambda:AddPermission",
"sns:SetSubscriptionAttributes",
"iam:ListPolicyVersions",
"cloudformation:CreateStack",
"ec2:DescribeSecurityGroupReferences",
"iam:ListUsers",
"logs:PutRetentionPolicy",
"cloudformation:ListChangeSets"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::click-ad-gateway/*"
}
]
}